Risk is always a part of your cyber strategy. It evolves based on your environment. It could be calm one moment, then a disastrous storm the next. The key to managing risk is to continually take care of your critical business areas and all interested parties.
But how do you manage the needs of many with different priorities?
By establishing reasonable security through the Duty of Care Risk Analysis (DoCRA). Duty of care requires that organizations demonstrate they used controls to ensure that risk was reasonable to the organization and appropriate to other interested parties at the time of the breach. This approach enables users to:
- Prioritize security investments
- Consider the needs of all interested parties
- Demonstrate that the risk is ‘Acceptable’ or ‘Reasonable’
- Protect the organization without overly burdening it
- Continuously manage to ‘enough’ security
- Manage your cyber insurance coverage appropriately
We also incorporate the Sedona Conference’s “Test for Reasonable Security Controls,” which establishes that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others. By balancing an organization’s mission, objectives, and obligations, your risk strategy will have the appropriate balance of compliance, security, and corporate responsibility. You will be practicing ‘reasonable security’.