
Yogi Schulz

Cybersecurity lapses continue to make headlines and undermine the fiscal health and reputation of the targeted organizations. Executives are under constant pressure to accommodate all the demands made on them, and providing even a little leadership on cybersecurity rarely makes it onto the to-do list. Meetings with IT specialists often frustrate executives for one or more of the following reasons:

  1. Overloaded with detail and analysis.
  2. Long-winded presentations.
  3. Exaggerated risks.
  4. Short on actionable recommendations.
  5. Complex, long-running implementation plans.
  6. Expensive spending recommendations.

Executives can replace these excruciatingly unproductive meetings with this simple formula for understanding and then reducing the risk of cybersecurity incidents:

Cybersecurity risk = Threats x Vulnerabilities

Executives can use this generic formula to assess many risks to business continuity. Here we apply it to focus the cybersecurity risk discussion with IT specialists. The multiplication is the point: a threat your organization faces contributes little risk if there is no vulnerability for it to exploit, and a vulnerability that no motivated attacker cares about contributes little either. Using the formula first leads to clarity about the nature of the cybersecurity risks the organization is facing. Clarity then leads to targeted actions that expeditiously and cost-effectively reduce cybersecurity risk.


First, list the cybersecurity threats to your organization and its surrounding environment. Examples of threat assessment questions include:

  1. Do you sell products that organized crime finds easy or lucrative to resell? This threat increases the risk of attackers hijacking your shipments or placing fraudulent orders under fake customer identities.
  2. Do you own intellectual property or store private information that attackers can resell easily? Typical examples include proprietary designs or processes and personal information such as credit card numbers and social insurance numbers. This threat increases the risk of attacks that cause data breaches.
  3. Do you have low employee morale or high turnover? This threat increases the risk of insider attacks that steal products or data or embarrass your organization publicly.
  4. Does your organization own a widely recognized brand that attracts script kiddies or unsophisticated attackers motivated by vandalism and social media reputation? This threat increases the risk of website defacement and damage to your data.
  5. Does the existence of your organization annoy some nation-states or terrorist organizations? This threat increases the risk of attacks that interfere with your business continuity.
  6. Are you experiencing high turnover in your IS department? This turnover threat creates a risk of losing the organizational knowledge needed to run and defend your systems.
  7. Are your operations at risk of being disrupted by attacks against others, such as your electrical utility, important suppliers or neighbouring organizations? These threats can cause collateral damage to your balance sheet even though you were not the target.

Consider involving your staff in gathering threat information through a short survey. Involving more people in the threat assessment usually makes it more comprehensive, because front-line staff see threats that IT specialists do not.


Second, list the cybersecurity vulnerabilities in your organization that attackers can exploit to gain access more easily. Examples of vulnerability assessment questions include:

  1. Do you have unpatched operating systems on workstations and servers? Unpatched systems remain one of the most common ways attackers gain an initial foothold.
  2. Do some employees have access to too many active accounts, or accounts with excessive system access privileges? Attackers greatly multiply their destructive impact when they hijack such over-privileged accounts.
  3. Have you experienced puzzling outages of your computer systems? Unexplained outages are often indicators of inadequate management of your computing infrastructure. Poor management creates vulnerabilities that increase the likelihood of successful attacks.
  4. Do you have gaps in the physical access controls at your facilities? Gaps make your organization more vulnerable to attackers seeking physical access to your computer or production systems.
  5. How long does it take, from the announcement of a patch for a critical or high-rated software vulnerability, until your organization applies it, and is that interval acceptable to you? The longer this window of opportunity stays open, the more exposed your organization is to a successful attack.
  6. Do you conduct vulnerability scans and penetration tests with reasonable frequency? If not, you are more vulnerable to successful attacks because you are not finding your weaknesses before attackers do.


Third, based on the threat and vulnerability assessment findings, create an action plan that addresses the combinations of higher-likelihood threats and higher-impact vulnerabilities first. Actions typically fall into one or more of the following four categories:

  1. Reduce the likelihood that a threat succeeds by adding security measures.
  2. Remove vulnerabilities by taking remedial steps such as updating operating systems or deleting unneeded accounts.
  3. Mitigate vulnerabilities that cannot be removed by making process improvements, such as monitoring logs more carefully.
  4. Share the financial impact of the remaining risk by buying cyber risk insurance. Insurance compensates for losses; it does not close the vulnerability.
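The three steps above can be run as a small risk register. What follows is an added example, not code from the column or from the author: it pairs each threat with the vulnerabilities that give it an exploit path, scores each pair using the Threats x Vulnerabilities formula (with the vulnerability factor split into how exploitable it is and how much damage it would do, an assumption of this example), sorts the pairs, and maps each onto the four action categories. It also answers vulnerability question 5 by measuring the patch window against a service-level target. The 1-to-5 scales, the thresholds, the SLA values, the extra "monitor" outcome for low scores and every sample entry are constructed assumptions, not figures from the page.

```python
"""Prioritised cyber-risk register built from Risk = Threats x Vulnerabilities.

Added example, not code from the original column. All scales, thresholds,
SLA values and sample entries below are assumptions constructed to illustrate
the three-step process.
"""
from dataclasses import dataclass
from datetime import date
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # assumed 1 (remote) .. 5 (expected)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int            # assumed 1 (hard to exploit) .. 5 (trivial)
    impact: int              # assumed 1 .. 5 business impact if exploited
    remediable: bool         # True if it can be removed outright (patch, delete account)
    enables: frozenset       # names of the threats this weakness makes easier


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    score: int
    actions: tuple


HIGH = 40   # assumed threshold: board-level item
LOW = 12    # assumed threshold: below this, monitor only


def score(t: Threat, v: Vulnerability) -> int:
    """The column's formula; the vulnerability factor is severity x impact (assumed split)."""
    return t.likelihood * v.severity * v.impact


def choose_actions(t: Threat, v: Vulnerability, s: int) -> tuple:
    """Map one scored pair onto the column's four action categories."""
    if s < LOW:
        return ("monitor",)
    actions = []
    if t.likelihood >= 4:
        actions.append("reduce")            # added measures aimed at the threat itself
    actions.append("remove" if v.remediable else "mitigate")
    if s >= HIGH and v.impact >= 4:
        actions.append("share")             # insurance covers the cost, not the weakness
    return tuple(actions)


def build_register(threats, vulns) -> list:
    """Score every threat/vulnerability pair that has an exploit path; highest risk first."""
    register = []
    for t, v in product(threats, vulns):
        if t.name not in v.enables:
            continue                        # no path to exploit: contributes no risk
        s = score(t, v)
        register.append(Risk(t.name, v.name, s, choose_actions(t, v, s)))
    return sorted(register, key=lambda r: r.score, reverse=True)


# Assumed remediation targets in days, keyed by the vendor's rating.
PATCH_SLA_DAYS = {"critical": 14, "high": 30}


def patch_window(rating: str, announced: str, remediated: Optional[str], today: str) -> dict:
    """Days a rated vulnerability has been open (ISO dates) and whether that breaches the SLA."""
    start = date.fromisoformat(announced)
    end = date.fromisoformat(remediated) if remediated else date.fromisoformat(today)
    days = (end - start).days
    return {"days_open": days,
            "breached": days > PATCH_SLA_DAYS[rating],
            "closed": remediated is not None}


# Constructed sample data, loosely following the column's assessment questions.
THREATS = [
    Threat("resale fraud by organized crime", 4),
    Threat("data theft for resale", 5),
    Threat("disgruntled insider", 3),
    Threat("defacement by script kiddies", 2),
]
VULNS = [
    Vulnerability("unpatched servers", 5, 5, True,
                  frozenset({"data theft for resale", "defacement by script kiddies"})),
    Vulnerability("over-privileged accounts", 4, 5, True,
                  frozenset({"data theft for resale", "disgruntled insider",
                             "resale fraud by organized crime"})),
    Vulnerability("weak order verification", 3, 3, False,
                  frozenset({"resale fraud by organized crime"})),
    Vulnerability("gaps in physical access control", 2, 3, False,
                  frozenset({"disgruntled insider"})),
]

if __name__ == "__main__":
    for r in build_register(THREATS, VULNS):
        print(f"{r.score:3d}  {r.threat:<34} via {r.vulnerability:<32} -> {', '.join(r.actions)}")
    print(patch_window("critical", "2023-03-01", None, "2023-03-20"))
```

With the sample data the top of the register is data theft via unpatched servers, which gets all three of reduce, remove and share, while the insider-through-physical-access pair scores low enough that the plan only calls for process mitigation. The patch-window call reports a critical patch that has been open 19 days and has breached the assumed 14-day target. Replace the sample entries with the answers to your own assessment questions; the ordering, not the absolute numbers, is what drives the action plan.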

This three-step process (assess threats, assess vulnerabilities, then act on the highest-risk combinations) can materially reduce the risk of cybersecurity incidents adversely impacting your organization’s future.

Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.


The opinions expressed by our columnists and contributors are theirs alone and do not inherently or expressly reflect the views of our publication.

© Troy Media