<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/rob-lesieur/rss" /><link>https://www.ivanti.com/blog/authors/rob-lesieur</link><item><guid isPermaLink="false">cb685e9c-f71b-4942-b89d-9bdac94452dc</guid><link>https://www.ivanti.com/blog/crq-risk-appetite-for-digital-vulnerability</link><atom:author><atom:name>Rob Lesieur</atom:name><atom:uri>https://www.ivanti.com/blog/authors/rob-lesieur</atom:uri></atom:author><category>Endpoint Management</category><title>Risk Appetite, CRQ and Exposure Management: Closing the Loop on Cyber Risk</title><description>&lt;p&gt;Executives today operate in a constant state of pressure. Regulatory demands grow faster than budgets, customers expect proof of resilience and every system outage becomes a business event. When each function manages risk in isolation, leaders spend more time reacting than advancing strategy.&lt;/p&gt;

&lt;p&gt;The real issue is coherence. Most organizations still rely on partial instruments: dashboards filled with red and amber, but no clarity on which risks matter or what an outage would actually cost. Anyone updating risks once a year in a spreadsheet is flying the enterprise through fog without instruments. &lt;a href="/resources/v/doc/ivi/2873/4eb345cbbd7a" target="_blank"&gt;Cyber risk quantification&lt;/a&gt; (CRQ) brings those instruments in the form of credible metrics, realistic scenarios and ROI-based priorities.&lt;/p&gt;

&lt;p&gt;But measurement alone isn’t enough. &lt;a href="https://www.ivanti.com/blog/risk-appetite"&gt;Risk appetite&lt;/a&gt; defines how much uncertainty an organization is willing to accept; &lt;a href="https://www.ivanti.com/exposure-management"&gt;exposure management&lt;/a&gt; operationalizes that boundary. When CRQ, risk appetite and exposure management operate together, risk becomes a controllable variable — a closed loop that ties monitoring to strategy and action.&lt;/p&gt;

&lt;p&gt;The result is a system that reduces noise, sharpens priorities and enables leaders to balance security, profitability and innovation. And while measurement by itself is insufficient, it is the crucial first step for IT leaders.&lt;/p&gt;

&lt;h2&gt;Why measurement is the first act of leadership&lt;/h2&gt;

&lt;p&gt;You cannot manage what you cannot measure. A single “critical” label might conceal a $50,000 nuisance or a $5.4 million disaster. Without quantification, leadership decisions rely on instinct dressed up as process.&lt;/p&gt;

&lt;p&gt;Measurement is the first act of control. When risk is expressed in financial terms (e.g., probability of loss, potential impact, return on mitigation), security becomes a business function rather than a technical debate. It re-enters the language of value, cost and return. Investors and boards increasingly judge resilience as an indicator of governance maturity. Quantified risk doesn’t just support better posture — it stabilizes valuation and reinforces confidence in executive judgment.&lt;/p&gt;

&lt;h2&gt;Cyber risk quantification (CRQ): Turning guesswork into dollars&lt;/h2&gt;

&lt;p&gt;Cyber risk quantification provides the translation layer that business leaders need. It models what a specific threat could cost in dollars, how likely it is to occur and which factors amplify or reduce exposure. Inputs include internal metrics (e.g., production revenue per hour, contractual penalties, data-handling costs) augmented by actuarial models, such as those from Munich Re.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Left box titled “Inputs” listing “Revenue/hour,” “Penalties,” and “Actuarial models”; arrows feed into “Cyber risk quantification” (magenta, calculator icon), then into “Constraint layer: Risk appetite” (red, slider icon); outputs box on the right lists “Expected loss vs. tolerance,” “Likelihood relative to controls,” and “Decision options.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_1_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;CRQ reframes risk through three primary business impact categories. Each category has its own drivers and timeline, and ignoring those distinctions leads to flawed prioritization.&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Business interruption: When systems fail, the cost clock starts running as production outages, penalties and lost revenues accumulate by the hour.&lt;/li&gt;
	&lt;li&gt;Data breach: Where damage unfolds in waves and cleanup, fines, legal action and the erosion of customer trust linger for years.&lt;/li&gt;
	&lt;li&gt;Financial theft and fraud: Compromised accounts, tampered transfers or false payment orders that inflict immediate losses.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;CRQ also reverses the usual IT tunnel vision. Rather than starting with vulnerabilities, it begins at the business-model level. It asks: what would this cost us and which processes would cause the greatest financial impact if they failed?&lt;/p&gt;

