Risk appetite and its impact on cyber security strategy

I can already feel your eyes glazing over at the thought of discussing risk management. It’s not a sexy topic to most, but it is a crucial one that underlies most decisions people and organisations make, whether consciously or unconsciously. In cyber security, risk management is the principle that helps you decide how much time and energy you are going to invest in building and implementing a cyber security program.

Understanding your organisation’s risk appetite is crucial to developing an effective cyber security strategy. In this article, I’m going to explain what risk appetite is and how you can apply it to the development of a cyber security strategy. I’ll also try to do it in a way that keeps you awake, so don’t leave this article on your bedside table to read before bed!

What is risk appetite?

Risk appetite is essentially the amount of risk someone is willing to take on to achieve their goals. For example, if I am starting a business selling cupcakes, how much of my own money am I prepared to invest (and potentially lose) to get the business off the ground? I have an appetite to put a certain amount of money into my cupcake business. Anything beyond that amount is more than I am willing to risk losing if the business is not successful.

Sometimes risk appetite is unconscious (I start my cupcake business, invest $50,000 before I realise it's not going to work out, and decide to stop putting more money in), and sometimes it's conscious (I write a business plan before I open my cupcake shop, and the budget in that plan specifies that I will not invest more than $50,000). Risk appetite can also change as conditions change (I have invested $50,000 and am not yet profitable, but the growing popularity of my business convinces me I can probably become profitable if I invest another $10,000).

Understanding your organisation's risk appetite

Depending on the maturity of the risk management function at your organisation, this could be very easy or very difficult. A larger organisation with a dedicated risk management function will likely have a defined risk appetite documented in policy, or you can speak with the risk management team to understand it.

In a smaller organisation, risk appetite may not be formally documented; instead, it will be inherent in the way the organisation acts. In an organisation like this, you may need to look for cues in how the organisation behaves, or speak with decision makers, to understand its appetite for risk. For example, if an organisation has a factory floor with safety signage everywhere, conducts regular training on how to properly wear personal protective equipment, and tracks and reports on accidents that occur on the factory floor, you can infer that the organisation has a low appetite for staff injury.

Organisations have different appetites for different kinds of risk. An organisation may have a low appetite for financial risk and be unwilling to invest in risky projects, but a medium appetite for reputational risk, tolerating some bad PR in the service of making a profit.

It's important to understand your organisation's appetite for each kind of risk so you can build a cyber security strategy that aligns with those appetites.

Applying risk appetite to your cyber security strategy

Once you understand an organisation's appetite for the various risks it faces, you can start building a cyber security strategy that aligns with the business. Cyber security professionals tend to want everything as secure as possible, with no gaps left. Ultimate security doesn't always align with an organisation's goals and risk appetite, though. A cyber strategy that works for the business will get you far more buy-in than an over-engineered one.

While your cyber security strategy of course needs to consider the organisation's cyber risk appetite, it also needs to consider its other organisational risks. What is your organisation's appetite for financial loss? If it is low, you may need additional cyber security controls to manage the risk of financial losses from a cyber-attack. If your organisation has a low appetite for operational disruption, your cyber security strategy needs to include controls that enable business continuity in the event of a cyber-attack.

Considering and speaking to organisational risk appetite in your cyber security strategy can also drive business investment in cyber security projects. Business stakeholders may not see the value of a control when you talk about preventing business email compromise, but may be very interested when you talk about potential financial losses of $10 million from a ransomware attack. Remembering that the audience for your cyber security strategy is the entire organisation, and building it to meet business needs, will go a long way towards getting buy-in from key stakeholders.

You also want to be careful not to over-engineer your cyber security strategy. If your organisation has a high tolerance for reputational risk, building a strategy focused on reducing reputational damage from a cyber-attack is not only wasted effort but is also likely to lower your credibility with the organisation, since your strategy isn't aligned with business priorities.

Summary

Understanding your organisation's risk appetite for the various types of organisational risk is key to building a cyber security strategy that aligns with business objectives.

Your cyber strategy needs to consider all types of organisational risk, align with the organisation's risk appetite and support the business strategy.

Building a cyber strategy that aligns with organisational risk will enable you to implement a successful cyber security strategy that has a much better chance of getting buy-in and support from the business.

Derick Frimpong

Relationship Development Manager at FUJIFILM | Building Long-term Partnerships | Driving Business Growth in the SME market

6 months

Really insightful Nathan Hunter.

Yvette Thompson Kelly

Head of International Member Solutions at CBHS International Health | Lawyer

6 months

Great article Nathan! Thanks for writing and sharing.

David Hingston-Yahyaei

HR Business Partner at NSW Department of Communities and Justice

6 months

Nice read, thank you
