
Align your cybersecurity strategy with your organization’s risk appetite

Strengthening security and governance begins with a firm understanding of acceptable risk and balancing it with cybersecurity costs.

Cybersecurity remains top-of-mind again this year. According to Gartner, 69% of CIOs say managing cybersecurity and technology risks is their top focus for the next 12 months.

Breaking that down further, CIOs are specifically concerned about aligning their cybersecurity program and technology investments with their organization’s appetite for risk, largely due to increasingly sophisticated threats and adoption of AI. But how do you determine what constitutes acceptable risk?

This post will provide a basic framework for defining risk, as well as risk measurement, identification, and analysis. Finally, it will offer strategies for lowering risk to a level within your organizational risk appetite.


»What is an acceptable risk?

Cybersecurity is a balancing act. Security budgets are not unlimited. Organizations need to weigh risk appetite against the cost of risk mitigation.

  • You don’t want to waste money by adding unnecessary security layers
  • You don’t want to underinvest in security and open your organization up to costly losses from a potential breach

Finding the answer comes down to the level of risk your organization is willing to take. Before you can determine acceptable risk, however, first you must define risk. This starts by recognizing the difference between threats and risk.

A threat is anything that can negatively impact your organization. From a cybersecurity perspective, these include malware, DDoS attacks, credential theft, data exfiltration, and more.

Risk is an outcome. It is the result of analyzing threats and assessing the likelihood and impact of those threats to your organization. Evaluating risk goes well beyond looking at cyber threats. Risk is multifaceted: it includes evaluating threats such as those mentioned above, but also encompasses other potential events, such as compliance failures, disasters or downtime, and insider actions.

Typically, key stakeholders in an organization work together to define what is acceptable risk. This analysis comes down to determining when the cost of risk mitigation is larger than the presumed impact of the threat.

»The steps of risk analysis

This is a multi-step process within your risk management program. It enables you to catalog threats, prioritize them, and allocate resources to lower risk.

»Inventory

Risk identification begins with a comprehensive inventory of your organization’s key assets. These include people, hardware, software, data, infrastructure, intellectual property, physical property, and any other confidential or critical assets within your organization.

»Threats

The next step is identifying threats to your key assets. This too should be a comprehensive list, noting as many threats as possible. Threats are then categorized as external threats (malware, DDoS attacks, etc.), internal threats (phishing, human error, etc.), and environmental threats (natural disasters, etc.).

»Vulnerabilities

Note your vulnerabilities. Many breaches occur because a bad actor exploits a known vulnerability in software, hardware, or operational practices that an organization had not mitigated. Protecting your organization requires preventative measures such as ongoing scanning and analysis to identify and mitigate vulnerabilities that could include unpatched software, weak authentication protocols, and misconfigured cloud infrastructure.

»Context

Prioritizing threats and allocating resources depends on how important assets are to the operation and goals of your organization. This requires input from key stakeholders to determine context. In what environment is your organization operating? What industry or regulatory frameworks are you required to comply with? Is there live production code on a server, or sensitive data? Or is the server just a sandbox for testing?

»Likelihood and Impact

Perspective matters when analyzing risks. To put threats into perspective, you need to understand:

  • The probability of a threat — what is the likelihood this threat will actually manifest
  • The potential impact or consequences to your organization if the threat occurs

Likelihood is determined by creating a series of likelihood statements for each threat. Impact can be measured in many ways, including financial loss from disrupted operations, fines or recovery costs, and damage to brand reputation.

»Prioritization

This is unique for every organization based on the type of operation and goals. Many use a simple High, Medium, Low scoring process. Others may use a quantitative process based on assigning numerical values to threats depending on the potential financial impact to the organization.

Teams can use the chart below as a starting point for mapping their risks.

Risk measuring chart

»Responding to risk

Following the basic process outlined above, you can perform an initial assessment of risk and determine a course of action. There are four ways to respond to risk:

  1. Do nothing and accept the risk
  2. Treat the risk using countermeasures — technology, policies, and/or procedures
  3. Transfer the risk to a third party
  4. Terminate the system or activity to avoid the risk

Every response other than option 1 is designed to mitigate or eliminate the risk. To find out whether the mitigation was successful, you measure residual risk.

Residual risk is the risk level that remains after an action has been taken. For example, if you mitigate the threat of a bad actor gaining access to your sensitive data by using firewalls, fine-grained access controls, and data encryption, you can lower the likelihood and/or impact of an event. What you have left is your residual risk.

Another example could be the threat of cloud misconfigurations. If you mitigate the threat of vulnerability-spawning misconfigurations by automating infrastructure provisioning and applying policy as code, you again reduce the likelihood of the threat and improve your security posture.
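As an added illustration (not from the original post), the following Python models the prioritization and residual-risk steps described above: each threat is scored as likelihood × impact (expected annual loss), controls shrink one or both factors, and one of the four responses is chosen against a risk appetite. Every threat, probability, loss figure, control effect and the 50k appetite is a constructed sample value, not data from the article.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # multiplies likelihood; 1.0 = no effect
    impact_factor: float = 1.0      # multiplies impact; 1.0 = no effect

@dataclass
class Threat:
    name: str
    likelihood: float  # annualised probability the threat manifests (0..1)
    impact: float      # loss if it does: downtime, fines, recovery, reputation
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> float:  # expected annual loss before controls
        return self.likelihood * self.impact

    def residual_risk(self) -> float:  # expected annual loss after controls
        like, imp = self.likelihood, self.impact
        for c in self.controls:
            like *= c.likelihood_factor
            imp *= c.impact_factor
        return like * imp

def rating(expected_loss: float, appetite: float) -> str:
    """Map a monetary score onto the simple High/Medium/Low scale."""
    if expected_loss > appetite:
        return "High"
    return "Medium" if expected_loss > appetite / 2 else "Low"

def recommend(t: Threat, appetite: float) -> str:
    """Treat only if controls reach appetite and cost less than the loss they remove."""
    inherent, residual = t.inherent_risk(), t.residual_risk()
    cost = sum(c.annual_cost for c in t.controls)
    if inherent <= appetite:
        return "accept"                 # option 1: already within appetite
    if residual <= appetite and inherent - residual > cost:
        return "treat"                  # option 2: countermeasures pay off
    return "transfer or terminate"      # options 3/4: controls are not enough

# Constructed sample register; appetite = 50k expected annual loss per threat.
APPETITE = 50_000.0
REGISTER = [
    Threat("credential theft on customer database", 0.4, 500_000,
           [Control("MFA", 20_000, likelihood_factor=0.25),
            Control("encrypt data at rest", 30_000, impact_factor=0.5)]),
    Threat("ransomware on test sandbox", 0.2, 10_000),
    Threat("exploit of unpatchable legacy app", 0.5, 2_000_000,
           [Control("network isolation", 900_000, likelihood_factor=0.9)]),
]
```

Calling `recommend(t, APPETITE)` for each entry in `REGISTER` yields treat, accept, and transfer-or-terminate respectively: the first threat's controls cut 200k of expected loss to 25k for 50k a year, the sandbox is already within appetite, and the legacy app's control costs more than the loss it removes while still leaving residual risk above appetite.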

»Lowering risk by strengthening cloud security and governance

For almost every large enterprise, the cloud is a business necessity. With 75% of top-performing companies adopting cloud at scale, and 81% of enterprises using multiple cloud providers, strengthening cloud security is essential for protecting information assets. But as cloud usage scales, security becomes more complex:

  • Cloud-native tools don’t provide visibility across different providers or on-premises environments.
  • Security teams must learn different security tools with complex settings and manage separate systems for logging alerts, access controls, encryption, and compliance.
  • Manual provisioning lacks standardization and control, complicating infrastructure management.
  • Secrets are often spread across many different servers, resulting in secret sprawl.
  • Policy regulations are challenging to enforce consistently across environments, especially as mandates change.

To strengthen cloud security and governance, many organizations are moving to a unified approach for infrastructure and security lifecycle management. This removes much of the complexity associated with securing multi-/hybrid cloud environments and reduces risk by empowering organizations to apply effective countermeasures for many common threats, such as cloud misconfigurations, inconsistent policy enforcement, credential theft, and unauthorized data access.

A platform-based system, such as The Infrastructure Cloud from HashiCorp, enables enterprises to:

  • Standardize provisioning using infrastructure as code (IaC)
  • Centralize visibility and control
  • Automate secrets management
  • Deploy identity-based access control and encryption
  • Adopt a proactive risk mitigation posture
  • Create guardrails that prevent misconfigurations and other infrastructure vulnerabilities
  • Enhance compliance posture through strong governance and simple auditing

Cloud security is about balancing costs, risks, and rewards, mitigating vulnerabilities whenever possible and investing in key technologies to enhance your security posture in alignment with your organization’s risk appetite.

For more information on this platform-based approach, read our white paper: Do cloud right with The Infrastructure Cloud.
