The Elements of a Risk-Based Security Strategy

Employing the right mix of policies, solutions and services can improve an organization's security posture.
By Mike Chapple, assistant professor of computer applications at the University of Notre Dame

A risk-based security strategy should be tailored to the unique needs of a specific organization, but there are still many common elements that exist across organizations. 

Organizations considering a risk-based approach should understand these elements, which fall into three groups: cybersecurity policies, technology solutions and services designed to help organizations manage cybersecurity risk.


Policy forms the cornerstone of every information security program. It sets out the guiding principles for cybersecurity efforts within an organization, formalizes the leadership support for those efforts and provides a justification for actions taken in the name of cybersecurity that might negatively affect other activities of the organization. In an organization adopting a risk-based approach to security, policies should spell out the nature of the risk-based approach and describe how the organization expects to avoid, mitigate and accept cybersecurity risks.

Fortunately, cybersecurity policy is a well-established field, and organizations do not need to start writing from a blank slate. Many government agencies and other organizations publish their cybersecurity policies on the internet, and organizations are free to peruse them for ideas as they begin to shape their own policies. The SANS Institute offers a free library of policy templates that organizations may use as the basis for their own policy documents. 

Organizations may also choose to base their policies on an established cybersecurity framework, such as the security standards published by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). A firm wishing to adopt a standards-based approach to security may benefit from bringing in a third-party consultant to perform a gap analysis of its existing controls, identifying areas where there are significant deviations from the chosen standard. The gap analysis can then serve as the basis for a risk-prioritized plan for applying new controls that close the identified gaps.


[Statistic callout: the percentage of organizations that Gartner predicts will use the NIST Cybersecurity Framework by 2020. Source: National Institute of Standards and Technology, "Cybersecurity 'Rosetta Stone' Celebrates Two Years of Success," February 2016]


Years ago, organizations seeking to formalize their risk management processes had very little in the way of outside resources to assist them. Over the past decade, new tools have emerged to assist with this work. These range from comprehensive governance, risk and compliance (GRC) solutions to specialized tools designed to assist with risk assessment and mitigation.

GRC solutions help tie together three functions that often exist in different silos within an organization. Policies are the product of governance processes, which often occur at the highest levels of an organization. Risk assessments and mitigation take place either within the IT function or as part of a dedicated risk management group. Compliance activities may occur within the legal or regulatory function. Each of these activities is extremely important to managing the organization’s overall risk exposure, but it is often difficult for them to share information. GRC solutions break down these walls by presenting each function with a function-specific view of important information, but allowing those views to draw from each other. For example, if internal auditors seek to determine the effectiveness of a security control at enforcing a policy objective, a GRC solution can help by linking security controls (risk management) to policy objectives (governance) and determining whether they are functioning properly (compliance).

Newer tools seek to dive deeper into risk management by leveraging artificial intelligence to help evaluate an organization’s risk profile. These tools can assess an organization’s internet footprint, previous data breaches and known security risks, and develop an independent risk score that can serve as a feedback loop for the risk assessment process. Other technologies deploy agents inside an organization’s IT infrastructure that continuously report back configuration information. These agents assess deviations from a security baseline that may represent cybersecurity risks.


Many organizations find themselves ill-equipped to provide a full range of security services internally. They may address this situation by contracting with vendors that offer security services. For example, managed security service providers (MSSPs) offer clients numerous security operations center (SOC) capabilities on a contract basis. Organizations that are unable to staff their own SOC on a continuous basis can hire an MSSP to monitor their security infrastructure around the clock for anomalies. When the MSSP detects suspicious activity, it may either immediately execute a planned response or escalate the issue to the organization’s own security team for resolution.

Organizations can also turn to service providers to assist with assessments of their internal infrastructure. Some MSSPs offer vulnerability scanning services that constantly monitor client networks for vulnerable systems and provide a remediation workflow that allows engineers to track the status of issue resolution. Other MSSPs provide penetration testing capabilities that use trained ethical hackers to probe an organization’s defenses using the same tools leveraged by cybercriminals. These authorized attacks provide valuable insight into an organization’s security posture, allowing it to correct issues that pose a significant risk of exploitation.
