All the risk management measures that an organization might take to address cybersecurity threats depend on one critical question: What is the organization’s risk tolerance?
Risk tolerance is a concept borrowed from investment strategy. An investor with high risk tolerance will be more willing to endure the potential volatility of the stock market and engage in more risky investments; one with lower risk tolerance is more cautious. Financial advisers make different recommendations to their clients depending on each client’s tolerance of risk.
The same principles apply in cybersecurity risk management. A company’s risk appetite is the amount of risk to its data and infrastructure that the business is willing (and able) to sustain. Risk tolerance is the degree to which the company is willing to stray from that stated risk appetite to achieve other goals.
Some industries can accept a higher risk tolerance, which means their security will not be as stringent as those with lower risk tolerance. If your company deals with particularly sensitive data or is subject to strict compliance obligations, then your risk tolerance levels will be lower.
Risk capacity is another term that originated in investments, but it is not the same as risk tolerance. Risk tolerance is the level of risk your company is willing to accept in pursuit of certain goals. Risk capacity is the amount of risk you need to accept to accomplish your goals, both long- and short-term.
In the financial world, high-risk investment strategies can bring higher returns. In cybersecurity, however, that’s seldom the case. So finding the right balance between risk capacity and risk tolerance will help you meet your goals without subjecting your company to unnecessary threats.
Businesses With High Risk Tolerance
The benefit of a higher risk tolerance is that you can be more flexible with your cybersecurity measures. That doesn’t mean you can be complacent with your risk management strategy, but you have more discretion to prioritize areas where the most protection is needed. This can save you money in the long run since you’ll have more choice about where your funds are allocated.
Businesses that either don’t process or don’t store much customer data (for example, a janitorial service or commercial construction firm) can have a higher risk tolerance. Your risk tolerance can also be affected by your cloud storage, the number of endpoint devices in your network, and the current configuration of your security framework.
Businesses With Low Risk Tolerance
Businesses with low risk tolerance must be more cautious in their approach to risk management. Reasons for a lower risk tolerance could include government contracts, access to particularly sensitive information, or trading in data that makes you an especially attractive target for cyberthieves. Examples include defense contractors, financial firms, hospitals, and higher education institutions.
If your company determines that your risk tolerance is low, then you will have no real margin for error when it comes to cybersecurity.
Determining Your Risk Tolerance Level
Here are some questions to ask to determine your risk profile:
What are your goals? What does your past performance look like, and what does your company hope to achieve in the future? Financial goals, your potential scalability, and any potential mergers are all things to consider while deciding how much risk your company can take on.
What compliance guidelines are required of your industry? Do your business dealings fall under the PCI DSS or the GDPR? Are you subject to HIPAA or FISMA guidelines? If your industry, location, or size dictates a particular framework, then that framework must factor into your decision making.
Who needs to be involved in the risk tolerance conversation? Your company won’t be able to paint an accurate picture of your risk tolerance without input from departments at all levels. Different team members may have different comfort levels, and it’s important to solicit information from all of them.
What particular risks are inherent to your industry? Companies that access or process medical data are statistically more likely to experience attempted breaches. Your company’s public profile could make you vulnerable to ransomware attacks. Think about the unique ways in which your company may attract risk, and plan accordingly.
Track Emerging Risks With ZenGRC
Regardless of your tolerance level, your company needs a consistent strategy for managing risk. If you’re still using outdated tools to track your cybersecurity efforts, ZenGRC has the solutions you need.
ZenGRC is a unified, single-platform solution that allows you to maintain real-time monitoring of the threats that affect your company. By reducing manual effort and streamlining workflows, ZenGRC creates a clear picture of your company’s threat landscape and helps you assess, prevent, and control threats. Schedule a demo today and learn more about how ZenGRC can improve your company’s risk and compliance program.