&lt;p&gt;The analysis uses company-specific data, such as hourly production revenue and contract penalties, cross-referenced with Munich Re’s actuarial models. The result: credible, actionable numbers. Executives can compare cyber investments to any other capital decision. Instead of "&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;patch all vulnerabilities,&lt;/a&gt;" the question becomes: which action reduces the most financial risk per dollar spent?&lt;/p&gt;

&lt;p&gt;That shift marks the moment cybersecurity joins the CFO’s balance sheet. And, when CISOs talk in dollars instead of acronyms, cybersecurity becomes a language of enterprise value rather than fear management.&lt;/p&gt;

&lt;h2&gt;Risk appetite: Setting the boundary of ambition&lt;/h2&gt;

&lt;p&gt;Quantification alone is instrumentation — not leadership. Leadership requires defining how much risk your organization is willing to accept in pursuit of its goals. That definition (i.e., your organization’s risk appetite) is the hinge between measurement and management.&lt;/p&gt;

&lt;p&gt;Every company balances ambition against exposure. A high-growth startup accepts volatility for potential upside while a regulated utility prizes stability over experimentation. Risk appetite transforms those instincts into policy, linking goals to thresholds, such as maximum loss, acceptable downtime and tolerance for reputational impact.&lt;/p&gt;

&lt;p&gt;&lt;img alt="A horizontal gray arrow from “More aggressive” (left) to “More conservative” (right); a bracketed magenta segment labeled “Risk appetite,” with a purple triangle above the right side labeled “Risk posture.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_2_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;Defining risk appetite is both a quantitative and moral exercise. It signals not only how much loss a company is willing to bear but what kind of company it intends to be. Metrics like maximum loss and ROI coexist with softer judgments about values, reputation and ethics.&lt;/p&gt;

&lt;p&gt;When a &lt;a href="https://www.ivanti.com/ty/security/downloads/risk-appetite-statement"&gt;risk appetite statement&lt;/a&gt; (RAS) codifies those boundaries (distinguishing between risk capacity, tolerance and hard limits), leaders gain a common language for decision-making. For example, many organizations distinguish high appetite for innovation, moderate appetite for operations, minimal for security and low for compliance. Each organization must make these tradeoffs explicit.&lt;/p&gt;

&lt;p&gt;A clear RAS ensures alignment. Without it, departments drift; marketing pushes for speed while legal demands caution. Well-defined risk appetite balances that friction. It also supports trust — investors and regulators can see that risk governance is intentional, transparent and measurable. Key risk indicators then track performance against these thresholds, providing early warning before conditions deteriorate.&lt;/p&gt;

&lt;h2&gt;Exposure management: Where visibility meets control&lt;/h2&gt;

&lt;p&gt;Until it meets daily operations, risk appetite is theoretical. Exposure management operationalizes that boundary by unifying three disciplines: &lt;a href="https://www.ivanti.com/products/external-attack-surface-management"&gt;attack surface management&lt;/a&gt; (ASM), &lt;a href="https://www.ivanti.com/products/risk-based-vulnerability-management"&gt;risk-based vulnerability management&lt;/a&gt; (RBVM) and validation and remediation. This aligns with Gartner’s Continuous Threat Exposure Management (CTEM) model of scope, discover, prioritize, validate and mobilize.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Attack surface management (ASM): Provides visibility into every asset that could be attacked, including shadow IT.&lt;/li&gt;
	&lt;li&gt;Risk-based vulnerability management (RBVM): Contextualizes vulnerabilities by exploitability and business impact.&lt;/li&gt;
	&lt;li&gt;Validation and remediation: Confirms which threats are truly exploitable and whether fixes are effective.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="A purple circular wheel divided into three sections pointing inward to a red center labeled “Exposure management”; the segments read “Attack surface management,” “Risk‑based vulnerability management,” and “Validation and remediation,” with red arrows indicating continuous flow." src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_3_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;In practice, exposure management is a living feedback loop between visibility and governance. Data aggregation breaks down silos by correlating vulnerabilities with asset value, while validation ensures theoretical models match reality. Remediation closes the loop automatically (through &lt;a href="https://www.ivanti.com/products/ivanti-neurons-itsm"&gt;integrated ITSM workflows&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;An online retailer, for example, may choose to tolerate higher risk on Black Friday to maximize revenue, but does so with heightened visibility and rapid mitigation. Security thus becomes dynamic equilibrium rather than reactive crisis management.&lt;/p&gt;

