Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Why Your Cyber Risk Tolerance May Be Lower Than You Think

We’ve all assessed some level of risk in our lives in one way or another. For example, if you’re living in a studio apartment in New York City’s Lower East Side, chances are you won’t be shelling out the additional expense of adding home security to the 450-square-feet you occupy. While there is still a chance of having it broken into, the second-hand furniture and 24-inch flat screen TV may not be worth the risk for burglars.

But if you’re a family of four living in the Upper East Side, your neighborhood’s an indicator of wealth, and chances are you have a lot more to lose. In this case, you’ll opt for additional security.

While the parameters are different, the same thinking applies when it comes to determining your organization’s risk tolerance. Some businesses, however, are inaccurately measuring their risk appetite.

All organizations are targets for cyber attacks, but similar to the example outlined above, cybercriminals tend to place a bullseye on some more than others. Given the security arsenal some larger enterprises are equipped with, many times attackers will look to getting in by way of the smaller businesses that may be partnering with larger enterprises. That’s why accurately assessing your businesses’ cyber risk tolerance goes a long way in developing your overall cybersecurity strategy.

Where to Get Started

It’s your first day working as the cybersecurity lead at your organization, so chances are you’ll need to assess its overall risk appetite. But where do you start? According to Mark Whitehead, director of Americas at Trustwave SpiderLabs, it’s all about understanding what the core business is.

"This can help them understand if they’re prone to targeted attacks and what cybercriminals could be targeting," he says.

No matter the size of the business, chances are it’s a target if it’s involved in work that’s tied to the military, cutting edge research, processing payments, or is in the financial or retail industries, according to recent data from the 2019 Trustwave Global Security Report.

By getting a better sense of what your company assets are, it leads to more effective prioritization. This also helps determine what tools and services your business needs to tap into. When it's time to meet with upstream management about resources, clearly communicating the business’s risk appetite will go a long way.

"Security leaders need to make sure they are properly understanding and explaining risk and their company’s risk tolerance to the heads of the organization," Whitehead adds.

How to Determine Cyber Risk Tolerance

When you’re ready to assess your organization’s risk tolerance, it may be best to adhere to a framework that can serve as the foundation of your assessment. The NIST Cybersecurity Framework is one example that focuses on the essential functions that your team can adhere to. While there are others, this is one Whitehead recommends.

"If what your team is working on doesn’t answer how you identify, protect, detect and respond to assets, data or systems within the business, one could argue that your organization isn’t working on what matters," he says.

To effectively do this, it’s vital to identify critical assets within the business, something easier said than done. This is primarily because of the mountain of challenges security leaders are presented with, from merger and acquisition and Shadow IT activity to data stored on a cloud service provider.

Once you’re able to determine what and where your assets are, you can systematically apply risk by specific criteria. But it’s essential to test the controls in place to validate they work continually, Whitehead says.

"Both highly automated as well as manual testing is critical to an organization’s success," he adds.

Aspire to Adaptive Security

The lower the organization’s risk tolerance is, the more you should be baking anticipation into your overall cybersecurity strategy. Businesses that have a very low-risk tolerance tend to take an adaptive approach to security, which involves threat detection and response activities such as security orchestration and threat hunting. This approach also relies on artificial intelligence (AI) analysis of user behavior to anticipate attack methods.

"The cost of staying secure is forcing an organization to be more adaptive," Whitehead says. "Each day, new technology is available, but nothing really comes off an organization’s plate from a technology standpoint."

 

16190_security-maturity-image

A look at how high and low cyber risk tolerances impact technology usage.

 

This growing inventory is what’s made the modern-day business a labyrinth for security leaders to navigate. Evolving from mainframes to personal computers, and wireless internet-connected technology to social networks, there's no end in sight for this digital transformation movement.

"Given the predicted explosion of IoT devices that will interact seamlessly with the internet, a lot more is getting ready to get added onto that list," he says.

While investing in cutting-edge security solutions is always an option, enterprises with a low cybersecurity risk tolerance are also opting to partner with a trusted security advisor that can help increase bandwidth to direct and manage technology providers, in addition to offsetting the need for more skilled workers. This enables security leaders to focus on strategic projects that can measurably reduce risk within the business.

Key Questions to Keep Top of Mind

When you’re working through your organization’s risk assessment and prioritizing company assets, Whitehead suggests keeping the following questions top of mind to help you better understand the business’s overall risk tolerance:

  1. What puts my employees at risk physically?
  2. Would my customers be happy if this was exposed?
  3. Would our company still be in business if we lost access to this data or if it was available outside our organization?

 

16245_bh_halfheight-2019

 

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo