In short, risk exists where a threat can exploit a vulnerability in an asset. Going back to our Alex Honnold climbing example, the asset is quite simply Alex. He is vulnerable because he is without a rope. And the threat is that he falls. Falling while climbing is quite common, so how did free soloing El Cap become an acceptable risk to him? Years of expert-level climbing experience and years of preparing for this specific climb with a rope brought the risk down to a level he could tolerate. To most of us it still looks crazy, which shows how the perception of the same risk changes with perspective.
Let’s take the same process and apply it to cybersecurity. Every server, every laptop, every application is an asset. Threat actors (emphasis on threat) are trying to compromise your assets through known vulnerabilities. That combination is your risk. Your goal is to minimize it with defensive tactics like reducing your attack surface, patching systems, using intrusion detection and prevention tools, and training your employees.
This process can feel endless, and like a pure cost sink, but every company has limits on what it can afford. Risk appetites vary by business sector, company size and budget. Some organizations spend millions annually protecting sensitive data; others can only afford thousands. While no one should go without a rope, even the biggest cybersecurity budgets cannot eliminate risk. The trick is to identify your greatest risks and spend wisely to minimize them.
Need help with this? Reach out.