Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Managing Risk Appetite: Balancing Cybersecurity and Business Growth

Determining, dealing with, and accepting a certain level of risk will always be a top priority for the members of any C-Suite.

 

Eliminating risk is likely not a possibility, especially when it concerns cybersecurity. Simply put, the threat landscape changes so rapidly that fully solving this problem is likely beyond our reach. That means organisations must focus on what they can control and how much they are willing to leave up to chance. 

 

Essentially, they accept a certain level of risk while maintaining the ability to operate their business.

 

This "risk appetite" will differ depending on the industry, location, partners, company size, etc., but every company must take some time to grow or move forward. Organisations should assess their tolerance for risk on a scale rather than looking at risk vs. no risk, establishing thresholds for comfortable levels of risk within that. 

 

Determining Your Risk Appetite

 

Every business knows it needs to accept some level of risk, but how can they assess that level? 

 

Firstly, the risk level a business faces needs to be established. 

 

The best way to do this is to conduct a formal risk assessment to identify, analyse, and prioritise potential security risks. These steps will include:

  • Identifying and cataloguing all assets; highlighting any potential threats or vulnerabilities through a penetration test,
  • A complete vulnerability assessment; analysing and assigning risk to any potential threats and vulnerabilities; and finally
  • Developing an up-to-date security strategy to mitigate the risk, where possible.

 

Next, an organisation needs to understand its risk tolerance. In other words, what level of risk, based on the type of business it is, what its objectives are, what resources it has available, and what data it holds, can the organisation handle? 

 

Businesses should also consider whether any regulations could have an impact on how much risk they can take. 

 

Once a business has established the risks it's facing and its tolerance for them, it can determine the risk thresholds it can implement and outline its risk appetite within those. This should be informed by a series of strategic conversations amongst key stakeholders that focuses on finding the right balance between taking risks to achieve business goals and avoiding excessive risk that could be detrimental. 

 

Once this is ascertained, businesses should then align on a series of measurements that everyone across the organisation can adhere to, ensuring any risk-taking stays within that parameter. 

 

Feeling Safe When Taking Risks

 

It's natural for businesses to want to stay risk-averse; however, being overly cautious can leave a business stagnant. As such, it's good to know what measures to take to protect the business whilst also taking on a little risk. 

 

Although not the extensive list, below are some things for businesses to consider to help them feel more comfortable accepting risk. 

 

Be Aware of Your Environment 

 

The adage "you can't protect what you can't see" is a good one to think about when ascertaining your organisation's level of risk and how that fits within the realms of appetite for it. 

 

For a business to truly know how much risk it is assuming, it must know everything about the environment it hopes to protect and the threats that could jeopardise that. Solutions such as network detection and response will certainly help with this. However, continuous testing and reassessing must also be part of the strategy.

 

Many organisations are guilty of conducting a one-off pen test or vulnerability scan and using that as a basis for all security policies moving forward.

 

However, as mentioned earlier, the threat landscape is constantly evolving, and, consequently, so is the risk. As such, frequent pen testing should be a non-negotiable, and the way businesses protect their environments should adapt just as frequently. 

 

Control What You Can Control

 

Once a business knows what's in its environment, controlling the controllable becomes a lot easier. Not everything can be predicted, prepared for, or mitigated in cybersecurity. However, organisations can give themselves half a chance if they have the right plans in place. 

 

When it comes to recovering quickly from a cyberattack, and therefore limiting risk, it's not all in the preparation or detection; the response is also just as important. Having an incident response plan covering any eventuality will mean that it has guidelines to follow if an organisation suffers a cyberattack or data breach.

 

Although having an incident response plan ready to go can't prevent a cyber-attack or guarantee a data breach won't occur, it will help to contain the incident. It will likely make businesses feel more comfortable when it comes to accepting risk. 

 

Train, Train, Train

 

Often, rather than having the right solutions in place to help mitigate cyber-attacks, having the right people in the room when hit by a cyber-attack can be more valuable. 

 

Incident response falls to the responsibility of everyone within the organisation, not just the security or IT team. As such, it's vital that incident response plans are written and practiced and run through with staff so they are prepared should an incident occur. This should include clear roles, responsibilities, and processes for managing risk across the business. 

 

People themselves can be a vulnerability when it comes to cybersecurity. Although training alone won't prevent a cyber-attack, it is an extremely important factor impacting an organization's overall risk.

 

Call in the Experts

 

If in doubt, leaning on external experts can really help. Assessing risk appetite doesn't solely depend on data; rather it's a more emotional decision based on how comfortable stakeholders are with taking risks.

 

Consultants bring an impartial view to the table by identifying blind spots or potential biases, allowing for the client to consider a broader range of perspectives.

 

Moreover, they also add unique insight from their specialised knowledge and experience, benchmark the organisation's risk appetite against others in the industry, and ensure risk strategies are tailored to the organisation's unique characteristics, industry regulations, and overall business goals.

 

Balancing Security with Innovation

 

In the current cybersecurity threat landscape, balancing security with innovation and growth is something businesses will continue to struggle with.

 

However, at the end of the day, the question businesses ask shouldn't be 'Are we secure?' but rather 'How well are we managing the elements of security that we need to be managing?' 

 

Once this is clear, the journey to establishing risk appetite becomes a lot easier. 

 

BalancingCybersecurity-1T

Click the Consulting and Professional Services image above to begin your journey to a more secure future

 

About the Author

Ed Williams is VP, SpiderLabs at Trustwave, with over 10 years of experience directly focused on penetration testing and consultancy for Government and private sector organizations. Follow Ed on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo