Balancing risk

Article | September 13, 2023

Living with risk

For some, security can seem like a chokehold—but too little of it is also a problem. Here’s how to find balance in cybersecurity risk management.

By Jennifer Alsever, Workflow contributor

Risk is everywhere. That’s especially true when sending a rocket into space. 

In the 1990s, some engineers at NASA were eager to try out a new system that would allow them to track and control a spacecraft’s location in real time. The system relied on a signal between the ground and the rocket—one that was left unsecured to keep it lightweight and ensure faster communication. Ross Leo, who was chief security architect for the NASA Johnson Space Center’s Mission Control Center at the time, pointed out that the unprotected signal could be vulnerable to interference by bad actors who could send false data about the rocket back to Earth. But the engineers resisted.

“Back in those days, computers were slow enough and a lot weaker than they are today, and encryption ate up an awful lot of computing cycles, so signal delay and possible corruption of the signal was going to be a problem,” recalls Leo, who is now chief security officer for ObservSmart InvisAlert Solutions, which makes healthcare security software.

While Leo was clear on the need for security, ultimately, he and his team recognized the significance of the new system for space exploration, concluding that “intermittent” coverage would be enough if they found the right tools. The teams landed on encryption that used a new set of hardware and faster signal processors, which also had the added benefit of upgrading some of the systems the team used.

“It taught me that creativity can be one of our best aids as long as we're willing to bring it to the table,” says Leo.

Making risk pay

Risk is everywhere in business, and a study by ThoughtLab shows that companies are putting more attention on it. In a survey this year of 1,000 C-level executives in 13 countries, 18% reported that they are risk-ready, 60% are moderately prepared, and 22% are least prepared. The larger the company, the more prepared: Businesses with revenue of $1 billion-plus were in better shape than “smaller” companies, and financial services were the most prepared of all. Where are they putting their attention? The respondents in this survey had their eye on risks from cyberattacks (53%), technological change (44%), customer expectations (42%), and macroeconomic shocks (40%). Ready or not, risk isn’t ever an organization’s singular concern.

There will always be competing interests in any organization, and the tension between cybersecurity and other departments can be especially acute, even if the stakes aren’t as high as NASA's space missions. Yet cybersecurity needn’t always lose out to exhortations to “move fast and break things,” and innovation and growth opportunities needn’t be hindered by vigilance around keeping a company’s operations safe from bad actors. It’s a case of “both things are true”—so how do you find that sweet spot of cybersecurity risk management that everyone can live with?

To find that balance between business goals and risks—which goes beyond cyber to include volatile geographic locations, remote workers, unknown variables with vendors, and other factors—companies are finding the level of risk that everyone can live with via active coordination and identifying where the red lines exist.

Security teams are often seen as the first to say no. And when the product team at James McQuiggan’s company wanted to send confidential information to a vendor via a free file-sharing service, the swift response was, indeed, no. Sending it over the company’s encrypted email servers wasn’t an option either because the files were too large, so the product team manager made the case to the IT team that the vendor needed the information to meet their deliverable requirements, recalls McQuiggan, who is now a security advocate at cybersecurity firm KnowBe4.

After better understanding the product team’s needs, the IT team conceded to using a third-party platform, but one with better security controls and encryption. “While the product department did have to wait a week for the project to finalize and gain access to the file-sharing platform, the cybersecurity team didn't need to say no to the file sharing request,” he says.

When risk is everywhere, it’s a bigger task to prioritize where to take more chances. Many companies learned this the hard way in the COVID-19 pandemic when their workforce was suddenly remote. They faced a risk quandary: Halt operations or keep the business going even as many employees were working in situations far less secure and more variable than when they were in the company’s offices. A 2023 survey by Fortinet found that 62% of organizations offering remote work ended up suffering data breaches that could have been prevented if people had been in the office. 

Technology and security services provider ConvergeOne treated security in a remote environment as a sort of stress test, says Chris Ripkey, the company's senior director of cybersecurity. Leadership wanted to know: What would happen if data were lost due to insecure networks? How much data could be lost before it caused disruption to the business, and what would that negative impact look like? A data analysis program evaluated all of the company’s critical assets, their level of vulnerability, and which assets would have the greatest impact on the business if attacked. Then it prioritized security efforts on remote-work machines, software, and connectivity, knowing the company would still be living with some level of risk.

Workers were also charged with following certain measures to keep things safe. “There is a lot of trust established with remote workers to be security conscious,” he says. 

This may be one of the pandemic’s lasting organizational lessons, that risk is an acceptable component of business. For Leo, that’s as it should be: “I always come back to this, which is that you should only use security in a way that is commensurate with the value of what you’re trying to protect,” he says. “Don’t go overboard, because that is what leads to loggerheads.”

Author

For more than two decades, Jennifer Alsever has contributed to a wide variety of national publications, including Fortune Magazine, the New York Times, the Wall Street Journal, Wired, and Fast Company.