Organizations need to practice regular cyber hygiene. But they must also take steps to mitigate cyber risk—the most serious threats to our security.

In numerous discussions and forums recently, the conversation about the need for a risk management approach to cybersecurity has quickly devolved into a discussion about cyber hygiene and, ultimately, a discussion about compliance (with perhaps some simple metrics thrown in).

This pattern of following a difficult, but business-oriented discussion of risk to a trivial oversimplification is common within government and industry circles—and even among the most sophisticated CISOs. What we really need, however, is a holistic risk framework and a solid commitment to risk-based measurements in order to accurately understand and defend against the most serious cybersecurity threats facing our country. Too often we focus solely on cyber hygiene, which, while important, doesn’t fully address the more severe risks organizations face with increasing frequency.

Consider the analogy to personal hygiene. Do we believe everyday tasks such as brushing our teeth, washing our hands and taking a shower will prevent serious illnesses, birth defects or cancer? No. We believe that although good hygiene will help prevent many common ailments and even life-threatening diseases—from periodontal disease to the flu—it fails to thwart those more complex ailments. Because of this, we know we need to continue funding cancer research to find a cure, taking antibiotics for serious or chronic infections and leveraging technology such as MRIs to identify internal maladies that don’t respond to simple hygiene changes.

Simple practices don’t prevent serious risks

In a similar way, cyber hygiene lends itself to simple surveys, compliance scans and audits. But will those perfectly acceptable practices help prevent more serious risks?
I’d argue not, as those real risks often require something much more analytically sound and scientifically grounded. It is certainly good to be able to report that an organization passed an audit on a required security compliance regime, but it is difficult or impossible to describe how much risk was reduced by that level of compliance (or how much remains).

What is needed is a truly analytical framework that enables executives to communicate in the language of risk and the language of the business. And while I like some aspects of NIST 800-30 (mainly the definitions), it’s certainly not helpful for implementing a risk approach. At the highest level, a risk analytic approach should answer these questions:

Which threats are most likely to occur?
What are our greatest vulnerabilities?
What would be the consequence if a threat event was successful?

Translating these into business terms is key, and measuring them so that risks and countermeasures can be prioritized is essential. Further, the approach needs to be analytically valid and automated, not just a once-in-a-while paper endeavor.

Like human hygiene, organizations must maintain regular cyber hygiene for healthy outcomes. But it’s critical they don’t neglect the tools and processes that mitigate cyber risk—the most serious threats to our security. Both are critical, and it’s essential we understand the differences.

Are you seeing good examples of risk programs? Please share! In subsequent posts, we’ll discuss analytical approaches and review some good examples.