Understanding Risk and Responding Effectively

We also have this information in video format.

Can I eliminate risk?

Not really. There's always going to be some inherent risk in everything we do. But there are different responses that you can take to reduce that risk. For instance, you can mitigate the risk by putting appropriate controls and safeguards in place to decrease the impact of that risk.

For example, seat belts in a car. You know there's a possibility that you may get into a car accident. A seat belt helps mitigate the damage you would suffer in that accident.

There is also risk transference, which is having someone else assume the responsibility and liability for that risk. A good example of that is insurance. In the event of that car accident, you don't have to deal with the burden of paying for all of it yourself. You've got a third party, your insurance company, who will come in and pay the bill for you. You still have to pay them for the coverage, but the full financial risk isn't on you as an individual.

There's also risk deterrence, which is enacting enough safeguards to try to prevent that risk from happening in the first place.

Risk avoidance is choosing a completely different approach so the risk never applies. You're worried about the risk of being in a car accident, so you choose not to drive a car. Ever.

Then there's risk acceptance. That means looking at the risk, its costs, whether it can be avoided, whether it can be transferred, and deciding that there's nothing practical you can do about it.

And lastly, there is risk rejection, that is, choosing to do nothing about the risk. Risk rejection usually constitutes gross negligence and is a violation of due care and due diligence. Risk rejection is not a valid risk response when dealing with cyber issues.

A common misconception about risk is that identifying risks is scary, so it's better to ignore them. However, once you identify that risks are there, you can plan for them, and you can plan to mitigate them.

So, can you eliminate risk? No, but not all risks are inherently bad. There's always going to be some degree of risk in everything that we do and how businesses operate. It's important for businesses to understand those risks and to respond to them effectively.

Contact us if you have concerns about the cyber risks for your organization.

Adam Evans, CISSP

About Adam Evans, CISSP

Adam is a seasoned cybersecurity professional with more than a decade of experience in the MSP industry. He started his career as a helpdesk engineer and worked his way up through various technical roles to specialize in cybersecurity – specifically GRC, security architecture, and defensive operations. 

Adam is passionate about sharing his expertise and insights with the next generation of security professionals. He believes that by working together and sharing knowledge, we can make the world a safer and more secure place for everyone.

Connect with Adam on LinkedIn: https://www.linkedin.com/in/grcadame/
