“What is your cyber risk strategy?”, this is a common question asked by your board of directors and executives.

People often answer it from the angles of risk assessment,  security governance, department budget, resource plan, or awareness training. While all of these elements are important, have you ever thought about a fundamental question:

What is your dimension of cyber risk strategy?  

I know many cybersecurity professionals.  Before they entered this field, they thought about their life would be like this:

Yes, it’s like a Superman: You have total control, you master everything, you can touch everything, and you can say NO to most of the people.

But very soon, they realize their life is actually like this:

They are firefighters. Every day they are facing issues, vulnerabilities, or incidents, and it leaves them almost no time to think about long-term.

But when you are promoted to manager, director, or CISO (Chief Information Security Officer), you have to face this very important question called “Cyber Risk Strategy”.


It sounds like a big topic, but to many many corporations, it actually looks like this.

It is like a line. On the extreme left-hand side,  you have something called convenience; On the extreme right-hand side, you have something called security.So, what is your cyber risk strategy? It is to find a point on this line. You can move a little bit to the left, you get more convenience less security,  or move to the right you get more security less convenience.  For example, for a large financial institute,  probably you are on the right-hand side;  For a startup or technology company, you are likely on the left-hand side.

This is a model most corporates are operating. But, is it good enough?

I’d like to show you another picture.


Anyone familiar with Gartner Magic Quadrant or Time Management Quadrant? You have important/urgent or important/not urgent. So, it looks like this. You have four quadrants: convenient/secure, inconvenient/secure, inconvenient/insecure,  and convenient/ insecure. The goal is to move your company to this quadrant called convenient and secure, to achieve both of them.

How do you get there? There are many ways. Oftentimes, you have to leverage technology and process. For example, Apple, in their iPhone, Face Detection, it can let you log in very quickly and offer the good security.  There’s another concept called secure DevOps. So, it incorporates security in the software development lifecycle. It also helps integrate the development,  testing, and production in one seamless process. And improves productivity.

Okay, sounds like it’s a very good picture right now, but the question is, is it good enough?

I’d like to show you another picture.


Even though you achieve the perfect score internally for your cybersecurity risk management,  but you are not living alone.  You have to be working with your partners,  vendors,  customers,  your suppliers.  You have to not only take care of your own security but also consider other people’s cybersecurity or risk strategy.

The hackers,  they find it’s difficult to penetrate a bank.  They often turn around to smaller law firms or accounting firms because they have a less security.  And so, when they get the sensitive information, let’s say client information, then they can come back and attack the large organization like a bank.

So, in other words, you have to live in this ecosystem, not only for your own cybersecurity or risk strategy but also include other people’s,  other organizations’ security and strategy.

But, is it good enough?

Let me show you one more picture.

Even though you take care of the whole ecosystem, your decision or strategy is based on what? It is based on the past – the things happened before,  the incidents, the devices you had,  the strategy you had it before.

It is like in a company, when they do the financial forecast, what do they do? They normally just get the last year’s (Financial Report) or the year before that,  modify some parameters, then they try to predict the future.  It is not enough!

We have to think about the future because the technology is moving fast every day,  we have AI,  we have blockchain. Hackers are using different ways to attack companies, and the policies, security compliance are changing.

We have to take care of not only now, past, and also future. In other words, we have to consider the “Time Factor” in your cybersecurity or risk strategy.

Alright, let’s quickly recap.

We have four pictures right now related to your security strategy.


If you think those pictures deeper, we can call it 1D, 2D, 3D, and 4D of the risk strategy.

In one dimension, you only consider: do I need more convenience or do I need more security? In two dimensions,  you have to try to achieve both convenient and the security. In three dimensions, you want to not only take care of yourself but your ecosystem. But in 4D,  you have to live in right now,  based on the past, but also predict the future!

So, the question for you is: “What is your dimension of risk strategy?”

And your answer to this question will largely decide the whole strategy of your risk management system, or cybersecurity management system.


By the way, I also I created a short video on this topic as follows. Hope you will find it helpful.