&lt;p&gt;Where traditional vulnerability management is reactive and incomplete, modern exposure management spans assets, endpoints, applications and clouds, adapting continuously to the organization’s defined risk appetite. Automation, escalation and real-time reporting ensure that leadership always knows where the organization stands, what an outage would cost and which actions deliver the greatest reduction in financial exposure.&lt;/p&gt;

&lt;h2&gt;The closed loop: Turning cyber risk into a controllable system&lt;/h2&gt;

&lt;p&gt;When cyber risk quantification, risk appetite and exposure management operate together, risk becomes a controllable variable — a closed economic and operational feedback loop.&lt;/p&gt;

&lt;p&gt;CRQ shows how much financial damage a vulnerability could cause. Risk appetite defines how much of that risk the organization is willing to accept. Exposure management ensures that the company’s attack surface aligns precisely with this threshold. Together, these three form a system of measurement, direction and control.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Without CRQ, the foundation is missing.&lt;/li&gt;
	&lt;li&gt;Without risk appetite, there is no strategy.&lt;/li&gt;
	&lt;li&gt;Without exposure management, there is no enforcement.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="Three overlapping circles labeled “CRQ—Measurement” (top, purple with calculator icon), “Exposure management—Control” (left, orange with shield icon), and “Risk appetite—Direction” (right, magenta with slider icon); the intersections illustrate how measurement, control, and direction connect." src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_4_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;This closed loop converts cybersecurity from a compliance obligation into a performance discipline. It gives executives the same levers they use everywhere else (metrics, thresholds and continuous feedback). Imagine board meetings where risk variance is discussed with the same fluency as margin variance, where resilience becomes a competitive KPI.&lt;/p&gt;

&lt;p&gt;For years, cybersecurity was the department of “no,” blocking ideas to prevent incidents. Quantification and exposure management transform it into the department of “how.” Leadership can now take calculated risks, prove the ROI of resilience and communicate in a language investors and regulators share: impact, probability and value at risk.&lt;/p&gt;

