
Risky Business: Understand Your Assets and Align Security With the Business

For years I wondered why business groups would move forward with technology initiatives before fully understanding their risk exposure. Focused on the business outcome, teams always wanted to implement first and figure out the risks later. 

Problem is, risks are intrinsic to business outcomes. A solution is only as valuable as the information flowing through it. Compromise the information, bring down the solution, and the business outcome cannot be realized.   

Too often this dawns on the business after implementation, when risk treatment options are limited. Often the only choice is to put a wrapper around the solution, a compensating mitigation with a tendency to make users less happy and the technology less appealing — which also diminishes the desired outcome.

Align security and risk with the business

Once you dive into the trenches with business groups, it’s much easier to understand why this is such a challenge, since you’re representing initiatives that are potentially hugely valuable to the company. But there doesn’t have to be so much friction in the process. 

By working closely with business groups to do a thorough risk analysis, we’re not only doing the due diligence required by regulatory and industry associations — we can also teach business pros how to understand risk and the different avenues for dealing with it. 

Understand your assets

First it’s important to understand the value of the information and the technology in terms of its impact to the business. Business groups need to understand not only what their assets are, but also how the security team classifies those assets in terms of business impact. 

For sensitive information, the military uses four categories: Top Secret, Secret, Confidential, and Unclassified. They describe the consequences of unintended release of Top Secret information with one word: grave. 

A similar model exists in the corporate world. Most companies use a three-tiered classification of high, medium or low business impact. And in terms of high-impact business data, I would argue that the term grave still applies.

Whatever system you use, once you’ve classified your assets and determined the level of risk involved, you’re in a better position to decide which risk treatment options and timeframes make sense within the context of the business, its size and its industry.

For some systems, the necessary treatments are already defined by regulatory or industry requirements. To process credit cards, for example, companies must comply with PCI requirements or face higher processing costs or even the suspension of processing altogether. 

But for other systems it’s not so cut and dried, and risk mitigation strategies will lean heavily on the organization’s appetite for risk, as well as its ability to mitigate. There are generally four treatment options, and mature companies typically end up doing all of these:

Risk avoidance
For business leaders, the least obvious option is probably just avoiding the risk altogether. But when the security team is proactive and doing risk analysis with the business up front, you’ll be surprised at how many decision-makers end up avoiding the risk by scrapping the initiative. They see that even though it provides a sizable financial benefit, it simply opens the business up to too much exposure. 

Sometimes it’s OK not to implement the technology. Being smart about when to avoid risk is actually great for everyone, because you end up eliminating controls that are difficult to maintain.

Risk transfer
The same thing could be said about risk transfer. Risk transfer can involve non-technology solutions, such as buying an insurance policy to help compensate the business in the event of an exploit or other compromise to the system. It can also involve contracts that literally transfer the risk to another party. 

Technology-based risk transfer options include moving to a cloud provider with the resources to centralize security controls and attain certifications most companies can’t afford. There’s also the option to outsource controls like a WAF, instead of trying to build them on your own. For some companies, this type of risk transfer may become a primary mitigation strategy. 

Risk acceptance
And then there’s risk acceptance, which may actually be the most important tool that exists for security. This is when you go to an officer of the company, educate her on the risk in question, and ask her to accept it and document the acceptance. 

Here the documentation is critical. The CISO and the business owner are mutually agreeing on the acceptance of a risk and the company’s plan for dealing with it. This then becomes the codification in the organization of the risk being accepted and how that risk will be managed. 

And again, you’d be shocked at how many people decide to go from risk acceptance to risk avoidance. 

Risk mitigation
Of course, there will always be mitigation, and that’s really about controls. If you’re doing things right and the security team is brought in at the beginning, you minimize the need to perform compensating controls later. This results in a much stronger system. 

But mitigation isn’t the only game in town, and business owners don’t always understand these additional options — because they’re not being taught. The solution is to work with them to understand the value of the assets and what the risk treatment options are, then build a risk treatment plan that truly reflects your priorities, risk tolerance and resources. 

Working closely with business groups throughout the process of due diligence and due care not only fulfills the CISO’s responsibilities, it also creates more security-savvy business groups who understand how to use their risk treatment toolkit more strategically. 
