by Hank Berkley
Contributing editor

No matter the type of organization in which you work, technologies that are embedded in your business pose a constant danger. Whether the technologies are obvious, such as computer servers or process control systems, or less apparent, such as scales in a rail yard, protecting them from cyber risks should be high on your list of priorities. But cyber security must be applied appropriately. Your goal should be to apply the right amount of effort to protect your company’s assets (including your reputation and ability to operate) based on their value.

The investment community has focused on risk-adjusted returns for decades. Simply put, investors expect to be better rewarded for taking a larger risk. This is why interest rates paid by the federal government are lower than those paid by a typical company. Similarly, you should weigh the potential loss from a cyber incident against the cost of protection and accept a risk level that is appropriate for your situation.

The first step in any cyber security plan needs to be to understand the risk. A bank may have an armed guard in an armored vehicle when it is full of cash, but the guard goes off duty when the empty truck is parked for the night. What are you trying to protect, how much are you willing to spend to defend it, and what level of certainty can you live with (your risk tolerance)? This is relatively straightforward when discussing physical security. How much cash is in the truck? What does it cost to have a guard? Do I want to buy insurance or self-insure? But in the world of cyber, just identifying the potential risk can be complicated, and assessing that risk can become a major undertaking.

Key to having an appropriate security level is to recognize (a) that it is an ever-evolving process and (b) you can’t just hire someone to make the problem go away. There is no single solution – no one-size-fits-all approach that an organization can take. Equally important is the realization that no matter how much you spend, there can be no 100% certainty of success.

With such a complex problem it is easy to throw money at it, or to abandon all hope and wait for the loss that seems inevitable. But the fact that you can’t be assured of a perfect solution doesn’t mean you shouldn’t pursue a level of protection that is appropriate for you, recognizing that an incident may still occur. People get in cars every day knowing that there is some level of risk involved, but they fasten their seat belts to reduce the risk and buy insurance in case something unexpected does happen. Just the simple act of fastening the seatbelt reduces the chance of death by over 45%.

The good news is that some investments you can make in cyber security are like wearing a seatbelt and can have a big impact on reducing risk. The bad news is that as you reduce your risk, the marginal benefit of each additional layer of security is lower, and often the price is higher. The goal is to achieve the right level of protection for your organization without overspending. Or worse – without handicapping your business operations.

Cyber security today is often driven by sowing FUD (fear, uncertainty and doubt) in an organization. You may not hear the term used, but you will certainly be subjected to it. Over the next several weeks, we will use this blog to shine a light on the types of risks, the types of security solutions, and how to find your way to that balance.