Why a risk-based approach to cybersecurity is the right business choice for the “new normal”


July 6, 2023
Microsoft Australia

Enterprises and organisations already have a good notion of risk and how to manage it. It’s time for cybersecurity to fit into the enterprise risk framework and demonstrate its business benefit. The approach already used to manage financial, market, regulatory, and other risks can be applied to cybersecurity. First, identify the cyber risks facing your organisation and rank them in order of importance. Next, for each key risk, determine the cybersecurity control that makes the most sense in terms of coverage and return on investment.

These steps will help ensure top management support and prepare you for moving to risk-based cybersecurity across your organisation.

What’s the big deal?

One big reason why risk-based cybersecurity is attracting interest is that it offers a systematic, cost-effective way to protect your organisation against the cyberattack impacts that matter. Here at Microsoft, we have extensive experience of risk-based cybersecurity, and we’ve had insightful discussions with experts across the industry. We are delighted to share what we have learned with you.

What’s different about risk-based cybersecurity?

Traditional compliance-based cybersecurity maturity models have often been indiscriminate in what they protect and how. Their blanket approach means that time, money, and effort may be spent on assets that don’t need protecting – or not as much as other assets. For example, your CRM, manufacturing, and financial systems need top-notch cybersecurity. But can the same be said of an app that tracks the stock of donuts in the cafeteria? The point is to scale effort to impact, not to leave low-value assets unprotected: even the donut app still needs baseline hygiene such as patching and access control, because an attacker who compromises it may use it as a foothold to reach systems that do matter.


How to calculate risk

Risk associated with an incident can be defined as “the impact of that incident multiplied by the probability of the incident happening” over a given period, typically a year. The product is an expected loss, which is what makes risks comparable with each other and with the cost of controls. So, for example, a meteor falling on your headquarters is low risk. Even though a meteor could have a destructive impact, the likelihood of one striking your premises is small. By comparison, a cyberattack on personally identifiable information (PII) held in your organisation could be very high risk (high impact, high probability of an attack). Thus, a cyber risk-based approach shows you where to focus your cybersecurity resources.

Getting the board onboard

Below we will share how cyber risk can be managed within the overall risk management program of the organisation. This helps convince top management of the merits of risk-based cybersecurity by:

  • Positioning cyber risk as the business issue and cybersecurity as the solution, rather than leading with cybersecurity (which may come across as a solution looking for a problem).
  • Quantifying risks (remember, impact x probability) and prioritising the assets that pose the biggest risk and therefore have the greatest need of cyber protection.
  • Comparing each risk to the cost of the control that mitigates it. For example, preventing a PII breach may save millions for a cost of only thousands in appropriate cybersecurity, whereas an expensive control on a low-risk asset may cost more than it could ever save.
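To make the “impact x probability” calculation and the budget comparison concrete, here is an added worked example in Python. It is not code from Microsoft or from this article, and every figure in it (the assets, their impacts, the probabilities and the control costs) is a constructed, hypothetical number chosen to match the illustrations above: a PII breach, a production outage, the cafeteria donut app and the meteor. It ranks a small risk register by expected annual loss, then scores candidate controls by how much expected loss they remove per dollar spent (return on security investment, ROSI) and picks the ones worth funding within a budget.

```python
"""Rank a cyber risk register by expected loss and compare controls by ROSI.

All names and numbers below are constructed for illustration; they are not
real figures and the control names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float        # loss in dollars if the incident happens
    probability: float   # chance of the incident within one year (0..1)

    @property
    def expected_loss(self) -> float:
        # The article's definition: risk = impact x probability.
        return self.impact * self.probability


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                  # name of the Risk this control mitigates
    annual_cost: float         # dollars per year to run the control
    probability_after: float   # residual annual probability with the control in place


# Constructed register: high-impact/high-probability, high-impact/negligible-probability,
# and low-impact entries, mirroring the article's examples.
REGISTER = [
    Risk("Breach of customer PII database", impact=5_000_000, probability=0.20),
    Risk("Ransomware halts manufacturing line", impact=2_000_000, probability=0.10),
    Risk("Tampering with cafeteria donut-stock app", impact=2_000, probability=0.50),
    Risk("Meteor strike on headquarters", impact=50_000_000, probability=1e-7),
]

# Constructed candidate controls, one per risk.
CONTROLS = [
    Control("Encrypt PII at rest + MFA on admin access",
            "Breach of customer PII database", annual_cost=60_000, probability_after=0.05),
    Control("Offline backups + network segmentation",
            "Ransomware halts manufacturing line", annual_cost=80_000, probability_after=0.03),
    Control("Dedicated pentest of donut app",
            "Tampering with cafeteria donut-stock app", annual_cost=15_000, probability_after=0.10),
    Control("Meteor-proof bunker",
            "Meteor strike on headquarters", annual_cost=10_000_000, probability_after=1e-8),
]


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first: this is where attention should go."""
    return sorted(register, key=lambda r: r.expected_loss, reverse=True)


def evaluate_control(control: Control, register: list[Risk]) -> dict:
    """Expected-loss reduction and return on security investment for one control."""
    risk = next(r for r in register if r.name == control.risk)
    before = risk.expected_loss
    after = risk.impact * control.probability_after
    reduction = before - after
    # ROSI: net benefit per dollar spent. Negative means the control costs
    # more than the loss it is expected to prevent.
    rosi = (reduction - control.annual_cost) / control.annual_cost
    return {"control": control.name, "risk": risk.name, "reduction": reduction,
            "cost": control.annual_cost, "rosi": rosi}


def recommend(controls: list[Control], register: list[Risk], budget: float) -> tuple[list[str], float]:
    """Greedy selection: fund controls with positive ROSI, best first, within budget."""
    scored = sorted((evaluate_control(c, register) for c in controls),
                    key=lambda e: e["rosi"], reverse=True)
    chosen, spent = [], 0.0
    for e in scored:
        if e["rosi"] <= 0 or spent + e["cost"] > budget:
            continue
        chosen.append(e["control"])
        spent += e["cost"]
    return chosen, spent


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.expected_loss:>14,.2f}  {r.name}")
    for c in CONTROLS:
        e = evaluate_control(c, REGISTER)
        print(f"ROSI {e['rosi']:>8.2f}  {e['control']}")
    print(recommend(CONTROLS, REGISTER, budget=100_000))
```

With these constructed numbers the PII breach tops the ranking at an expected loss of $1,000,000 a year and the meteor sits at the bottom at $5, so the $60,000 PII control pays back 11.5 times its cost while the donut-app pentest and the bunker both have negative ROSI and are rejected. The hard part in practice is not the arithmetic but the inputs: impact and probability are estimates, so record where each number came from and revisit them as the threat picture changes.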

Managing the change to risk-based cybersecurity

Risk-based cybersecurity may mean a change in how your organisation does things. Besides effective cybersecurity technology, the right engagement of managers, employees, contractors, and suppliers will also be essential. To bring about necessary changes:

  • Leverage support from executive management to create a cyber risk-aware culture at all levels of the organisation.
  • Recruit willing champions at departmental and team levels to help communicate and develop the right cyber attitude and behaviour.
  • Make sure everyone understands which cyber behaviour is acceptable and which is unacceptable.
  • Think of cyber risk as a collective problem. Offer help as appropriate to your business partners to manage their risk and cybersecurity posture, which will ultimately benefit your own.

Resilience for success

You’ll need to ensure resilience at the organisational level, with tested responses that let you recover from an incident or breach rather than merely detect it. You may also need some resilience at a personal level to make risk-based cybersecurity part of daily life for your organisation. But hang in there, the result is worth it!

