How much cyber risk should an organization take?
“The key is to understand what the potential impact on the business would be if you had a breach… How would it affect the business? How would it affect the achievement of objectives and the success of the organization? And how much is it worth spending to address that? Because we don’t want to spend more money than we are actually getting a return on in terms of reducing the risk… we need to recognize that defense alone is not sufficient. A determined, intelligent attacker is going to, at some point, breach our defenses… so the change should be to recognize that. We still do what we can to put reasonable defenses in place, but put more priority on understanding when and how they get breached…”
I am interested in whether you share my views.
I also have some questions for you—after you watch the video:
- Should we be measuring cyber risk in relation to the potential effect of a breach on business objectives? Or should it be based on the effect on information assets?
- Do we know how to assess the level of risk?
- Are we doing a good job knowing how much risk we need to take to achieve our objectives? In other words, are we excessively risk averse or embracing of risk—and do we really know whether we are making the right business decision?
- Does it all come down to ROI, the cost and the value of additional investment in cyber prevention, detection, response, and remediation?
- Are we hyperventilating about cyber when there are more important risks to address?
I welcome your comments and answers.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management