Every day brings with it the news of yet another company falling victim to a cyberattack. The costs the affected businesses face are enormous: lost critical data, stolen assets and damaged reputations. 

But despite these very real threats, company leaders may resist committing the necessary resources to prevent them. After all, no one wants to pay for more than they need. This goes for cybersecurity as much as any other business expense. That’s why it’s vital for C-suites to include cybersecurity as part of their capital planning. And the key to that is determining what “just enough security” is for the organization to meet its business goals.

What’s the best way to determine how much security is “just enough”? Most C-level executives are accustomed to making overall business decisions based on risk. An effective risk management program identifies true risks to the business and determines how to reduce those risks to an acceptable level. Including an acceptable level of cyber risks into the organizational risk management program makes cybersecurity a part of the overall business strategy. And the best way to do this is to undergo a cybersecurity-related risk assessment. This helps translate the costs of what it could take to prevent unacceptable levels of cybersecurity risks or to reduce them to an acceptable level. These costs can then be included in budgetary calculations and overall risk management plans.

According to the SANS Institute, “the ability to perform risk management is crucial for organizations hoping to defend their systems. There are simply too many threats, too many potential vulnerabilities that could exist, and simply not enough resources to create an impregnable security infrastructure. Therefore every organization, whether they do so in an organized manner or not, will make priority decisions on how best to defend their valuable data assets. Risk management should be the foundational tool used to facilitate thoughtful and purposeful defense strategies.”

Many frameworks and industry standards, such as those offered by the National Institute of Standards and Technology (NIST) and ISO, provide guidelines for conducting risk assessments and implementing controls (best practices) to mitigate or prevent security risks. In general, risk assessments help organizations determine their inherent security risks by doing the following:

• Identifying, estimating, and prioritizing risk to their operations.
• Determining the possible threats from bad actors that can compromise the confidentiality, integrity, or availability of the information they are processing, storing, or transmitting.
• Identifying what measures or controls are in place to protect the critical assets and what measures/controls are lacking.
• Following recommending preventive measures and investing in security upgrades to reduce high levels of risk.

What does this mean? It depends on the type of business. Because as these examples show, not all risks are created equal.

A bank storing and processing large amounts of financial data or a hospital maintaining extensive patient records would be very concerned with the confidentiality of their data and the damage to their customers and patients if hackers accessed or leaked it. A risk assessment could tell them that they need to prioritize their resources toward protecting the confidentiality of their data with privacy-related controls and other security measures. The risk assessment might also indicate that they are vulnerable to a ransomware attack, so they should implement a recovery plan and perform daily and weekly system backups. But the risk assessment may indicate there is less risk to the availability or integrity of their data, so they would not need to invest as much in these areas.

Researchers developing intellectual property may be concerned both about outside actors wanting to steal their discoveries or insiders willing to sell them to competitors. The risk assessment might indicate that they are indeed vulnerable to such attacks. So they might prioritize increasing resources on instituting protective, access and monitoring best practices. They might also invest in awareness training to educate staff on recognizing phishing emails and other social media campaigns as well as internal threats. The risk assessment could suggest they have fewer risks to the confidentiality of this data, so they would not concentrate resources on protecting this area.

Once company leaders have identified the critical assets they most want to protect, have an idea of what cyber threat might attack these assets and how vulnerable their assets are to an attack, and understand how severe such an attack would be to their ability to function, they can make informed decisions on how to target their resources toward addressing the risks with the most significant impact to their business.

A risk assessment turns intangible concepts such as security, risk, and prevention into tangible realities with actual costs attached. Undetected/unprevented cyberattack equals financial ruin. And that’s an inevitability that every C-suite must face in today’s interconnected world.