In the fast-paced world of cybersecurity, risk managers often lack the time, staff, and budget to put every desirable security measure in place. The scrutiny that follows a security breach can feel unfair, but a little-known principle in security regulation, reasonable security, can help justify security spending. Regulations express it in phrases such as reasonable risk, risk-based, and reasonable safeguards, and it means that the burden of a safeguard should not exceed the risk posed to others, which allows a security program to be sized to the risk rather than to an auditor's wish list. By using Duty of Care Risk Analysis (DoCRA), which is gaining traction among regulators and standards bodies, cybersecurity practitioners and risk managers can better respond to demands from auditors and demonstrate, in business terms, that their security measures are reasonable.
TRANSCRIPT
You don’t have enough time in your workday to get done what needs getting done, and you certainly don’t have enough staff and budget to take care of all the things you need to take care of for cybersecurity.
What’s more, it’s only after a hacker takes advantage of an obscure vulnerability that everyone will ask you why you didn’t block what, to them, was clearly obvious after the incident. That’s not fair to you, and it doesn’t help you get your job done now.
But there’s a little understood rule in cybersecurity regulations that can help you.
That rule is called reasonable security. You’ll see it in regulations in phrases like reasonable risk, risk-based, and reasonable safeguards, which all mean the same thing.
The burden of your safeguards may not be greater than the risk you pose to others. When you have that rule by your side, any time you need to justify a new security expense for which you don’t have the resources, the budget, or the team, you can show in business terms why the expense is no more and no less than what’s needed for security and for the law.
And if you have a breach or an otherwise demanding auditor, you can demonstrate why their demands are not reasonable as the law defines it.
You can take advantage of this rule by using Duty of Care Risk Analysis, or DoCRA. DoCRA is increasingly adopted by regulators and standards bodies as a way to balance your already difficult burden with the care you owe to others.
You can learn more by looking at the DoCRA standard at docra.org, by talking to your account executives at reasonablerisk.com or HALOCK Security Labs, or by going to cisecurity.org to look at CIS RAM.