As an industry we have a history of focusing on things around risk but not explicitly addressing risk; when we do that we are NOT doing “risk-based” anything.
I’m fully disenchanted with cybersecurity practitioners, vendors, and industry analysts claiming approach x to problem y is “risk-based” only to pull the carpet out from under me moments later. Technology risk is maturing beyond the superficial application of “risk-based” marketing fodder and it’s high time we hold offenders in contempt.
A true risk-based approach to decisions in cybersecurity means we explicitly address the frequency and magnitude of events associated to our decisions. Look for those two core components of risk whenever you hear a claim to be “risk-based.”
If we focus only on threats, highly targeted vulnerabilities, or assets and their value statements, we will always ignore at least one of the core components required for risk-based decision making. It’s a flawed approach that’s guaranteed to fail us.
Overwhelmingly, this lipstick gets applied when a purveyor of a product, framework, or process claims the decisions made using said product, framework, or process are “risk-based.”
Don’t fall for the Vulnerability Management pitch…
A prime example is commonplace in the Vulnerability Management world. You’ll see a variation of this in anything from Vulnerability Management marketing material to Gartner’s gated reports:
“A risk-based approach to vulnerability remediation focuses on the vulnerabilities which threats are taking advantage of” (emphasis mine). It is a more mature approach to vulnerability prioritization than in years past. But it’s still muddy at a time when we cannot afford to live in the mud anymore.
This claim is not “risk-based”; it’s threat-based. It is good advice, but it does not address the necessary components of risk (frequency and magnitude) and therefore cannot be “risk-based.”
…Or the asset-value pitch
Once we realized the mentality of threats/vulnerabilities = risk was failing, we began shifting focus to other parts of the landscape: threats, assets, hiring practices, etc. If only I had a quarter for every time I heard this one:
“A risk-based approach to asset management focuses on the highest value assets first.”
This claim is not “risk-based”; it’s asset-based. Again, this is a shift in focus from the vulnerabilities on assets to the assets’ value proposition. But it suffers the same problem: it ignores the frequency of threat events acting against those assets.
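To make the distinction between threat-based, asset-based, and frequency-times-magnitude prioritization concrete, here is an added example that is not part of the original post. It ranks three constructed findings three ways: by an "exploited in the wild" flag (the Vulnerability Management pitch), by asset value (the asset-value pitch), and by annualized loss, computed FAIR-style as threat event frequency × vulnerability × loss magnitude. The field names, the numbers, and the findings themselves are made-up assumptions chosen so that each heuristic puts a different item at the top.

```python
"""Compare three vulnerability-prioritization heuristics on constructed data.

Added example, not code from the original post. The findings below are
invented; the field names are assumptions rather than any real tool's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    asset_value: float          # USD value assigned to the asset (asset-based signal)
    exploited_in_wild: bool     # threat-intel flag (threat-based signal)
    threat_event_freq: float    # expected attack attempts per year (TEF)
    vulnerability: float        # probability an attempt succeeds, 0..1
    loss_magnitude: float       # expected loss per successful event, USD


def loss_event_frequency(f: Finding) -> float:
    """FAIR: loss event frequency = threat event frequency x vulnerability."""
    return f.threat_event_freq * f.vulnerability


def annualized_loss(f: Finding) -> float:
    """Risk as frequency x magnitude: expected loss per year in USD."""
    return loss_event_frequency(f) * f.loss_magnitude


def rank_threat_based(findings):
    """Exploited-in-the-wild first; ties keep input order (sort is stable)."""
    return [f.name for f in sorted(findings, key=lambda f: not f.exploited_in_wild)]


def rank_asset_based(findings):
    """Highest asset value first, regardless of how often it is attacked."""
    return [f.name for f in sorted(findings, key=lambda f: -f.asset_value)]


def rank_risk_based(findings):
    """Highest expected annual loss first: both frequency and magnitude count."""
    return [f.name for f in sorted(findings, key=lambda f: -annualized_loss(f))]


# Constructed sample findings (not real data).
FINDINGS = [
    # Actively exploited, but the host is isolated and holds little: few
    # attempts ever reach it, and a success costs little.
    Finding("lab-jumpbox-rce", asset_value=5_000, exploited_in_wild=True,
            threat_event_freq=2.0, vulnerability=0.9, loss_magnitude=10_000),
    # Crown-jewel database, but the weakness needs insider access: attempts are rare.
    Finding("core-db-privesc", asset_value=5_000_000, exploited_in_wild=False,
            threat_event_freq=0.05, vulnerability=0.5, loss_magnitude=4_000_000),
    # Internet-facing portal: moderate value, attacked constantly, costly when it fails.
    Finding("customer-portal-authbypass", asset_value=800_000, exploited_in_wild=False,
            threat_event_freq=50.0, vulnerability=0.3, loss_magnitude=500_000),
]


def compare_rankings(findings=FINDINGS):
    """Return the three orderings side by side so the divergence is visible."""
    return {
        "threat_based": rank_threat_based(findings),
        "asset_based": rank_asset_based(findings),
        "risk_based": rank_risk_based(findings),
    }


if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.name:28s} LEF={loss_event_frequency(f):7.3f}/yr  "
              f"ALE=${annualized_loss(f):>12,.0f}")
    for label, order in compare_rankings().items():
        print(f"{label:13s}: {order}")
```

The threat-based list puts the isolated lab host first because it is "being exploited"; the asset-based list puts the core database first because it is worth the most; only the frequency × magnitude ranking surfaces the customer portal, where a high attempt rate and a substantial loss combine into the largest expected annual loss. Swapping in your own frequency and magnitude estimates is the point of the exercise: if a prioritization scheme has no place to put them, it is not risk-based.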
Confront the hucksters
At every corner we see hucksters shouting claims that their shifted focus to another component of the landscape is invariably "risk-based." We should engage these claims head-on if we ever hope to get out of the mud as an industry.
If you need help honing your “risk-based” approach then take a FAIR training course and gain clarity on what “risk-based” really means. Then, get active in the FAIR community through the FAIR Institute. Become part of the solution.