Organizations do not need to support unrestrained capital spending on any project with a “cyber” prefix. However, leaders of the organization must ensure that adequate resources are allocated to mitigate cyber risk and to determine an acceptable level of risk. Each organization must…
- create and understand a cybersecurity strategy
- identify cybersecurity weaknesses
- support an informed, reasonable investment in the protection of critical data and assets
Each mitigation solution yields risk reduction at some associated cost. Based on unique vulnerabilities, mitigation solutions might be readily apparent and relatively low cost. Conversely, others might be expensive and difficult. Therefore we must evaluate each mitigation strategy relative to its risk reduction.
PeriCertum uses Thrivaca™ (an Arx Nimbus product) to facilitate the financial impact on risk of potential solutions. By comparing the results of the baseline Risk Identification and Evaluation to a revised analysis which includes the proposed mitigation solution, we can estimate the financial impact, and fundamentally point investment to the areas of greatest risk. Evaluating potential mitigation solutions is an iterative process against the then-current baseline.
The next step is to prioritize and select those projects that will fit within the organization’s budget and will reduce the cyber risk the most (value). Prioritizing increases the success rate of the organization’s overall cyber strategy by selecting those projects that add the most value.
As a result of the prioritization, an organization may choose to adjust its budget to enable more efforts in a shorter timeframe. It is important to note that money is not the only resource required for a successful mitigation solution implementation – you must have the right skills and people resources.
Once solutions are in place, the organization should create a new Risk Identification and Evaluation baseline.