Understand your risk appetite to better prioritize and align your resources and address key cybersecurity risks.

This blog is part of Apex Digital Solutions’ Best-In-Class Security series. In this blog series, we explore key topics in Developing and Implementing a Best-In-Class Security Strategy. 


Have you ever worked with a financial advisor? What was one of the first questions they asked you? In many cases it is: “What is your risk tolerance when it comes to financial investing?” In the financial world, your response should depend on several factors, including your age, target retirement date, how much money you require to fund your retirement, and other financial resources you have outside of the investment in question. If you are younger, you may be willing to accept the risk of potential losses for the potential reward of higher returns. Likewise, as you near retirement, you may look to reduce risk in your investment portfolio.

There is one universal truth amongst all the organizations that I have worked with or for: they all have limited resources – people, time, and money. Another universal truth is that all organizations face risks associated with cybersecurity, whether it is as simple as broken business processes or well-intentioned insiders mishandling data, or more complex, like external attackers (hackers) breaching their system or breaching the system of an organization’s third-party vendors or partners that may have access into the controlled environment.

While all organizations have cyber risk, not all cyber risk is created equal; each business is unique. It is essential to understand which threats pose a risk to the survival of your business, which would wound it, such as a temporary stoppage, and which would simply cause operational delays or hiccups.


To understand risk, you must first understand the resources within your business. It is vital to identify your critical assets, systems, and processes.

Assets could be individual machines, devices, or other physical assets that are critical to the operation (and survival) of your business.

Systems can be a collection of assets or processes that make up a system – such as an inventory fulfillment system, an HR system, or a communication system such as email. 

Processes may include both manual and automated business processes that are critical to the operation of your business such as customer acquisition (sales) processes.  

Next, focusing specifically on cyber risk, businesses should evaluate the different types of cyber threats that could negatively impact their operations.

Many different types of risk can result in data loss, theft of IP, and so on: lost or stolen devices, password compromise, malware or ransomware infection, denial of service, data breaches involving external attackers or insider threats, and more.

Organizations should also think about regulatory compliance impacts and what may happen if they fail to meet their regulatory requirements, including fines or loss of business. These can be captured and listed within a (cybersecurity) risk register, where you can also evaluate the likelihood, impact, and severity of each potential scenario as part of your overall risk modelling.

For each of the identified risk scenarios, time should be dedicated to understanding the impact. This is where we can cross-reference the work that was done previously to understand each impact to critical assets, systems, or processes in the business. Categorize risks from low impact to catastrophic impact based on their potential to cause damage to the business should an event occur.

This type of risk modelling is unique to each business and should be carried out to help you understand your risk appetite in each scenario, based on the circumstances as they apply to your business. If you successfully map risk down to specific systems, then knowing whether a given system is business-critical makes it easier to understand your tolerance for risk to that system.

As with the other assessments we have discussed in this series, it is important to re-evaluate or re-assess on a frequent basis. The decisions you make may change over time as new threats become a reality, as systems and processes change, or as new regulatory requirements emerge with new financial penalties. Always be sure to prioritize efforts on addressing or mitigating the threats where your tolerance for risk is the lowest.

If you have not yet read the previous blogs in this Best-In-Class series, read “Measuring for Success,” which covers selecting a security framework, and “Mind the Gap!”, which covers assessing and understanding the difference between your current and targeted maturity to better prioritize and plan for your future.

Together, this trio of blogs provides key insights into some of the critical aspects of establishing a best-in-class security strategy.

Vantage, Apex Digital Solutions’ proprietary capability and operational maturity model, is designed to help organizations monitor and measure their current maturity based on key questions and traits. Vantage helps identify and prioritize critical areas that organizations can improve over time through continuous assessment and re-assessment across core functional areas, including security.