Inventory Your Highest Risks
A risk-based approach moves organizations beyond standard security frameworks and a reactive, compliance-driven mindset. It looks at an organization’s unique goals and operating landscape to identify the most pressing security risks first and develop tailored policies, controls and procedures to mitigate them, before moving on to lower-priority threats.
“It's about: ‘How is our business at risk? What are the worst types of scenarios that could occur for us?’” de Bont says. “Let's identify what those [risks] are, and let's reduce the risk of those events occurring.” That may mean implementing stronger authentication methods for certain high-risk user groups or systems than for others, for example.
To successfully execute this approach, de Bont says organizations need to get their technical teams, partners and suppliers on the same page about setting priorities based on potential outcomes.
41% of executives say cyber risk initiatives at their organizations have not kept pace with digital transformation.
4 in 10 organizations now take a risk-based approach to cybersecurity.
Balance Innovation & Security
With finite resources, no company can realistically expect optimized security in every scenario, de Bont says.
“Security takes extra time. It requires expertise. It's often hard. Add to this the agility and freedom you need to quickly innovate and fail fast and then transform—it’s a delicate balance,” he says.
That doesn’t mean organizations should accept weak security as a cost of innovation—but it does mean they’ll need to make strategic, case-by-case decisions about resource allocation. De Bont suggests prioritizing security for modernization initiatives, since they are critical for the future of the business.
“If you're embarking on a new initiative or a digital transformation effort, then baking security into that may be more important than going back or continuing the cleanup that you're doing for legacy systems,” he says.