Today’s most common cyber threats are familiar, not just to security professionals but often to the victims themselves. It is not that we don’t know how to protect against a given threat; it is that, too often, we didn’t do it in time.
We understand the threat actors and their motivations (even if they ebb and flow over time). We understand the technology they use and the types of infrastructure they target, and we even catalogue the vulnerabilities attackers are exploiting operationally. Most incidents are preventable, provided the right measures were in place beforehand. And that’s the rub: it’s easy to say “we should have mitigated that specific risk” in hindsight, but hard to do it ahead of time, and to do it efficiently in terms of time, cost, people, and process.
How do you know which security measures to put in place, and when to do it?
The Flaws of the Maturity-Based Model
Most organizations—even smaller ones—are overwhelmed by technical data, rapidly evolving threats, and sprawling digital estates. Moreover, from a cybersecurity lens, there’s a critical lack of business context: cybersecurity teams, executive teams, and business units are often too far removed from one another. As a result, the default investment is to attempt to monitor everything, patch everything, and invest in everything—often without knowing what matters most to the business or what attackers are likely to target. This leads to control fatigue, inefficient spending, and gridlock that paralyzes the very teams tasked with defense.
What I just described could be characterized as a maturity-based approach—a checklist-driven model that focuses on achieving a set level of capability across controls. It’s easy to measure and helps get basic programs off the ground. However, in more advanced environments, it becomes a blunt tool. It treats all assets, applications, and processes as equally important and often drives spending into areas that don’t move the needle in risk reduction. Worse, it can create unnecessary overhead and delay without clearly connecting investments to outcomes.
This is where risk-based cybersecurity comes in. Unlike the maturity-based approach, the risk-based approach prioritizes security actions based on real, evolving threats and the business impact of their exploitation. It doesn’t just ask, “Are we monitoring this asset?” but instead, “What would it cost the business if this asset were compromised, and how likely is that event?” This reframing allows for far more precise, efficient, and impactful security programs.
To succeed with a risk-based approach, organizations must understand their networks, the threat landscape, and where the two meet. That means knowing your assets, identifying critical systems, and contextualizing threats as they emerge. This keeps defenses aligned with actual risk exposure and can substantially reduce cost by avoiding overprotection in low-risk areas. For example, a misaligned program might overinvest in endpoint detection while underinvesting in cloud configuration security, even though the latter is the larger attack surface for that organization.
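As an added example that is not part of the original article, the Python below models the risk-based prioritization described above. It joins a constructed asset inventory, a constructed set of vulnerability findings, and a constructed threat-intelligence feed of actively exploited CVEs, scores each finding as likelihood times business impact, and compares the resulting fix order with a maturity-style order that ranks by CVSS alone and treats every asset as equally important. The asset names, placeholder CVE identifiers, dollar figures, and likelihood weights are all assumptions made for illustration, not a published scoring standard.

```python
"""Risk-based vs. maturity-based prioritization of vulnerability findings.

Added example, not code from the original article. All data below is
constructed sample input; the scoring model is an illustrative assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact_usd: float   # assumed loss if the asset is compromised
    internet_exposed: bool
    crown_jewel: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float                  # base severity score, 0-10


# Constructed asset inventory (hypothetical names and impact figures).
ASSETS = {
    "payments-api": Asset("payments-api", 5_000_000, True, True),
    "cloud-storage-bucket": Asset("cloud-storage-bucket", 2_000_000, True, True),
    "dev-laptop-17": Asset("dev-laptop-17", 20_000, False, False),
    "hr-intranet": Asset("hr-intranet", 150_000, False, False),
}

# Constructed scan results. "CVE-0000-..." are placeholder IDs, not real CVEs.
FINDINGS = [
    Finding("dev-laptop-17", "CVE-0000-0001", 9.8),
    Finding("hr-intranet", "CVE-0000-0002", 9.1),
    Finding("cloud-storage-bucket", "CVE-0000-0003", 6.5),
    Finding("payments-api", "CVE-0000-0004", 7.2),
]

# Constructed threat-intel feed: CVEs observed being exploited in the wild.
KNOWN_EXPLOITED = {"CVE-0000-0003", "CVE-0000-0004"}


def likelihood(f: Finding, a: Asset) -> float:
    """Assumed annual probability that the finding is exploited on this asset.

    Severity contributes a little; evidence of active exploitation dominates;
    internet exposure doubles the result. Weights are illustrative only.
    """
    p = 0.02 + 0.08 * (f.cvss / 10)
    if f.cve in KNOWN_EXPLOITED:
        p += 0.40
    if a.internet_exposed:
        p *= 2.0
    return min(p, 1.0)


def expected_loss(f: Finding) -> float:
    """Risk as expected loss: likelihood of compromise times business impact."""
    a = ASSETS[f.asset]
    return likelihood(f, a) * a.business_impact_usd


def maturity_order(findings):
    """Checklist model: patch the highest CVSS first, every asset treated equal."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_order(findings):
    """Risk-based model: fix the largest expected business loss first."""
    return [f.cve for f in sorted(findings, key=expected_loss, reverse=True)]


def crown_jewels_exposed_to(cve: str, findings):
    """Answer 'which crown-jewel assets are exposed to this CVE?' from the join."""
    return sorted(f.asset for f in findings
                  if f.cve == cve and ASSETS[f.asset].crown_jewel)


if __name__ == "__main__":
    print("maturity-based order:", maturity_order(FINDINGS))
    print("risk-based order:    ", risk_order(FINDINGS))
    for f in sorted(FINDINGS, key=expected_loss, reverse=True):
        print(f"{f.cve} on {f.asset}: expected loss ${expected_loss(f):,.0f}")
    print("crown jewels exposed to CVE-0000-0003:",
          crown_jewels_exposed_to("CVE-0000-0003", FINDINGS))
```

With this sample data the two orderings are exact inverses: the maturity model sends the team to a developer laptop with a critical-severity score first, while the risk model puts the internet-facing, actively exploited payments API at the top despite its lower CVSS. The point is not the specific weights but that business impact and threat context, not severity alone, should drive the queue.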
The Role of AI: From Overwhelmed to Insightful
The problem? Implementing risk-based management is hard with conventional technology. The volume and velocity of data from logs, vulnerability scanners, threat feeds, and business systems is enormous and constantly changing; no human team can process and prioritize it all manually. There is good news, however. The step change brought by Large Language Models (LLMs) changes the equation. LLMs are well suited to reading large amounts of unstructured text, and AI applications can encode the decision process of expert practitioners. The technology can highlight what is material and surface insights that guide human decision-makers more effectively than traditional tools, or automate decision-making in the right circumstances. The practical caveat is that an LLM only adds value when it is grounded in the organization’s own asset inventory, scan results, and threat data, and when its conclusions are checked, because a model can be confidently wrong about both facts and priorities.
AI excels at pattern recognition, anomaly detection, and correlating disparate datasets—all core challenges in risk-based cyber programs. For instance, LLMs can interpret incident reports, asset inventories, and threat intelligence in natural language, and then answer strategic questions like, “Which of our crown-jewel assets are exposed to this zero-day exploit?” or “What are the top three gaps in our MFA coverage across critical systems?”
Shifting to a risk-based model isn’t just about tools—it’s about mindset, process, and organizational alignment. According to Gartner, success comes from integrating risk-based thinking into threat detection, incident response, and executive reporting. It means building strong relationships between security and business leaders, making good budget decisions, using metrics that connect security actions directly to business outcomes, and continuously enriching detection and investigation with business context.
It also means evolving the operating model: from seeing cybersecurity as a standalone IT function to embedding it across the business as a partner in digital innovation.
Risk-based cybersecurity, when implemented thoughtfully, becomes more than just a defense mechanism. It becomes a strategic lever. It turns cyber from a cost center to a value protector—ensuring resilience where it matters, enabling innovation without reckless exposure, and turning threat data into boardroom insights. That’s the future we should be building toward.