Chapter 4

Adopting a risk-based approach to make business impacts explicit

In order to strengthen the security of the digital enterprise effectively, without overwhelming it with a profusion of technical devices and constraining procedures, the solution must be proportionate to the probability and extent of the possible damage. In other words, it means moving from the absolute notion of security to the relative notion of risk. Another key advantage of risk is that it can be assessed in terms of its probability and its impact on the company, which lifts cybersecurity out of the purely technical dimension in which it is too often confined. Translated into risks, IT security is no longer an obscure and costly constraint but an objective management element. Adopting a risk-based approach makes the potential impacts on the business explicit. The stakes then become comprehensible to all, measurable and comparable, so that the company can set clear objectives and rules and measure the progress made against the investments made.

For almost all the respondents (92.2%), a risk framework already guides risk-based investment decisions. More specifically, 81.4% of the companies surveyed believe that their approach to cybersecurity is already aligned with this risk management policy.

  • Does your organization incorporate risk modeling and risk management into its strategy planning? Yes: 92.2%
  • Is your organization’s cybersecurity strategy reflective of the enterprise risk management strategy? Yes: 81.4%

Yet, as we have seen, budgetary constraints and skills shortages remain permanent obstacles to improving security. It is surprising that companies can claim to be so risk-conscious while it remains so difficult to mobilise the necessary resources. Differences between the profiles surveyed, both in the benefits they expect from security and in their perception of the operational reality, also suggest that cyber risk is not as well understood as some believe. For example, Business decision-makers are convinced that cybersecurity is mostly taken into account at the early stages of a project, whereas IT and Security managers are well aware that this is not the case.

Survey question: To what extent is IT security embedded into new business initiatives in your organization?

The gap between the profiles in what they expect from the digital trust that cybersecurity can bring is particularly illuminating, because it highlights three distinct attitudes towards cybersecurity. Looking ahead, Business decision-makers anticipate – maybe a little hastily – that an environment of trust will enable them to grow their business within a customer and partner ecosystem. Facilitators by nature, CISOs see security as a lever for digital initiatives. Finally, pragmatic CIOs remind us of the need to align Security and Business, and consider risk the means to achieve this.

What do you consider to be the most critical business outcome that security supports in establishing digital trust?

  • Business: Ensuring digital reputation as a requirement for partners and customers engaging in digital relationships
  • IT: Aligning security and business, contextualized on a risk basis
  • Security: Enabling broad digital transformation initiatives

Such differences of assessment reflect the lack of maturity already observed, and one may therefore suspect that companies are under the illusion that they are integrating cyber risk into their risk management policies.