Many business leaders say that they use “risk-based analysis” in cybersecurity when making decisions, yet when asked which model or framework they use, they cannot name one. They do not feel they need a plan, model or framework; instead, they rely on their experience and the suggestions of those around them.

However, this does not mean they are closed to additional analysis that supports their “gut feeling” about a situation. Many leaders are open to new information and direction, particularly in situations that are not yet well understood, like the 2020 pandemic. Even so, this decision-making pattern can be difficult to change.

What is Risk-Based Analysis in Cybersecurity?

Risk-based analysis refers to the process of identifying and ranking potential risks. This allows the organization to determine which risks are most critical, which exceed its risk tolerance, and which require immediate attention. The company can then choose the appropriate risk management actions to address them. To identify and rank its risks, an organization must assess both its actual and its potential risks.

Once risks are identified, each must be evaluated for its likelihood of occurring and its impact on the business. There are four main ways to address a critical risk once it has been identified: avoidance, prevention, reduction and risk transference. These are also known as:

  • Stop it happening.
  • Reduce the chances of it happening.
  • Reduce the impact of an event that does occur.
  • Accept the risk, but set money aside to deal with it if it happens.

Moving from an ad-hoc, gut-feeling approach to a well-documented model that can be applied at all levels of an organization will be difficult. There are many things you can do to move a cybersecurity program forward even without adopting a formal framework or model.

There is no magic formula that can be used to influence a decision. However, there are some things we have found to positively impact the decision-making process within our organizations.

Concentrate on the most important things that are closest to the money

One common business saying is that money is the reason businesses exist. Making money is not a simple task, and it has many parts. This is where we look at reducing costs and addressing high-probability risks that could affect the organization’s bottom line. Choose the risks that will have the greatest impact on the bottom line, and determine exactly how each issue affects it.

Here’s an example, using the business case for an automated patching system:

Between the time a patch is released and the time it is applied, there is a window in which a system can fail or be breached. It takes an average of 102 days to manually patch systems in a mid-sized organization (Refer: Ponemon Institute Research Report 2018 State of Endpoint Security Risk). Unexpected outages or breaches that occur between patch release and patch application are a source of operational loss for an organization. The bottom line is directly affected by the cost of remediating the problem and the revenue lost.

Automated patching can save approximately 120 hours per month (an average of 30 minutes per device) and improve the IT program’s ability to support the organization. It is important to document the cost of the automation system as well as the monthly effort currently required to manually apply patches to each system.

Always have cost comparisons handy when sharing information with leaders. Include the costs of an outage, recovery efforts, and ongoing manual efforts if actions are not taken. Next, share the ongoing costs and automation costs. This will allow you to calculate the net value.
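The ranking-and-treatment process described above and the patching cost comparison can be worked through in a small risk register. This is an added example, not code from the article or from New Genesis Solutions; the risk entries, the hourly rate, the outage probability and the treatment thresholds are constructed values, and only the 120 hours/month and 30 minutes/device figures come from the text.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a risk register (sample values below are constructed)."""
    name: str
    likelihood: float   # chance the event occurs in a year (0.0 .. 1.0)
    impact: float       # estimated loss per occurrence, in currency units

    def annual_expected_loss(self) -> float:
        return self.likelihood * self.impact


def rank_risks(risks: list[Risk], tolerance: float) -> list[tuple[Risk, bool]]:
    """Order risks by expected loss and flag those above the risk tolerance."""
    ordered = sorted(risks, key=lambda r: r.annual_expected_loss(), reverse=True)
    return [(r, r.annual_expected_loss() > tolerance) for r in ordered]


def choose_treatment(risk: Risk, tolerance: float,
                     likely: float = 0.5, severe: float = 100_000.0) -> str:
    """Map a risk to one of the four treatments named in the article.
    'likely' and 'severe' are assumed cut-offs, not values from the page."""
    if risk.annual_expected_loss() <= tolerance:
        return "accept"             # within tolerance: set money aside, monitor
    if risk.likelihood >= likely and risk.impact >= severe:
        return "avoid"              # stop it happening (retire or redesign)
    if risk.likelihood >= likely:
        return "reduce likelihood"  # e.g. patch faster, harden, restrict access
    return "reduce impact"          # e.g. backups, segmentation, response plans


def patch_automation_net_value(devices: int, manual_minutes_per_device: float,
                               hourly_rate: float, automation_cost_per_month: float,
                               outage_probability_per_month: float,
                               outage_cost: float) -> float:
    """Monthly net value of automated patching: avoided manual effort plus
    avoided expected outage loss, minus what the automation costs to run."""
    manual_hours = devices * manual_minutes_per_device / 60.0
    avoided_effort = manual_hours * hourly_rate
    avoided_outage = outage_probability_per_month * outage_cost
    return avoided_effort + avoided_outage - automation_cost_per_month


if __name__ == "__main__":
    register = [  # constructed sample register
        Risk("Unpatched internet-facing servers", 0.6, 80_000.0),
        Risk("Laptop theft without disk encryption", 0.3, 15_000.0),
        Risk("Data-centre flood", 0.03, 500_000.0),
    ]
    for risk, over in rank_risks(register, tolerance=10_000.0):
        print(f"{risk.name:40} EAL={risk.annual_expected_loss():>9,.0f} "
              f"{'OVER' if over else 'ok'} -> {choose_treatment(risk, 10_000.0)}")
    # 240 devices x 30 min = the article's 120 hours/month of manual patching
    print("net value/month:", patch_automation_net_value(240, 30, 50.0, 3000.0, 0.1, 20_000.0))
```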

Take into account the customer experience

Businesses exist to make money. However, they also provide a service to customers. It can be helpful to tie the risk of failure to the customer experience in a service-oriented culture.

These are some things to consider about outages when making the case for an automated patching system:

  • What will the long-term impact on your company be if there is an outage?
  • What departments will be affected? The ServiceDesk and HelpDesk will bear the brunt of the impacts.
  • How long will an outage affect your company’s customers?
  • Can a customer cancel an order if they are unable to place it?
  • How likely are they to come back on their own after they leave?
  • Leaders can document the impact of previous outages to help them understand the impact on customers and the company.

Deep understanding of your data

We spend 8-16 hours analysing data in preparation for every meeting where a decision is to be made.

If you have a good understanding of the data and its context within the company, you can answer the questions raised in the meeting. If you cannot answer the concerns and questions others raise, another meeting will probably be necessary, which gives people more room to voice opinions and pushes the decision further out.

These are some questions you should ask to make sure you’re ready.

  • Why is this important for the business?
  • What is the cost of the technology required as part of the solution? What happens if the status quo is maintained?
  • What impact does this have on our customers?
  • What are the ongoing and one-time costs?
  • What is the simplest question I can ask? Do not complicate the decision.
  • I always try to have at most two options to address the risk.
  • What impact will this have on our customers and internally? How will it impact other departments? Example: The ServiceDesk may experience a spike of calls.

Build individual partnerships/agreements ahead of time

Although it can be time-consuming to meet with decision makers, trusting relationships pay off in the long term. Other decision-makers will be more likely to accept your proposals if you are able to show that you care about the company’s best interests.

These are some things you can use to build trust and connect with leaders:

  • Which leaders are crucial to the success of your business?
  • What is the interaction between your department and this leader?
  • What are the top factors these key leaders measure on?
  • What are some ways you could make a positive difference to these key factors?

Last Thoughts

New Genesis Solutions’ core service is developing and managing vulnerability management plans. This is an extremely complex task that requires both the identification of gaps in technology management practices and coordination with subject-matter specialists within an organization to fix them.

On top of that, technology solutions are woven together to fulfil the mission of most businesses today. Once we add velocity to remediation processes, being able to help technology owners make the right decisions becomes a requirement.
