When you're faced with risk from an app security gap or vulnerability, you have more options than you think: you can avoid it, accept it, mitigate it, or transfer it. The only option you don’t have: ignoring it.
You get briefed about a security vulnerability in one of your company-developed apps. It sounds serious. You might think that the only answer is to throw a technology solution at it. But such solutions can be complicated—and costly. Still, you have no choice.
Or do you?
Take heart. When faced with an app security gap or vulnerability, you have more options than you think—four, to be exact.
Avoid the risk
Sometimes the easiest path is to stop doing the risky action, and plug the security hole in the process. Perhaps you have a customer-facing web app that collects personally identifiable information that you don’t need. Stop collecting it. Perhaps your app stores customer credit card numbers. You can stop storing them. Problem solved. It’s like the old joke. Patient: “Doctor, it hurts when I do this.” Doctor: “Then don’t do it.”
Accept the risk
Another possibility is to just accept the risk. Say you discover vulnerabilities in one of your apps, but the likelihood that it would be exploited is minimal to nonexistent, the data in the system is virtually public, and you don’t consider the source code valuable intellectual property. Your appetite for risk might not be high, but this could be acceptable. Sometimes it will simply cost more to fix the problem than it would cost to clean up a breach or attack. If you perform a risk analysis and decide to accept (rather than mitigate) the risk, the good news is that effort alone displays due diligence and due care, as you have made your decision based on reasonable assurances that the risks will not be exploited—or if they are, they are acceptable to the business.
Mitigate the risk
You may have thought your only option was to mitigate risk by deploying a technology solution. This is the sort of thing your security team routinely does: implementing tools or services that can detect, prevent, or respond to an attack. You will choose this option for some of your risks, but mitigation is not always the most effective, or the most cost-effective, way to proceed.
Transfer the risk
You can also transfer security risk to a third party. There are a couple of ways to do this depending on the situation. First, you can transfer the risk to a managed service provider or Software as a Service application provider who assumes responsibility (risk) for protecting customer data. Second, you can protect yourself through cyber insurance. You decide how much risk you can accept and insure the rest.
The only option you don’t have: ignoring the risk
Rather than dealing with security vulnerabilities, some executives choose to stick their heads in the sand and ignore the problem. This leaves their businesses open to litigation, compliance penalties, fees, and other expenses should a breach occur.
Never ignore your legal obligations. When it comes to risk, you must exercise both due diligence and due care when making important decisions. Due diligence means you have fulfilled your responsibility to identify and assess risk; due care means you have actively explored potential solutions to those risks and made the best possible decision, choosing one of the four options outlined above. These twin concepts of due diligence and due care are foundational to every form of risk, including cyber risk. By carefully considering the types of vulnerabilities you face in your IT environment, and choosing for each one whichever of these options you deem optimal, you are fulfilling your responsibilities to your company and to your customers.
Alice LaPlante is an award-winning and best-selling American author of numerous books, including A Circle of Wives and The New York Times bestseller Turn of Mind, which was the winner of the Wellcome Trust’s Book Prize and a B&N Discover Award finalist. She was a Wallace Stegner Fellow and a Jones Lecturer at Stanford University, and taught creative writing at both Stanford and San Francisco State University. She has written for Forbes ASAP, BusinessWeek, ComputerWorld, InformationWeek, and Discover. Her corporate clients include some of the best-known brands in the technology industry, including IBM, Microsoft, Oracle, Symantec, Deloitte, and HP.