The Right Risks
(This post is part of a series about asking the right questions about your cybersecurity. Questions anyone is qualified to ask.)
Are your cybersecurity (C/S) efforts protecting you from the right risks? In order to answer that, you need to know what makes a risk worthy of being avoided. Not all risks are worthy and not all risks are equally worthy. After all, there is never enough time and enough money to do everything that you might want to do: you have to choose your battles. This is just as true of C/S as it is of any other part of anything that human beings ever do.
The first step is to list all of your critical systems and data. Your limited time and attention dictate that you worry about critical systems first. Remember that "critical" has nothing to do with "expensive" or "cool." Some workplaces need to be able to print in order to function, in which case your printers are critical systems. Boring, but critical.
What does "critical" mean here? A system or data repository is critical if its absence would make at least some aspect of your work impossible or infeasible. Listing critical assets is only the first half of the job; the second half is deciding which risks to those assets are worth addressing. To decide that, consider the combination of how likely a risk is to occur and how painful it would be if it did occur. Very unlikely but immensely painful risks, such as a natural disaster, should make the list. Very likely, although not that painful, risks, such as running out of paper or ink for your printers, should also make the list. Deciding what should make the list and what should not will be particular to your environment and may not be as clear-cut as these examples. This kind of executive decision-making is why we at Pythia Cyber insist that C/S is part of Risk Management and that Risk Management is an executive function.
Your hard work in defining "critical" and applying that definition to your particular environment has resulted in a list of all the assets you could protect. If you are lucky enough to have all the resources you could ever need, then go ahead and protect everything on the list in the first pass. Meanwhile, the rest of us need to do some work on that list.
To make the list useful, we need to put it into priority order so we do the most important things first. This ensures that when we inevitably run out of steam and have to stop, at least for now, we have made the best use of our available resources. How you define priority is another potentially sticky and difficult question. In theory, every critical system is, well, critical. In theory, you should protect them all, and do it now.
In practice, you have limited resources, so your priority system will likely consider how hard mitigating a given risk will be. Is it better to protect four easily-protected systems or one hard-to-protect system? There is no easy answer: it depends on what produces the best result. The goal is the best C/S you can afford. Never let the perfect be the enemy of the good--which in this case means never say that since you can't do it all, you might as well not try.
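The two questions above, how likely and how painful (a risk's expected loss) and how hard it is to mitigate, can be worked through with numbers on a small register. The following is an added example, not Pythia Cyber's own method or tooling: every risk, likelihood, impact and cost in it is constructed to illustrate the trade-off, and the scoring (expected loss times the fraction a mitigation removes, compared against its cost) is one common approach, not the only one. It ranks mitigations by loss avoided per unit of cost, then shows that a greedy "cheapest wins first" plan and the actual best plan within a budget can disagree, which is exactly the "four easy systems or one hard one" question.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    """One row of a risk register. All figures are constructed for illustration."""
    name: str
    likelihood: float        # chance it occurs in a year, 0..1
    impact: float            # cost to the business if it does, in money units
    mitigation_cost: float   # what it costs us to address it
    reduction: float         # fraction of the expected loss the mitigation removes, 0..1

    def expected_loss(self) -> float:
        # "how likely" times "how painful"
        return self.likelihood * self.impact

    def loss_avoided(self) -> float:
        # what the mitigation actually buys us
        return self.expected_loss() * self.reduction

    def efficiency(self) -> float:
        # loss avoided per unit of money spent: the "how hard is it" axis
        return self.loss_avoided() / self.mitigation_cost


# Constructed register (hypothetical names and numbers, not real data).
REGISTER = [
    Risk("printer ink runs out",           0.90,     500,   100, 1.0),
    Risk("no spare printer",               0.30,   2_000,   300, 0.9),
    Risk("laptop data not backed up",      0.20,   8_000,   500, 0.8),
    Risk("mailbox takeover, no MFA",       0.40,  20_000, 1_200, 0.7),
    Risk("site lost to natural disaster",  0.02, 500_000, 4_000, 0.9),
]
BUDGET = 5_000


def total_expected_loss(risks) -> float:
    """What the whole list costs us per year if we mitigate nothing."""
    return sum(r.expected_loss() for r in risks)


def rank_by_efficiency(risks):
    """Priority order: most loss avoided per unit of cost first."""
    return sorted(risks, key=lambda r: r.efficiency(), reverse=True)


def greedy_plan(risks, budget):
    """Walk the ranked list, take everything that still fits, skip what does not."""
    chosen, remaining = [], budget
    for r in rank_by_efficiency(risks):
        if r.mitigation_cost <= remaining:
            chosen.append(r)
            remaining -= r.mitigation_cost
    return chosen


def optimal_plan(risks, budget):
    """Exhaustive search over subsets; fine for a register of a couple of dozen rows."""
    best, best_value = [], 0.0
    for k in range(1, len(risks) + 1):
        for combo in combinations(risks, k):
            if sum(r.mitigation_cost for r in combo) > budget:
                continue
            value = sum(r.loss_avoided() for r in combo)
            if value > best_value:
                best, best_value = list(combo), value
    return best


def total_avoided(plan) -> float:
    return sum(r.loss_avoided() for r in plan)


def main():
    print(f"Unmitigated expected loss per year: {total_expected_loss(REGISTER):,.0f}")
    print("\nPriority order (loss avoided per unit cost):")
    for r in rank_by_efficiency(REGISTER):
        print(f"  {r.efficiency():5.2f}  cost {r.mitigation_cost:>6,.0f}  {r.name}")
    for label, plan in (("Greedy", greedy_plan(REGISTER, BUDGET)),
                        ("Optimal", optimal_plan(REGISTER, BUDGET))):
        spent = sum(r.mitigation_cost for r in plan)
        print(f"\n{label} plan within budget {BUDGET:,}: spend {spent:,.0f}, "
              f"avoid {total_avoided(plan):,.0f} of expected loss")
        for r in plan:
            print(f"  - {r.name}")


if __name__ == "__main__":
    main()
```

With these constructed numbers the greedy plan buys the four cheap mitigations and never gets to the disaster-recovery item, while the optimal plan drops MFA to afford that one expensive item plus three cheap ones and avoids noticeably more expected loss. Neither answer is "right" in general; the point is that the comparison has to be made, and made again when the budget or the numbers change.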
And don't forget: things change. Life moves on. This year's list will be out of date before you know it. "The right risks" is a moving target. You review performance annually, you review the budget at least annually, you review sales targets and overhead on a regular basis. It is time that C/S risks joined that club.