In the U.S. Army, any event that threatens combat readiness and the ability to project power can and should be considered a risk factor. As an Army Officer, managing risk was inherent to my role and the responsibilities I was entrusted with. Planning military operations in conflict zones was a disciplined exercise in leveraging the Army’s risk management methodology, which begins with mapping out all legitimate and perceived threats that could negatively impact the mission. In other words, having exhaustive awareness of the threats we could potentially encounter was foundationally essential. Executing these same operations to reduce risk exposure was a combination of controls that included relentless training, leveraging advanced technologies, and superior weapon systems. It was still mostly science, but there was also an element of art required to adapt to the one element we had no control over – the enemy.

As an Intelligence Officer, planning sensitive operations and managing risk were no less rigorous. Arguably, in execution, the number of elements that became dynamic expanded significantly given the nature of our work, creating a broader definition for how we treated and understood the enemy and related threats. I found myself again managing risk through an adaptive model that acknowledged the diversity of circumstance and the associated variables of the situation. More specifically, it meant that I had to adopt a much broader understanding of the totality of potential risk factors that could impede our chances for success. Again, having absolute awareness of the risk factors was foundational for determining what controls I could proactively implement to reduce the likelihood of my negative exposure to them.

Now, as a business leader, I’ve changed uniforms and focus on different objectives – a new mission – but I remain universally responsible for managing risk. Any event that threatens our ability to meet our revenue targets and the related goals tied to increasing our customer base, achieving high rates of customer satisfaction, and driving innovation is considered a risk factor. My stakeholders are different, but the threats I face are, at scale, not unlike those of any organization that lives in a digitally connected world. My risk management process has also not changed, nor should it. I have something to protect – my business objectives – so I must have absolute confidence in my awareness of the risk environment.

In order to recognize, understand, and evaluate the significance of risks, we need to bound our assessment of the risk environment to whatever is worth protecting. This is not only a cost problem; we are protecting the value of the organization. It has to be measurable, focused on how we are impacted when exposed to threats seeking to exploit potential vulnerabilities. Effective risk management is not a binary problem, either. It must be a continuous and adaptive model that respects the ruthless nature of a threat environment that is no less sophisticated or mature than our own defenses.

Cyber risk management is no different, and yet as security teams we find ourselves investing in a litany of solutions – 65 technologies in the average security stack – without first comprehensively understanding what we’re actually protecting and why it should matter. To be sure, a tuned stack is essential to scale and support both the volume and velocity of data flow across the cyber environment and to protect a borderless and exploitable attack surface.

Cybersecurity has graduated to a top-line business concern and, in so doing, must adopt a new paradigm that moves beyond simply protecting the environment to proactively managing the risks that impact the business – with measurable, data-driven confidence. Providing security value begins with determining what is of value to the organization in order to comprehensively understand what is at risk.

For more information on how Pellonium can support your cyber enterprise risk management efforts, please contact us at info@pellonium.com.