CISOs and security professionals always talk about risk when it comes to the cybersecurity of their organizations, but what exactly is risk? For the purposes of this discussion, the level of risk in any given organization is generally defined as the severity of a possible issue combined with the value of the affected asset(s).
Naturally, cyber risk is that same principle applied to digital assets. As organizations struggle to protect themselves from the seemingly ubiquitous threat of cyberattack, the concept of risk management becomes all the more important. Protecting everything all the time from every possible threat is an unreasonable and impossible task, or as the saying goes, “He who defends everything defends nothing.” So as virtually every industry now has to grapple with how and where to assign its cybersecurity resources, it has fallen on CISOs and other leading security professionals to define the risk inherent in their organizations, and to find and deploy the technologies and methods necessary to bring it within an acceptable level.
Compounding this issue for security executives and professionals is the dramatic increase in connectivity in both IT and OT networks, brought about in part by the pressure for greater productivity and efficiency through digitization and the use of various third-party applications and services. Organizations now have hundreds of connections to third parties, including vendors, customers, cloud environments, outsourced service providers, and more. Because each external connection represents another possible point of ingress to your networks, it should come as no surprise that as the number of connections has increased, so has the risk.