Inside Internal Controls

News and discussion on implementing risk management

How much cyber risk should an organization take?

“The key is to understand what the potential impact on the business would be if you had a breach… How would it affect the business? How would it affect the achievement of objectives and the success of the organization? And how much is it worth spending to address that? Because we don’t want to spend more money than we are actually getting a return on in terms of reducing the risk… we need to recognize that defense alone is not sufficient. A determined, intelligent attacker is going to, at some point, breach our defenses… so the change should be to recognize that. We still do what we can to put reasonable defenses in place, but put more priority on understanding when and how they get breached…”

I did a video with Joe McCafferty of MISTI last month. He wrote about it here, and you can find the video on YouTube.

I am interested in whether you share my views.

I also have some questions for you—after you watch the video:

  1. Should we be measuring cyber risk in relation to the potential effect of a breach on business objectives? Or should it be based on the effect on information assets?
  2. Do we know how to assess the level of risk?
  3. Are we doing a good job knowing how much risk we need to take to achieve our objectives? In other words, are we excessively risk averse or embracing of risk—and do we really know whether we are making the right business decision?
  4. Does it all come down to ROI, the cost and the value of additional investment in cyber prevention, detection, response, and remediation?
  5. Are we hyperventilating about cyber when there are more important risks to address?

I welcome your comments and answers.

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
