Merely conforming to cybersecurity standards, such as ISO/IEC 27001, or complying with regulatory requirements, such as PCI DSS, won’t automatically make an enterprise’s security complete, effective or economical. Meeting a standardized control baseline might check compliance boxes, but creating a strong risk-based strategy, building a resilient operating environment and hardening against evolving cyberthreats requires more.
This gap — the difference between the bare minimum and a strategic, formalized, resilience-based program — is what risk-based security is all about. A risk-based approach incorporates information about the organization — its goals, critical assets, context, threats — into security planning. It ensures that resources are used optimally, that context-specific circumstances are accounted for, and that real threats tie directly to deployed countermeasures.
Let’s look at what a risk-based security strategy involves and five steps security practitioners should follow when developing their plan.
What is risk-based security?
Security practitioners know that risk is a function of two factors:
- Impact. How bad a given outcome will be.
- Likelihood. The…