October 5, 2017 By Rick M Robinson 2 min read

When things go wrong with computer systems and networks, whether due to ordinary mishaps or malicious actors, the organizations that rely on those systems and networks are put at risk. They may suffer direct financial losses, reputational damage or both, with effects ranging from inconvenience to total loss and liquidation of the enterprise.

Understanding these hazards and their consequences is what risk analysis is all about. It may seem obvious, but too many organizations — and even security professionals — have lost sight of the importance of risk management. They are often so focused on efforts to describe security expenditures in terms of return on investment (ROI) that they fail to adequately account for risks. Security ROI computations tend to be meaningless without the proper context of a risk analysis.

The Challenges of Risk Analysis

In most cases, according to Errata Security, organizations “don’t have a sophisticated enough risk matrix in order to plug in some ROI numbers to reduce cost/risk.” Instead, the risk assessment numbers on which an ROI computation is supposedly based are often generated by outside vendors or security engineers with little basis in reality.

This challenge is particularly great because security risks are moving targets driven by malicious actors. In industries such as energy and utilities, risk analysis is relatively straightforward because the threats come almost entirely from accidental mishaps. These risks can be assessed and computed based on engineering experience.

In contrast, security risks depend on technological considerations, such as potential points of vulnerability, as well as the “whims and fads of the hacker community,” according to Errata Security. Because the technology is rapidly evolving and the ecosystem is deeply layered, risk assessment needs to consider not only vulnerabilities that exist now, but also new ones that may develop in the future.

The Architecture of Security

For these interrelated reasons, trying to encapsulate security spending needs in terms of ROI is an artificial exercise. The presentation may sound crisp and businesslike, but it is so full of hidden asterisks that it is essentially meaningless.

So what should guide security professionals and business leaders to help them determine the right level of spending on cybersecurity? Errata recommended thinking about security engineering as analogous to architecture — not computer architecture, but the concrete and steel kind. When designers plan a building, they know they will need to provide a certain number of bathrooms to accommodate the building’s users, a calculation that requires no ROI computation.

Security is not an obscure mystery. We know the basic things we need to do to protect our systems and networks against cyberthreats, and we know how to mitigate the effects of damaging attacks. We need to take action, not seek assurance from fanciful ROI computations.

Listen to the six-part podcast series: A CISO’s Guide to Obtaining Budget

More from Risk Management

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today