Why do CISOs often talk about risk tolerance? How to determine it?
07 Mar 2025
Businesses face a persistent challenge. They might know the level of cyber risks they might be exposed to, but it is highly challenging for them to determine how those risks would impact their business’s continuity. It is the main reason why CISOs often talk about risk tolerance.
What is risk tolerance? Why is it important? How do you determine the risk tolerance of your organization? Let’s find out.
What do CISOs mean when they say risk tolerance?
CISOs struggle to juggle between business needs and cybersecurity. This is where risk tolerance comes into the picture. It helps determine the level of risk an organization can tolerate and set the cybersecurity controls in line with business needs.
Even well-prepared systems can face disruption in operations. The CrowdStrike outage caused massive disruption in businesses worldwide. Similarly, a cyber-attack on Starbucks’ supply chain management solution provider caused a massive disruption in its operations worldwide.
It points towards why it is important to understand risks and be prepared as per the business objectives and goals. For this, it is essential to understand risk tolerance and risk appetite.
In simple terms, risk tolerance is how much risk an organization can handle. It is about knowing how a cyber incident can impact your organization. It necessitates organizations to be more aware of the risks that they are exposed to and evaluate the impact of the risk on multiple aspects of their business.
Risk tolerance means answering questions like
“How would an attack impact different assets of an organization?”, To “what extent can an organization take risks without affecting operations, finance, data, and reputation?” and “How to align cybersecurity investments with business needs?”
For example, for an educational institution, a data breach could not only interrupt academics. It could also expose their critical research and student data. The organization cannot afford disrupted classes, lost student data, etc.
However, an educational institution’s risk tolerance might be higher than a healthcare institution, where a cyber-attack could disrupt emergency services or even cause loss of life.
What is risk appetite and how is it different from risk tolerance?
Risk appetite is how much risk an organization is willing to take to achieve its business objectives. Risk tolerance is all about quantifying and specifying the risk an organization can tolerate. While risk tolerance applies to specific aspects of business based on metrics and insights, risk appetite applies to overall business.
Why is cybersecurity risk tolerance important?
Here are some more reasons why risk tolerance is important:
- Risk tolerance enables management to make an informed investment decision, telling them where they should invest (the kinds of tools and resources needed to secure their organization) and how much they should invest in cybersecurity.
- It helps organizations realign cybersecurity to business needs.
- By knowing their risk tolerance, organizations can have a clear picture of the areas where they would need to focus their cybersecurity resources (areas with low-risk tolerance).
How to measure/determine cybersecurity risk tolerance?
In larger organizations, there is a dedicated head (cyber risk officer) and a team for risk, along with its impact on the different aspects of the business. It might not be true for small and medium-sized businesses.
Here is a way to determine cybersecurity risk tolerance
Determine your business goals
Ask questions like “What your business intends to achieve in the future? It could include long-term plans like expanding to another product division or a business merger, including everything that forms part of your long-term plan while deciding risk tolerance.
Evaluate your exposure to cyber risks and threats
Conduct a comprehensive risk assessment to evaluate all the risks and threats your organization might be vulnerable to. Take the assistance of security experts who can provide you with better insights on risk and threat exposure.
Ascertain how your company might attract risk
Evaluate how your company might attract risks. Think of all the possible ways and reasons it can be targeted by cyber threats and other risks.
For example, if it is a company that provides supply chain management services to a renowned company, it is more likely to be targeted by cybercriminals.
Check what compliance regulations are applicable
Check what compliance regulations, cybersecurity frameworks, and standards are applicable to your organization. There are data security and privacy regulations like GPDR and PCI DSS, and statutory regulations like the New York Cybersecurity Regulations.
Determine risk tolerance
Based on all the factors, determine the risk tolerance. For example, for a startup focused on growth and innovation, the risk tolerance might be higher than for a highly regulated organization like a critical infrastructure organization. Since determining risk tolerance cannot be formed without organizational participation, it is essential to encourage the participation of leaders and stakeholders.
To summarize it
We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.