Last updated at Fri, 19 Jun 2020 13:18:21 GMT

It’s no secret that in the world of vulnerability management, reducing your risk is the name of the game, but eradicating it entirely is, well, impossible. The result is a world in which organizations need to define what they believe to be an acceptable amount of risk to take on, then work their hardest to meet that goal.

But because it can be difficult to know exactly how you’re supposed to determine what constitutes “acceptable” risk, we decided to ask some of our customers to weigh in on their approach. Read on to learn about how these security professionals approach risk in their organizations and their best advice for others looking to better their approach to risk management:

Chris Bailey, Security Architect

I look at what type of data it is (confidential, sensitive, or public), then determine which controls protect that data. Based on that information, a security assessment is performed and a recommendation is provided to the business about whether the risk is low, medium, or high.

Steven Maske, Information Security Manager

Acceptable risk all boils down to probability and impact vs. reward or cost. An oversimplified example would be, you wouldn’t spend $1 million to protect a $100,000 asset.

Anonymous, Biotechnology Company

Risk always changes. Technology is always changing and businesses adapt to the new technologies, so there are always new risks inherent with the technology. Even if you avoid risk by not changing, you risk going out of business because your services will become stale or irrelevant.

Chad Kliewer, Information Security Officer at Pioneer Telephone Cooperative, Inc.

I look at risk from the opposite side. When considering a security initiative to mitigate a perceived risk, we have to think about the risk that our mitigation poses to the organization. Is it really reducing the initial risk, or are we just introducing additional risk with more complex solutions?

Anonymous, Valuation Company

I think the difficulty is accurately explaining the need for acceptable risk in an organization. We’ve recently been tasked with writing a “remediation” document on a critical server that cannot be upgraded due to legacy software. The trouble is getting across that the remediation in this instance simply isn’t possible in the way it’s expected.

Anonymous, Healthcare Organization

Risk starts with culture and significant buy-in from C-level management. Without vision from the top, no one will make time for cyber. And without setting the culture of cyber first, a company won’t be able to properly manage or even identify their riskiest areas.

David Johnson, Systems Security Analyst, Energy Organization

Operations or the purpose of the business should always be the first consideration. Sometimes applying “mitigating” controls can introduce more risk than not applying them.


I think risk management in some regards is more important than deciding on the inherent security merits of a particular project. “No” and “Can’t be done” are pretty much unacceptable answers to most of today's business technology questions. So, since we have to do it anyway, it’s the risk management angle that dictates whether the undertaking is a success, both from a business and a security perspective.

Brandon Cox, Information Security Engineer at Curvature

I agree, but remediation seems to be the only focus many organizations have when it comes to infosec.

Anonymous, Media Organization

There are well-known formulas for quantitative and qualitative risk, but it is ultimately up to the security and business professionals to understand the nature of their organization and apply these formulas appropriately based on the needs of the business. Understanding the needs of a particular business and appropriately managing that risk based on the needs of the business is what will help transform an infosec department from a cost center to a value-added business function.

Darren Waldron, Sr. Security Engineer

Agree with the commonality of opinion here. We’ve spent moons focusing on risk, but it really comes down to the scenario at hand. Formulas are a guideline, but never the final decision.

Rick Heil, IT Director / InfoSec Officer

The classic quantitative risk formulas are well-known, but it is up to us as security professionals to apply the qualitative nature of business to them and mitigate. We’ve done a lot of work to transition infosec from the “Department of No” to the “Department of Yes-and-We’ll-Help”.


The risk fluctuates with technology. Today, you are fully patched and your risk is minimized—tomorrow, you have to deal with the new exposure. As long as you lay out the exposure and the impact, you let the business decide how much they are willing to take and accept while you try to keep the lights on.

Want to learn more about how other security professionals approach risk management in their organization? Check out Rapid7 customer Steven Maske’s in-depth blog post, “How to Define and Communicate Vulnerability Risk Across Your Company.”