
Is defining your 'Risk Appetite' important?

Yes. But is it as simple a decision as whether or not to put your head inside a lion's mouth? Cyber security risk decisions aren't that straightforward.

Ultimately, managing your cyber security risk is a trade-off between cost and benefit. But it is a world away from being as simple as whether to put your head inside a lion's mouth. A decision about a cyber security risk comes down to whether your organisation can manage the risk and therefore reduce it, or can afford to accept the risk and leave it alone for a while. The challenge is that not many organisations have the risk information, decision-making process or risk management capability to do this on the fly without first defining their risk appetite. Do you know what level of risk is acceptable to your organisation?

Many organisations work to reduce their risks and then end up accepting the ones that are too difficult to reduce, or where they cannot see the value in reducing them. The trouble is that if you don't know what level of risk your organisation can tolerate, how can you decide whether to accept a given risk? You absolutely need a clear understanding of what is acceptable and what is not. Everyone hopes to avoid risks in the first place, and then attempts to transfer them so that they become someone else's problem. What matters, however, is having the capability to reduce them to a level that you, as an organisation, are willing to accept.

Many organisations are keen to understand how they would handle a cyber security attack or breach, and are engaging cyber security firms to review their business and technical environments. However, you get a better experience, and a better answer to the question "Do we really need to spend this money on fixing this risk?", if you understand and know your organisation's risk appetite. I'm not saying it's a must, but in my opinion it's a sign of real responsibility and maturity in understanding your cyber security risks and threats.

Our Approach

The process is pretty straightforward and it doesn't have to be complex (complex = expensive). We believe in keeping things simple. You can spend lots of money trying to get a perfect answer, only to change it two months later, or you can get the fundamentals working properly and then tweak them to optimise. There are four key steps to follow:

  • Better decisions. Being able to make decisions about risk treatment more easily and more accurately is essential for balancing cost against benefit when it comes to cyber risk.
  • Better risk management. Being able to manage risk more effectively by fully understanding your tolerances, thresholds and the impact on your assets.
  • Better financial management. Cost-effective spending on cyber security controls and solutions is definitely important, as many organisations are blindly spending money on cyber security without understanding whether there is a benefit or whether they are actually reducing their risks.

If you would like to know more about this process of defining your Risk Appetite, or would like us to run a free half-day workshop on Risk Appetite Definition, please get in touch (details below).

About Securestorm: We are a lean, agile and responsive cyber security consultancy that provides practical advice and intelligence with the aim of simplifying the world of Cloud and Cyber Security. With a combination of innovation, expertise and strategy, Securestorm brings synergy to the industry.

About the Writer: As CEO, Mandeep is the chief planner behind Securestorm's wheels, responsible for steering and implementing all aspects of sales, marketing and business development to ensure the company's ongoing success and growth. As a veteran security advisor and business leader, Mandeep has managed multinational clients and is a well-known security expert in the industry who has built his career and reputation on solving clients' information security, risk and compliance challenges. Mandeep draws on 20+ years of business and security experience across industry and regularly contributes industry insights, workshops and seminars in the IT security space.

Talk to us about this article: