What’s Really Driving Your Cybersecurity Strategy?
What is driving the decisions behind your cybersecurity strategy?
If it’s not based on your own cyber risks and doesn’t leverage established frameworks, it could be missing critical steps that leave you open to an attack.
Today’s article is going to explore that further and provide some ideas that can help make sure your strategy is as effective as possible.
This all ties into a free webinar series starting on Tuesday, January 13th at 1pm ET. If you know this is an area that you would like help, register here and we’ll dig deeper into this in our first session: https://rlsconsulting.co/2026cyberstrategyprogram/
Leveraging Your Risk in Your Cyber Strategy
There’s a lot of noise out there around the threats that are after us and the types of attacks we need to fear.
That fear, uncertainty and doubt (FUD) that news outlets and marketers love to lean on leaves most people confused about what’s really going on.
An analogy I like to use here is “A House and A Storm”:
We can come up with all kinds of scenarios of what can happen and what storms the future may bring, but there’s nothing we can do to stop the storm. Instead, we can focus on what we actually have control over and turn to our home.
How will our roof handle wind? Will trees or structures blow into our house? Is flooding going to be an issue? Etc.
These things help us identify what could be at risk and where to focus our energy.
In cybersecurity, it’s the same. People get caught up in all of the noise and end up in more of a reactive approach.
Instead, if we turn our focus to our environment and look at the factors that contribute to our risks, we can be more impactful and proactive in addressing them.
So, with that in mind, I’ll teach you some simple ways to look at those areas of risks to identify where your attention is needed.
And we’ll talk about some of the ways to address your cyber risks without experimenting, by using cybersecurity frameworks and best practices that are already well established.
Simpler Ways to Understand Your Cyber Risk
In risk-based cybersecurity, we look at two key factors related to your environment:
Risk = Likelihood x Impact
This equation actually derives from the Expected Value equation in mathematics and can be used to better understand outcomes related to various events based on their probability and possible outcomes.
In cybersecurity, the probability is measured by Likelihood and those possible outcomes by Impact.
More specifically:
Likelihood is based on “how” an attack may happen and considers threats and the vulnerabilities (weaknesses) that exist in your environment. With our vulnerabilities, it matters whether they are easy to detect, easy to attack, if attackers are aware they exist, and what we can do to protect or monitor them.
This is often the more technical side of things when it comes to really digging into vulnerabilities and addressing them. However, at a higher level, you can still start to weigh the level of likelihood or compare it across systems to understand where it’s highest.
Impact is based on what can happen “if” you have an attack and can be measured using the CIA triad of cybersecurity, where we consider the potential impacts of a Compromise of Confidentiality, Integrity, and Availability related to how you use your technology and data.
Impact is more related to how the business operates, especially when looking at it at a higher level or considering how to reduce the level of impact. Just like with likelihood, really digging into them and addressing the level of risk will require a deeper technical understanding, but there is still a lot that can be understood and compared across systems to get a picture of the risk.
To assess these properly, services like Cybersecurity Risk Assessments, Penetration Tests, or even Vulnerability Assessments from qualified professionals provide the depth and analysis you need to really break everything down within your risk.
However, I want to show how even a high-level understanding can be used to help point us in the right direction.
Likelihood and Impact Example
Let’s look at our business email and consider the likelihood and impact at a very high level for an easy example that most people are familiar with:
Likelihood:
- What vulnerabilities might exist and where? Think about the mail-flow, authentication, integrations, rules and automations, or other processes.
- What’s easy to detect? People can find your email address/domain, they can see various configurations you have for security or sometimes what security tools are in place (or potentially missing), and it’s pretty easy to automate a campaign that can find a sucker to click on a phishing email (detecting a human vulnerability).
- What’s easy to attack? This will depend on what security configurations or tools are in place, like MFA or tuned SPF, DKIM, and DMARC settings, whether users are trained to take caution with emails, and whether security filters keep malicious messages out of inboxes. Are messages encrypted, or are there other practices that add layers of security?
- What vulnerabilities are attackers aware of? Aside from maybe some unique integrations or automations you have, threat actors are pretty well versed on the vulnerabilities related to email systems.
Impact:
- Compromise of Confidentiality:
  - What kind of information in your email needs to stay private? Is there sensitive data, intellectual property, or other communications that are non-public?
  - This may not be the highest level of risk for everyone, but there can be a lot we want to keep private in our email. This one will depend on what is in your email inboxes, and if a compromise also means other systems (like SharePoint files) can be accessed.
- Compromise of Integrity:
  - Where is trust involved in our email system? When our system is compromised, where does that trust break, what can an attacker manipulate without us knowing? Do any emails trigger or take part in an automation? Could someone intercept or hijack a communication if they got in?
  - Maintaining integrity is often critical in email and other systems used for communication. Someone going undetected in there has the potential to cause a lot of problems.
- Compromise of Availability:
  - What does it mean for our ability to work if this system, process or data is unavailable? What if it’s an hour, a week, longer, or completely deleted/destroyed? Can we get availability restored quickly? What else will this affect?
  - For email, this is another high-risk area. We store things we need to refer back to, we have communications that are often only on email, and it’s often tied to other ways we work or even our calendar and schedule. People could be trying to reach you and you would have limited ways to reach them back or tell them your email is down. While not as likely, the impact is often high here for most offices (one reason why we measure likelihood separately).
There’s not much we can change about our impact because of how much it’s tied into the way we do business. We can work on the likelihood but the front-line security comes down to our users. One user having a bad day or being distracted can have serious impacts depending on which way the attack could go.
All of this considered, your email is going to be a high-risk system just by the nature of how it’s used.
This probably isn’t too surprising given how frequently we see Business Email Compromises and Phishing involved in attacks.
To apply this ‘quick risk analysis’ to other systems, use the prompts I laid out above to get a sense for how your different systems stack up to each other and start to piece together an idea of your overall risk.
When you do this, don’t forget your Third-Party Service Providers.
Quick Tip
Where I often see people leave themselves exposed is by letting (often subconscious) biases skew their perspective of their Likelihood and failing to look at Impact as its own factor.
Typically, it plays out with them getting surprised by an attack they didn’t expect could happen. They weren’t ready to respond and scrambled. And, because they weren’t seeing the full potential of what could happen, they hadn’t done anything proactive to try to minimize the impacts.
You have to consider the “if” regardless of the “how”.
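To make the cross-system comparison and the “if regardless of how” check concrete, here is an added example (not from the article) that scores the likelihood prompts and the C/I/A impact prompts on a 1 to 5 scale, ranks systems by Likelihood x Impact, and flags systems whose impact is severe even though their likelihood looks low. The system names and scores are constructed, and taking impact as the worst of the three CIA outcomes is my assumption, not the article’s.

```python
from dataclasses import dataclass

# Prompts from the quick risk analysis, each scored 1 (low) to 5 (high).
LIKELIHOOD_PROMPTS = ("vulnerabilities", "easy_to_detect", "easy_to_attack", "attacker_awareness")
IMPACT_PROMPTS = ("confidentiality", "integrity", "availability")


@dataclass
class SystemRisk:
    name: str
    likelihood: dict  # likelihood prompt -> score
    impact: dict      # C/I/A prompt -> score

    def __post_init__(self):
        # Refuse partial or out-of-range scoring so a forgotten prompt can't hide a risk.
        for prompts, scores in ((LIKELIHOOD_PROMPTS, self.likelihood), (IMPACT_PROMPTS, self.impact)):
            bad = [p for p in prompts if not 1 <= scores.get(p, 0) <= 5]
            if bad:
                raise ValueError(f"{self.name}: missing or out-of-range scores for {bad}")

    def likelihood_score(self) -> float:
        # The "how": average of the four likelihood prompts.
        return sum(self.likelihood[p] for p in LIKELIHOOD_PROMPTS) / len(LIKELIHOOD_PROMPTS)

    def impact_score(self) -> int:
        # The "if": the worst C/I/A outcome sets impact (an assumption made here), so a
        # high availability impact is not averaged away by a low confidentiality one.
        return max(self.impact[p] for p in IMPACT_PROMPTS)

    def risk(self) -> float:
        return self.likelihood_score() * self.impact_score()  # Risk = Likelihood x Impact


def rank_by_risk(systems):
    """Order systems so the highest Likelihood x Impact comes first."""
    return sorted(systems, key=lambda s: s.risk(), reverse=True)


def impact_blind_spots(systems, min_impact=4, max_likelihood=2.5):
    """Systems where the 'if' is severe even though the 'how' looks unlikely."""
    return [s.name for s in systems
            if s.impact_score() >= min_impact and s.likelihood_score() <= max_likelihood]


# Constructed sample scores (not measurements) for three systems, including a third party.
SAMPLE_SYSTEMS = [
    SystemRisk("business_email", dict(zip(LIKELIHOOD_PROMPTS, (4, 5, 3, 5))), dict(zip(IMPACT_PROMPTS, (3, 4, 5)))),
    SystemRisk("nightly_backups", dict(zip(LIKELIHOOD_PROMPTS, (2, 1, 2, 3))), dict(zip(IMPACT_PROMPTS, (2, 3, 5)))),
    SystemRisk("payroll_provider", dict(zip(LIKELIHOOD_PROMPTS, (3, 3, 2, 3))), dict(zip(IMPACT_PROMPTS, (5, 4, 3)))),
]

if __name__ == "__main__":
    for s in rank_by_risk(SAMPLE_SYSTEMS):
        print(f"{s.name:17} L={s.likelihood_score():.2f} I={s.impact_score()} risk={s.risk():.2f}")
    print("impact blind spots:", impact_blind_spots(SAMPLE_SYSTEMS))
```

With these sample scores, email ranks highest (L 4.25 x I 5), while the backups land in the blind-spot list because their impact is 5 even though likelihood is only 2.0.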
Creating a Strategy
Your strategy needs to start with an understanding of the risk because it basically acts as your GPS for the path you hope to follow.
Like the “House and Storm” analogy, when you turn to your environment and look at what you have control over, you can start to make better decisions about reducing the chances of something happening, and the impact if it does.
Understanding the Likelihood begins to tell us more about what best practices can reduce our vulnerabilities, or weaknesses.
And understanding the Impact helps us begin to identify ways to work smarter to reduce the potential impact of an attack or, at the very least, be prepared for what one could mean for us.
Cyber Strategy Program
If you want to continue to learn more about how to apply these concepts, I am running a free Cyber Strategy Program for businesses to follow along with me throughout 2026 as we build, implement, and follow an annual cyber strategy together.
There are monthly webinars packed with tips and action items that will help you follow a repeatable cadence with us throughout the year.
Our first event will dig deeper into ideas introduced in today’s article, so don’t miss that on Tuesday, January 13th at 1pm ET.
Each month, we add a new part of the process with education, action items, and the Q&A for live help.
When you sign up for the webinars, I’ll also share other resources including my Cybersecurity Playbook to give you a more detailed guide on what to do and how to approach cybersecurity more holistically.
Learn more and register here: https://rlsconsulting.co/2026cyberstrategyprogram/