Cybersecurity Risk Needs to be Simplified

Introduction

I believe complexity is the enemy of execution and unnecessary complication is often tied to ego and lack of clarity. In cybersecurity just about everything is overly complicated. I’m not sure why. I sometimes even wonder if I understand cybersecurity. With all the frameworks, best practices, maturity models, team/hacker colors, next-gen appliances, etc., it’s hard to keep up. The cybersecurity industry seems to want to learn new methods to slam dunk, without learning how to dribble first. I get it – slam dunking is sexy; dribbling is boring. The fact of the matter though is most people that master a skill get very good at a few key moves and ignore the rest.

In cybersecurity, there’s this notion that you need to master 100 things to be secure. This doesn’t work. The reality is mastering the Top 5 to 6 things is often enough, especially if you know your critical assets (data and systems) and the risk facing them.

Risk – Traditional Definition

Risk is a misunderstood and elusive topic in cybersecurity. Over my career I’ve met very few cybersecurity professionals that actually understand risk. Sure, they read about it in a book or learn about it preparing for the CISSP or Security+ certification exams, but they don’t really understand risk. They’ll tell you the formula:

Risk = Threat X Vulnerability

This is what the academics say. What does this really mean though?

What is a threat? What is a vulnerability?

What about impact or probability? These aren’t even listed in the equation above, yet they are the most important parts.

A threat is something that could cause damage.

A vulnerability is an exposure to a threat.


So, using the formula that most cybersecurity professionals have been taught for risk, it’s understandable why it’s not understood.

If a threat is water from rain and the vulnerability is an open car window, what’s the risk?

Risk = Water X Open Car Window ?

This is where most cybersecurity professionals start mumbling about frameworks, qualitative, quantitative, and other lingo with the intent to complicate something that should be simple. And, there’s not much you can do with that formula – very little value.

The problem is how do you prioritize which open car windows to close first? If you are a nationwide organization with 1000 cars and 800 of them have an open window, what do you do? You only have so many resources.

Let’s dig a little deeper on this.

The 800 cars with open windows fall into different categories:

  • 50 brand new cars parked in garages
  • 50 brand new cars parked outside
  • 200 old cars parked in garages
  • 100 old cars parked outside

So, using the risk formula, what do you do? Risk = Threat X Vulnerability

Exactly. The formula is kind of useless. You can’t close all the car windows at once – you have limited resources.

Risk – Practical Explanation

A more useful risk formula is Risk = Probability X Impact

Risk = Probability of Threat Being Realized X Impact if Threat is Realized

Probability can also be referenced as likelihood.

Impact can also be referenced as a consequence.

To me, this makes more sense than Threat X Vulnerability, which is what CISSP and other cybersecurity certs teach us.

Let’s take the open car window scenario:

  • 50 brand new cars parked in garages
  • 50 brand new cars parked outside
  • 200 old cars parked in garages
  • 100 old cars parked outside

Likelihood of rain (water)

  1. Seattle = Near Certain
  2. Arizona = Likely
  3. In Garage (location doesn’t matter) = Rare

Impact if water gets in

  1. New car = Significant
  2. Old car = Minor

Simple Risk Matrix (figure)

Which windows do we close first? Let’s use the matrix as a guide.

  • Seattle, New Car

    • Near Certain X Significant = Critical Risk

  • Seattle, Old Car

    • Near Certain X Minor = High Risk

  • Arizona, New Car

    • Likely X Significant = Medium Risk

  • Arizona, Old Car

    • Likely X Minor = Low Risk

  • Garage, New Car

    • Rare X Significant = Medium Risk

  • Garage, Old Car

    • Rare X Minor = Informational Risk

So, we would prioritize the windows to close in order of risk:

  1. Critical Risk = Seattle, New Car
  2. High Risk = Seattle, Old Car
  3. Medium Risk = Arizona, New Car
  4. Medium Risk = Garage, New Car
  5. Low Risk = Arizona, Old Car
  6. Informational Risk = Garage, Old Car


Think of risk in terms of probability and impact, not threat times vulnerability.
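The ranking above is a small algorithm: rate each asset group by likelihood and impact, then sort. The following Python module is an added example (not code from the post or from Alpine Security) that encodes the post’s own scales and matrix cells and then goes one step further, spending a limited budget of window closures on the riskiest groups first. The split of the 50 new and 100 old outdoor cars between Seattle and Arizona is constructed here, since the post gives only the totals, and all function and variable names are assumptions.

```python
"""Risk = Probability x Impact as a ranking (added example).

The likelihood and impact scales and the matrix cells are the post's
own (e.g. Likely x Significant = Medium, Rare x Significant = Medium).
The Seattle/Arizona split of the outdoor cars is constructed.
"""
from dataclasses import dataclass

LIKELIHOOD_ORDER = ["Rare", "Likely", "Near Certain"]  # low -> high
IMPACT_ORDER = ["Minor", "Significant"]                # low -> high
RISK_ORDER = ["Informational", "Low", "Medium", "High", "Critical"]

# The post's matrix: (likelihood, impact) -> risk rating.
RISK_MATRIX = {
    ("Near Certain", "Significant"): "Critical",
    ("Near Certain", "Minor"): "High",
    ("Likely", "Significant"): "Medium",
    ("Likely", "Minor"): "Low",
    ("Rare", "Significant"): "Medium",
    ("Rare", "Minor"): "Informational",
}


@dataclass(frozen=True)
class AssetGroup:
    name: str
    count: int        # how many open windows are in this group
    likelihood: str   # a value from LIKELIHOOD_ORDER
    impact: str       # a value from IMPACT_ORDER


def rate(likelihood: str, impact: str) -> str:
    """Look up the risk rating; reject values outside the defined scales."""
    if likelihood not in LIKELIHOOD_ORDER:
        raise ValueError(f"unknown likelihood: {likelihood!r}")
    if impact not in IMPACT_ORDER:
        raise ValueError(f"unknown impact: {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


def prioritize(groups):
    """Order asset groups highest risk first.

    Ties on the rating are broken by likelihood, then impact, which puts
    'Likely x Significant' ahead of 'Rare x Significant' as the post does.
    """
    def sort_key(group):
        return (
            -RISK_ORDER.index(rate(group.likelihood, group.impact)),
            -LIKELIHOOD_ORDER.index(group.likelihood),
            -IMPACT_ORDER.index(group.impact),
        )
    return [(g, rate(g.likelihood, g.impact)) for g in sorted(groups, key=sort_key)]


def plan(groups, capacity: int):
    """Spend a limited budget of window closures on the riskiest groups first.

    Returns (group name, rating, windows closed) tuples until the budget runs out.
    """
    remaining = capacity
    allocation = []
    for group, rating in prioritize(groups):
        if remaining <= 0:
            break
        closed = min(group.count, remaining)
        allocation.append((group.name, rating, closed))
        remaining -= closed
    return allocation


# Constructed fleet: the post's garage counts, with its outdoor cars split
# between the two cities for illustration.
CAR_FLEET = [
    AssetGroup("Seattle, New Car", 30, "Near Certain", "Significant"),
    AssetGroup("Seattle, Old Car", 60, "Near Certain", "Minor"),
    AssetGroup("Arizona, New Car", 20, "Likely", "Significant"),
    AssetGroup("Arizona, Old Car", 40, "Likely", "Minor"),
    AssetGroup("Garage, New Car", 50, "Rare", "Significant"),
    AssetGroup("Garage, Old Car", 200, "Rare", "Minor"),
]

if __name__ == "__main__":
    for group, rating in prioritize(CAR_FLEET):
        print(f"{rating:<14} {group.name} ({group.count} windows)")
    print("With budget for 100 closures:", plan(CAR_FLEET, 100))
```

Running it reproduces the post’s six-step order, and `plan(CAR_FLEET, 100)` shows the practical payoff: with resources for only 100 closures you finish both Seattle groups and start on the Arizona new cars, and nothing in the garages is touched yet.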

Risk Comprehension Is a Basic Cybersecurity Skill, Yet Most Practitioners Lack It

A foundation of cybersecurity is answering the question: where is the risk? Based on risk comprehension, professionals map out a cybersecurity framework and strategy. While risk assessment is essential to executing proactive and reactive cybersecurity plans, the gap is that a deep understanding of risk is not as widespread as you’d imagine.

The reality is that risk comprehension is a basic cybersecurity skill, yet most practitioners lack it. In this post, we’ll be breaking down:

  • What is risk comprehension?
  • Why is there a gap in professional proficiency in the area?
  • How to ensure professionals gain this expertise and know how to execute it in cybersecurity operations.

What Is Risk Comprehension?

Simply put, it’s having a full technical understanding of risk fundamentals within the cybersecurity ecosystem. Beyond just the confines of cybersecurity, life is about risk, in general. So, the inability to grasp it in cybersecurity directly relates to the bigger picture of people not comprehending risk.

Quantifying Risk

In most certification or academic settings, risk is a formula:

Risk = Threat x Vulnerability

In unpacking this formula, you can see it’s easy for it to be confusing. How are threats and vulnerabilities quantifiable?

In my book, The Smartest Person in the Room, I describe a more palatable formula:

Risk = Probability x Impact

In other words, how likely is something to happen, and what’s the consequence if it does?

The answer to this formula will identify three kinds of risk:

  • Low risk has a low probability and impact.
  • Medium risk could have high probability and low impact or low probability and high impact.
  • High risk is highly probable and impactful.

Cybersecurity Risk Is Just Another Operational Risk

The risk of cybersecurity incidents falls into the broader category of operational risk. The types of risk include those that could involve:

  • Financials
  • Reputation
  • Operations
  • Productivity
  • Accessibility
  • Regulatory
  • Damage to equipment or hardware

With many opportunities for impact in this area of risk, hackers can seize on vulnerabilities. Further, cybercriminals will take advantage of risk indecision. Thus, it’s imperative to have risk-literate cybersecurity professionals.

Why Cybersecurity Professionals Need to Grasp Risk

The concept of a cybersecurity professional is one that mitigates risk and secures data. It’s the two-second job description. Knowing this, you’d think these people would be risk experts. Yet based on my experience running a cybersecurity firm and teaching cybersecurity to college students, I can tell you there’s a gap.

This lack of understanding risk is complicating the industry. It should be a simple connection that will enable cybersecurity professionals to do the best job. Instead, we’re seeing an influx of paper tigers in the industry. These are the folks with cybersecurity certifications on their resume. They look ideal on paper, but when hired, are immediately like a fish out of water. They don’t have the necessary skills to fall back on, so they begin a routine of destructive behaviors affecting your company and their ability to succeed.

You’ll find those who don’t have this risk knowledge to begin posturing to cover this deficit. Posturing is a defensive response that involves overcomplicating processes and a pursuit by the professional to always be right and the smartest person in the room.

While professionals are busy doing this, hackers are seeking out ways to find vulnerabilities and exploit them.

Shifting to a Risk-Based Approach to Cybersecurity

In talking about cyber risk, there has been a migration from maturity-based to risk-based. To successfully change to this approach, cybersecurity teams need to improve risk comprehension.

The model depends on identifying and focusing on the most probable and highest-impact risks. Doing this requires a full understanding of the threat landscape and the ability to prioritize those risks.

What Is Maturity-Based?

The traditional maturity-based approach focused on reaching a defined level of maturity for each capability in the security program. The goal was to reach maturity in assessing, monitoring, and reacting to potential risks. Additionally, the model used access controls like two-factor authentication. Maturity-based isn’t completely obsolete. It can be a good jumping-off point for building a cybersecurity program.

However, most organizations are past this step. The maturity-based method has unfortunately led to unmanageable scaling. Will you monitor everything? Can you? Spending becomes out of control for this approach, as well.

The most limiting part of such a model is it can paralyze implementation efforts. However, many professionals in the field will promote and follow maturity-based methods over risk-based. Why? You don’t have to understand risk to pull it off.

What Is Risk-Based?

The key elements of being risk-based include:

  • Full comprehension of cyber risk
  • Prioritization of risks based on probability and impact
  • Measuring security controls to understand your performance against risk
  • Inclusion of all stakeholders in the cybersecurity space

The objective of risk-based is to make risk reduction an outcome. Organizations must focus on the right controls, processes, skillsets, and investment to reach these outcomes. Before you can achieve a risk-based approach, you have to excel at all the elements. Number one is risk comprehension.

Improving Risk Comprehension for Cybersecurity Professionals

The first question that comes up is why don’t professionals have this skillset? Didn’t they learn about it during training? Surely it was a question on the certification exam?

Next, we’ll look at why risk comprehension is lacking and how to improve it.

Better Training

Educational courses obviously talk about risk, but many just teach the student to score well enough on a multiple-choice test. Thus, they simply have to memorize answers, and they pass.

Hands-on, real-world training is much more than choosing the right letter. It prepares individuals more holistically to succeed in the field. If you want your team of cybersecurity professionals to operate in a risk-based scheme, then you need to ensure they know what it is! Look for candidates with training from organizations recognized for being more than a certification mill.

If your current team lacks this knowledge, then find ways to upskill them so they can grasp the concept. If they posture and affirm they don’t need it, they might not be the best fit. They must admit they don’t know everything and change their mindset. Not all are capable of this.

Embracing a Growth Mindset

Fixed mindsets aren’t going to get your organization to a better risk posture. Those with fixed mindsets aren’t open to change or evolution, whereas a growth mindset is. Associated with this mindset are soft skills. They are much harder to learn and adopt as habits than hard skills. Professionals must have the desire to adapt, which will include working on communication and collaboration efforts.

Keep in mind that communication is more than what you say. What matters most is the tone you use and your body language. While some may be eloquent or articulate, that doesn’t mean they have great communication skills. The most important communication adjustments are asking the right questions about risk and really listening to the answers from all stakeholders. You have to think about it from a technical and business side.

Tempering Change with Acknowledgement

If you’re a technology leader and want people to improve their skillsets, it’s good to acknowledge what they are doing well. When you do this, people will be more open to the next part of the conversation.

As your team evolves to become risk-based and practices soft skills, keep acknowledging them to keep them motivated.

Rewiring for Monotasking

We think that multi-tasking illustrates great productivity and time management. In cybersecurity, multi-tasking can cause errors and distractions. Monotasking helps keep the focus on quality. It may take longer to get certain things completed, but it also means that you’re less likely to have to redo something or be open to more significant threats because of mistakes.

Cultivating Connection with Empathy

Empathy is probably the greatest attribute anyone could have in any situation. Cybersecurity professionals who possess compassion are better leaders and better at risk comprehension. They can communicate and collaborate better. They also think outside small boxes of “what is risk?”

Helping individuals become more empathetic has lots of consequences beyond being better at risk.

Building Better Cybersecurity Teams

Many of the things discussed are part of my Secure Methodology, which is part of my book, The Smartest Person in the Room. I’ve devised a seven-step process to improve cybersecurity professional skills and thus boost risk-based methodologies. It’s a unique approach that builds on fundamentals.

Learn all about it by ordering the book today!

Your Cybersecurity Framework Is Overcomplicated – Here’s Why

Rarely in life is complicated better than simple. However, in advanced disciplines, there’s the misconception that complexity signals thoroughness or expertise. That’s where the world of cybersecurity lives. In most organizations, they thrive on complication. They believe it demonstrates sophistication.

Let’s be frank and honest — your cybersecurity framework is overcomplicated. Many use long “checklists” to prove they are experts when, in reality, few of those things matter.

Instead, organizations should focus on the top five CIS (Center for Internet Security) Controls®. In my book, The Smartest Person in the Room, I discuss why you need to toss out the lists and master these five controls. Most importantly, they stop 85 percent of all cyber-attacks. Knowing this, doesn’t it make sense they should be the priority? Until you have these five controls in place, nothing much else matters.

Why Overcomplication of the Cybersecurity Framework Is Rampant

If you put credence into the CIS and its expertise, why would so many cybersecurity professionals go off-script? Well, it has a lot to do with the challenges covered in my book about the degradation of the industry. The truth is that cybersecurity professionals are the reason cybersecurity methods are failing. Their actions lead to unnecessary complexity and ignorance of the basic principles.

The people problem and why they cling to their massive lists comes down to a few key areas. It starts with the paper tigers, who are professionals with lots of certifications or degrees that look good on paper. However, these paper tigers don’t have the skillset to perform effectively to protect your data and networks.

These paper tigers, or others who have experience but don’t continue to learn and stay open, often bring these traits to your team.

  • Insecurity: They never want to be wrong. They live to be right. It’s important for them to look like the superior one on the topic, so they manipulate the cybersecurity framework to prove their worth, often at the detriment of the business.
  • Fear: These individuals are afraid to look like they don’t have all the answers. They never ask questions or invite discussion. They live in constant fear that others will discover their ineptitude.
  • Defensiveness: Fearful people are also defensive. Their listening skills devolve into what they can agree or disagree with, meaning they don’t hear much at all. They care too much about being the smartest one; they’ll react negatively to anyone questioning that.
  • Posturing: People who are insecure, afraid, and defensive use posturing like it’s their job. Their posture is to develop a complex cybersecurity framework, and then they hide behind it.
  • Poor communication: Technical folks live with the stereotype they are bad communicators. This isn’t always true, but in the scope of this discussion, paper tigers with the above traits do not excel at communication. They love jargon and buzzwords that make them sound smart.

How Did the Industry Get Here?

As noted earlier, over-certification has been a big driver. Paper tigers also continue to water down a cybersecurity team by hiring those that don’t intimidate them. Entire teams or firms could be paper tigers, and they’ll hold dear to their long, complex lists. It’s their safeguard. And it’s junk.

What they should care about are the basics:

  • What does the company do?
  • What do they need to protect?
  • What’s important to the business?

The responses to these questions are the foundation for building a cybersecurity approach. Without this information, you can’t understand the risk or create a personalized strategy. Instead of keeping it simple, paper tigers just refer to their checklist.

Ditch the Checklist, Focus on the Five

If any organizational leader is reading this, I urge you to ditch your checklist immediately. It’s not providing value. It’s a front. Instead, it’s time to get back to the basics and truly execute consistently on the five CIS controls.

Control One: Inventory of Authorized and Unauthorized Devices

This control represents hardware inventory. You need to manage all hardware devices on your network actively. Management includes:

  • Inventorying
  • Tracking
  • Correcting

These activities are necessary to ensure that any unauthorized devices do not gain access to the network. This is an essential control because hackers are always scanning and waiting for an unprotected system to enter your network. They are eager to find devices that connect and disconnect from the network, most commonly BYOD (bring your own device).

If BYOD is prevalent on your network, your IT team may not have administrative control over that hardware. It could be lacking essential updates or patches, which a threat actor will exploit. BYOD is a challenge for large enterprises, but you need to get this under control.

The best approach is to use an active discovery tool to identify and update authorized devices. You also need an accurate inventory of assets, including those not connected to the network.

Control Two: Inventory of Authorized and Unauthorized Software

On the other side of IT is software, and you need to manage it just as you do hardware. Your network needs to prevent any unauthorized software from being downloaded. Hackers love to get in through software failures. There are plenty of cybersecurity incidents that started with software exploitation. If unauthorized software makes it into your network, hackers can install backdoor programs easily. If you don’t know what software is on your network, how can you protect it?

Management of software requires software inventory tools for automation. Another best practice is application whitelisting: only approved software is allowed to run. This control point is also vital in planning for incident response, backup, and recovery.
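Controls One and Two come down to the same comparison: what is actually on the network versus what the organization has authorized. The Python below is an added example, not code from the post or from CIS, that performs that reconciliation for both. It flags devices seen on the network that are not in the asset register, authorized devices that were not seen at all or not seen recently, and hosts running software outside an allow-list. The asset register, the discovery export (a simple CSV standing in for whatever your discovery tool emits), the allow-list and all names are constructed assumptions.

```python
"""Reconciling discovered devices and installed software against an
authorized inventory (added example for CIS Controls One and Two).

All inventories, discovery output and names below are constructed.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed asset register: MAC address -> hostname and owning team.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": {"hostname": "ws-finance-01", "owner": "finance"},
    "aa:bb:cc:00:00:02": {"hostname": "srv-db-01", "owner": "platform"},
    "aa:bb:cc:00:00:03": {"hostname": "lab-printer", "owner": "facilities"},
}

# Constructed active-discovery export: one row per device seen on the network.
DISCOVERY_CSV = """\
ip,mac,hostname,last_seen
10.0.1.10,aa:bb:cc:00:00:01,ws-finance-01,2024-03-01T08:15:00
10.0.1.11,aa:bb:cc:00:00:02,srv-db-01,2024-01-15T08:15:00
10.0.1.50,de:ad:be:ef:00:01,android-3f9c,2024-03-01T08:16:00
"""

# Constructed software allow-list and per-host installed package snapshots.
SOFTWARE_ALLOWLIST = {"firefox", "libreoffice", "openssh-client", "postgresql"}
INSTALLED_SOFTWARE = {
    "ws-finance-01": {"firefox", "libreoffice", "remote-desktop-helper"},
    "srv-db-01": {"postgresql", "openssh-client"},
}

# Constructed "now" for the report so the example is reproducible offline.
REPORT_TIME = datetime(2024, 3, 1, 9, 0, 0)


def parse_discovery(csv_text: str):
    """Parse the discovery export, turning last_seen into a datetime."""
    rows = []
    for row in csv.DictReader(StringIO(csv_text)):
        row["last_seen"] = datetime.fromisoformat(row["last_seen"])
        rows.append(row)
    return rows


def reconcile_devices(authorized, discovered, now, stale_after=timedelta(days=30)):
    """Split the device picture into three lists that each need an action.

    unauthorized: on the network but not in the register (investigate/block)
    missing:      in the register but not seen at all (lost? decommissioned?)
    stale:        in the register but not seen for longer than stale_after
    """
    seen = {d["mac"]: d for d in discovered}
    unauthorized = sorted(d["mac"] for d in discovered if d["mac"] not in authorized)
    missing = sorted(mac for mac in authorized if mac not in seen)
    stale = sorted(
        mac for mac, d in seen.items()
        if mac in authorized and now - d["last_seen"] > stale_after
    )
    return {"unauthorized": unauthorized, "missing": missing, "stale": stale}


def reconcile_software(allowlist, installed):
    """Return {host: [unapproved packages]} for hosts running anything off-list."""
    findings = {}
    for host, packages in installed.items():
        unapproved = sorted(packages - allowlist)
        if unapproved:
            findings[host] = unapproved
    return findings


if __name__ == "__main__":
    devices = parse_discovery(DISCOVERY_CSV)
    print(reconcile_devices(AUTHORIZED_DEVICES, devices, REPORT_TIME))
    print(reconcile_software(SOFTWARE_ALLOWLIST, INSTALLED_SOFTWARE))
```

The three device buckets map to three different follow-ups: an unauthorized MAC is the BYOD case the post describes, a missing device is a register entry to verify or retire, and a stale device is one that may have dropped off the network without anyone updating the inventory. The same run over the software snapshot surfaces the one package that would need either an allow-list entry or removal.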

Control Three: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

For all hardware and software, you need to manage the security configurations constantly. It involves a robust change control process. The default settings for most hardware and software are for ease of use, not protecting a network.

You can’t leave them at default! It’s crucial to develop a configuration strategy that reduces risk and allows people to do their job. It’s a balancing act. And that strategy can’t stay stagnant either. It requires frequent evaluation and adjusting. A configuration baseline expressed in the Security Content Automation Protocol (SCAP) is a good guide for monitoring and verifying.

Control Four: Continuous Vulnerability Assessment and Remediation

Cybersecurity is ever-changing, and hackers get smarter all the time. That’s why you must continuously assess vulnerabilities and remediate them quickly. New information is always streaming in, from software patches to security advisories. Your team needs to stay on top of this to identify vulnerabilities proactively.

Without constant scanning and assessments, your organization is in danger every day of an incident. To execute this well, use a SCAP-compliant scanner. You should also deploy automated software updates as soon as they are available.

Control Five: Controlled Use of Administrative Privileges

Who has access to your systems? Access is another component that attackers target to cause havoc. You’ll need a tool that allows you to track, control, and assign administrative privileges.

Uncontrolled administrative privileges are a hacker’s dream. They can get in with phishing tactics that get a user to click or download something that’s not safe. If that user has administrative privileges, the hacker can take over fast. They can also get in by cracking easy passwords for admin accounts. Things like this occur when lots of people have admin access with identical passwords.

The best way to protect against this is ensuring admin users have a dedicated account for these activities. It should not be used for anything other than admin functions. Additionally, log and alert on every admin account that is opened or closed, and on every change to admin group membership.
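The logging and alerting the post calls for can be expressed as a small detector. The Python below is an added example (not code from the post, from CIS or from Microsoft) that runs over constructed security-log lines and raises an alert whenever an account is created or deleted or an account is added to or removed from a privileged group; it can also replay the log to list who currently holds admin membership, which is the review that "track, control, and assign" implies. The event IDs are the standard Windows Security event IDs for account creation (4720), account deletion (4726) and group membership changes (4728 and 4732 for additions, 4729 and 4733 for removals); the simplified key=value line format, the group list, the user names and the function names are assumptions of this example.

```python
"""Alerting on admin account openings, closures and privilege changes
from security log lines (added example for CIS Control Five).

Log lines are constructed in a simplified key=value form; the EventID
values are the standard Windows Security event IDs.
"""
import re
from dataclasses import dataclass

# Windows Security event IDs and how this detector classifies them.
ACCOUNT_CREATED = {"4720"}
ACCOUNT_DELETED = {"4726"}
GROUP_MEMBER_ADDED = {"4728", "4732"}
GROUP_MEMBER_REMOVED = {"4729", "4733"}

# Groups whose membership counts as administrative privilege (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample log lines: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z EventID=4624 Subject=jdoe Target=jdoe
2024-03-01T09:05:12Z EventID=4720 Subject=admin-kpatel Target=svc-backup
2024-03-01T09:05:40Z EventID=4728 Subject=admin-kpatel Target=svc-backup Group="Domain Admins"
2024-03-01T09:06:02Z EventID=4732 Subject=admin-kpatel Target=svc-backup Group="Remote Desktop Users"
2024-03-01T11:30:00Z EventID=4733 Subject=admin-lwong Target=temp-contractor Group="Administrators"
2024-03-01T11:31:00Z EventID=4726 Subject=admin-lwong Target=temp-contractor
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    timestamp: str
    kind: str      # account_opened, account_closed, admin_granted, admin_revoked
    actor: str     # the account that made the change (Subject)
    target: str    # the account that was changed (Target)
    group: str = ""


def parse_line(line: str):
    """Parse one log line into a dict of fields, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["ts"] = m.group("ts")
    return fields


def detect(log_text: str):
    """Turn raw log lines into alerts for account and admin-group changes."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "EventID" not in ev:
            continue  # unparseable or not a security event: skip, don't crash
        eid = ev["EventID"]
        actor = ev.get("Subject", "?")
        target = ev.get("Target", "?")
        group = ev.get("Group", "")
        if eid in ACCOUNT_CREATED:
            alerts.append(Alert(ev["ts"], "account_opened", actor, target))
        elif eid in ACCOUNT_DELETED:
            alerts.append(Alert(ev["ts"], "account_closed", actor, target))
        elif eid in GROUP_MEMBER_ADDED and group in PRIVILEGED_GROUPS:
            alerts.append(Alert(ev["ts"], "admin_granted", actor, target, group))
        elif eid in GROUP_MEMBER_REMOVED and group in PRIVILEGED_GROUPS:
            alerts.append(Alert(ev["ts"], "admin_revoked", actor, target, group))
    return alerts


def current_admins(log_text: str, initial=frozenset()):
    """Replay the log from a known starting set to see who holds admin now."""
    admins = set(initial)
    for alert in detect(log_text):
        if alert.kind == "admin_granted":
            admins.add(alert.target)
        elif alert.kind in ("admin_revoked", "account_closed"):
            admins.discard(alert.target)
    return admins


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("admins now:", current_admins(SAMPLE_LOG, initial={"temp-contractor"}))
```

Note that the addition to "Remote Desktop Users" produces no alert because that group is not in the privileged list; the point of the list is to keep the alert channel focused on the privilege changes that matter, so it does not drown in routine group changes. Each alert also carries the actor, which is what lets a reviewer confirm that admin changes were made from dedicated admin accounts rather than everyday user accounts.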

These controls are not easy to implement and manage. They are continuous activities that a team has to control. Until an organization has these in good order, everything else is meaningless. It doesn’t matter how many items are on the “list” or how professional they sound. They are just words, and when you go by such a list, there is rarely a full and competent execution. Getting back to the basics is what really matters.

Simplify Your Cybersecurity Framework

The first step to simplify your cybersecurity framework is making sure your employees grasp the five CIS Controls. Do they have this foundational knowledge? Or are they posturing paper tigers? To master these controls, you need to get your people “in shape.” I go over this in detail and more in my book, The Smartest Person in the Room. Order it today to get your cybersecurity framework back on track.