Risky Business (Part 2): Why You Need a Risk Treatment Plan

Performing a Risk Analysis and Taking Due Care Are No Longer Optional 

Now hear this: You will always have exposure.

No company has the ability to mitigate all risks at all times. No company I’ve ever visited has even had all of its identified risks treated at any given point.

Yet so many companies lead their security strategy with controls. They’ll make sizable investments in security appliances without fully understanding why the appliance is required. They’ll implement their controls without documentation of what the actual risks are and how they’re being treated.

You may have learned about due diligence and due care, but this situation amounts to omitting both. To bridge that gap, you need a risk treatment plan.

The objective of a risk treatment plan is to document your exposure and show that the organization is applying appropriate resources to mitigate it in a reasonable timeframe.

Not only does this tie your mitigation efforts to the actual business risks being addressed, but the RTP is really a form of risk treatment in itself. Even if you can’t mitigate every risk, you’re documenting that you have a plan to deal with those risks — and having your efforts documented provides some recourse to prove due care.

This is important when it comes to any form of litigation. Today we live in a world where if (or when) you have a breach, you are going to have litigation. When you’re working with your legal team, third parties, and insurance companies, the more detailed your treatment plan, the better position you are in.

If you can show you did the appropriate risk analysis, leveraged reasonable means to put a plan in place, and acted on that plan, you can minimize the impact of any breach and resulting litigation on the organization. Not only can you prove you did your due diligence in the risk assessment, but more importantly, you can prove you did your due care in building out a plan and, ultimately, following it.

So what constitutes reasonable effort? That judgement is generally based on the company’s capacity to deal with a given risk. The business should never be required to spend so much on mitigating a risk that doing so puts it out of business. So for smaller or mid-sized companies, it’s reasonable to say that some noncritical risks will take three years to treat when that is the timeframe your available resources allow.

For example, your plan should lay out the mitigation to be implemented and state that, based on the current budget, it will take 18 months to make the full investment. Realistically, there will be risk exposure for those 18 months, but now you can be fully transparent with customers. In many instances, the customer will agree the plan is reasonable and write it into the contract that you must execute against the plan.

On the other hand, the absence of a plan is negligence, period. If a customer trusts us with critical data and we are not doing our due diligence to understand the risk and document how it will be treated, that’s negligence in a court of law. That negligence is compounded if due diligence is done without due care, because you know you have a high-impact asset and you’re aware of its associated risk, but haven’t documented the steps you’re taking to deal with it.

All of this is going to become even more important in the age of GDPR. There are so many measures the security industry considers optional today. GDPR is going to change that, putting some teeth into regulating security practices in the EU.

And since business is so global, eventually there will be other regulations and regulatory bodies in the U.S. Consider how the financial industry has built out authorities and regulations such as the SEC and Sarbanes-Oxley. 

Just as you would never run a business without appropriate financial controls, performing a risk analysis and taking due care are no longer optional. They are mandatory. Building your plan out today will put you in a position to ensure you’re not negligent before you have to prove it.
