Taking a Risk to Talk About Risk When it comes to cybersecurity, one of the first things I’m often asked to do is perform a gap analysis. This helps businesses identify the areas in their security posture that need improvement.
It’s a crucial step, but surprisingly, I often encounter a glaring red flag at the very start of this process. When I ask for any existing cybersecurity documentation, I frequently receive a collection of
“policies”— often generic templates downloaded from the internet with tweaks to make them seem relevant to the organisation.
While they may look professional and comprehensive, they rarely provide much value. The problem? These documents often fail to reflect the organisation’s true risk landscape.
They are generic, one-size-fits-all policies that may look good on paper but offer little in terms of actionable insights or security improvements. But it doesn’t stop there. The second question I typically ask is, “Can I see your Risk Assessment and Management plan?”
Often, the answer is the same: “We don’t have one.” To put it bluntly, this is the Achilles’ heel of most cybersecurity efforts. Without a thorough understanding of your business’s
risks, how can you implement the right protections?
A risk assessment is a critical starting point for any meaningful cybersecurity initiative. It helps a business identify its greatest vulnerabilities, what assets need protection, and what threats are most likely to exploit weaknesses. Without this foundational knowledge, all other security efforts are like shooting in the dark.
Yet, it’s astonishing how many businesses operate without any formal risk assessment or risk management plan. They invest in firewalls, anti-virus software, and encryption technologies—often because they’ve heard these are “best practices”—but have no real understanding of whether these solutions address their most pressing risks.
For example, a business may invest in robust endpoint protection while ignoring that their outdated web applications are their weakest link. Or they may focus on securing physical infrastructure when the real risk comes from poor password management across cloud services. Without a risk assessment, businesses treat symptoms without understanding the underlying causes, creating a false sense of security.
Two Types of Risk Treatment:
Policies and Technology When it comes to mitigating risks, there are generally two broad categories of controls: policies and technology. Policies guide behaviour—these are the rules and standards that dictate how data should be handled, who has access to sensitive information, and what should happen in the event of a security incident.
Technology, on the other hand, provides the tools—firewalls, encryption, multi-factor authentication, and so on—that help enforce those policies and protect your systems. But here’s the crux of the issue: if you don’t know what your specific risks are, how can you be sure that your policies and technologies are addressing the right problems?
A generic security policy downloaded from the internet might say that employees should update their passwords every 90 days, but is password hygiene your most significant risk? Without a risk assessment, you won’t know. Maybe the real risk lies in an insecure API or an outdated legacy system. Simply ticking boxes in a policy doesn’t mean those boxes are the ones that will keep your organisation secure.
The Danger of Ignoring Risk
The reality is that businesses can and do get breached because they focus on the wrong things. They may spend time and money on fancy new technologies, but without understanding their risk landscape, these efforts are misaligned.
Meanwhile, the true vulnerabilities are left unaddressed. Risk assessments not only identify vulnerabilities, but they also prioritise them. Not every risk is created equal, and an effective risk assessment will guide you in focusing your resources on the most significant threats.
It’s about mitigating the risks that matter most to your business.
Final Thoughts: Don’t Let Risk Management Be an Afterthought
Risk management isn’t a “nice to have”—it’s an essential component of any cybersecurity strategy. Businesses that skip this step are leaving themselves exposed. While policies and technology are important, they are only effective if they are designed and implemented with a clear understanding of the unique risks your organisation faces. So, the next time someone suggests downloading a security policy template off the internet, take a moment to ask: does this policy reflect the actual risks we face?
If the answer is no, then it’s time to take a step back and start with a proper risk assessment. It’s only by understanding your risks that you can truly protect your business. I will be retaking Risk Management appointments beginning in February of next year, so book early. Govern with confidence. Securing tomorrow, today.
Author: Tom is the owner of Govern Cybersecurity. He has over 18 years in the cybersecurity and IT industry at management level, and for the past 6 years has been a lecturer in cybersecurity at the Eastern Institute of Technology. He has earned certifications in ISO 27001 Lead Auditing, Lead Implementation, SOC2, and Ethical Hacking. These certifications are considered the international gold standard for business security.