&lt;p&gt;Measured risk becomes managed value — and leadership finally regains forward momentum. Cybersecurity, once a brake on innovation, becomes the steering system for strategic confidence — the new language of foresight. Anything less is gambling and, in the end, only the attacker wins.&lt;/p&gt;
</description><pubDate>Tue, 13 Jan 2026 13:54:57 Z</pubDate></item><item><guid isPermaLink="false">342be936-e5d6-455e-92fa-67ca1eba15a9</guid><link>https://www.ivanti.com/blog/leaky-apps-how-banning-them-builds-app-security</link><atom:author><atom:name>Rob Lesieur</atom:name><atom:uri>https://www.ivanti.com/blog/authors/rob-lesieur</atom:uri></atom:author><category>Security</category><title>Leaky Apps – How Banning Them Builds App Security</title><description>&lt;p&gt;Banning apps is sometimes necessary to protect your organization from malicious or misused applications. In particular, leaky apps can be a significant threat, and identifying and banning them is an essential app security measure.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Some organizations choose a more flexible approach&amp;nbsp;by allowing employees to use unsanctioned apps and monitoring their usage for suspicious activity. Still others don’t monitor employee app use at all, which is the riskiest approach imaginable.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Employees rely on software to help them do their jobs more efficiently, save time and increase their productivity. But not all software is created equal, and not all apps are implemented securely. Even a massive global organization can be threatened by leaky apps that create serious risk, as this &lt;a href="https://securityboulevard.com/2023/02/leaky-app-gives-researcher-total-global-control-over-the-toyota-supplier-network/" rel="noopener" target="_blank"&gt;Toyota example&lt;/a&gt; demonstrates.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;The risks of leaky apps and poor app security&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Deciding whether to ban an app on corporate devices should be based on A) how much value that app provides versus B) the likelihood of its misuse at the individual or organizational level. In deciding, the organization should consider&amp;nbsp;several types of risk caused by leaky apps or other software.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Insider threats&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;The risk from insider threats is a major concern in app security, due to the difficulty of detecting malicious insiders who already have legitimate access to systems and data.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;A recent report found that &lt;a href="https://www.cybersecurity-insiders.com/2023-insider-threat-report-finds-three-quarters-of-organizations-are-vulnerable-to-insider-threats/#:~:text=A%20Rising%20Threat&amp;amp;text=74%25%20also%20say%20insider%20threat,and%20prevent%20than%20external%20attacks." rel="noopener" target="_blank"&gt;48% of cybersecurity professionals agree&lt;/a&gt; that insider attacks are tougher to detect and prevent than external attacks. And according to Verizon, internal actors are responsible for &lt;a href="https://www.googleadservices.com/pagead/aclk?sa=L&amp;amp;ai=DChcSEwjCn7yCz8aBAxXJF7MAHV3eA4wYABABGgJ5bQ&amp;amp;gclid=EAIaIQobChMIwp-8gs_GgQMVyRezAB1d3gOMEAAYAiAAEgJb0vD_BwE&amp;amp;ohost=www.google.com&amp;amp;cid=CAASJeRoWQiL_Y4B5ihr-0YZHjcOVkyBeg9FFf7zThneFj5r78nlRU8&amp;amp;sig=AOD64_0RDzI0v0oSHmZREjV1dxKqkXEIJA&amp;amp;q&amp;amp;adurl&amp;amp;ved=2ahUKEwj-h7SCz8aBAxUpjYkEHZHNCvYQ0Qx6BAgHEAE&amp;amp;nis=8" rel="noopener" target="_blank"&gt;19% of all data breaches&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This makes implementing zero trust capabilities essential to reducing the attack surfaces available to these cybercriminals. Although the magnitude of this threat isn’t as substantial as others, such as phishing, it can still carry a hefty price tag. Recent research shows that the average cost of a data breach is &lt;a href="https://www.ibm.com/reports/data-breach?utm_content=SRCWW&amp;amp;p1=Search&amp;amp;p4=43700075239448391&amp;amp;p5=p&amp;amp;gclid=Cj0KCQjwrMKmBhCJARIsAHuEAPRzyorq7wkU1NsXAjs0tX_cGuYIKtNTMF5P6c0SckdU4spbrkZWiWUaAlp5EALw_wcB&amp;amp;gclsrc=aw.ds" rel="noopener" target="_blank"&gt;$4.45 million&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Malicious software&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Apps can contain malicious software that can harm connected devices and your network. And these&amp;nbsp;threats have increased in recent years:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;According to the 2023 State of Malware Report from Malwarebytes, &lt;a href="https://www.malwarebytes.com/blog/business/2023/04/top-5-cyberthreats-facing-msps-and-vars-in-2023" rel="noopener" target="_blank"&gt;71% of companies&lt;/a&gt; worldwide were affected by ransomware.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;By the end of November 2022, &lt;a href="https://www.cvedetails.com/browse-by-date.php" rel="noopener" target="_blank"&gt;over 22,500 new vulnerabilities&lt;/a&gt; had been added to the worldwide CVE database, already 10% more than in &lt;em&gt;all&lt;/em&gt; of 2021.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;The &lt;a href="https://www.unodc.org/unodc/en/cybercrime/global-programme-cybercrime.html" rel="noopener" target="_blank"&gt;United Nations Office on Drugs and Crime (UNODC)&lt;/a&gt; reported that more than 3.2 million cyberattacks were reported to law enforcement officials in 2022, with more than 1.13 million of them involving malicious software.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;On top of malicious software, apps can provide unauthorized access to your system, allowing attackers to gain access and exploit your data. Think of this as malware targeting your systems, not your users. The potential risk of malicious insiders magnifies this threat. Malicious apps are also able to monitor or inject traffic, leading to a loss of privacy, disruption of services&amp;nbsp;or attacks on weak targets.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Banning certain apps, whether leaky apps or deliberately malicious ones, can help reduce the likelihood of exploits. Otherwise, bad actors can target other endpoints on trusted networks behind a corporate firewall.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Leaky app issues&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Leaky apps can result in user data, such as phone numbers and email addresses, being leaked to third-party servers. In one example, a security researcher discovered that TikTok was leaking user data without the user's consent, and a report from the Washington Post found that &lt;a href="https://www.washingtonpost.com/technology/2023/03/10/tiktok-data-whistleblower-congress-investigators/#:~:text=In%20an%20exclusive%20interview%20with,parent%20company%20ByteDance%2C%20even%20as" rel="noopener" target="_blank"&gt;TikTok was sending user data to Chinese servers&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;To prevent this, banning leaky apps can ensure that only trusted apps are allowed to access user data. Unfortunately, many commercial apps (especially those that are “free” or ad-supported) don’t always make it clear what data they collect and whom they share it with.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Another potential cost of leaky apps? The regulators behind mandates like the &lt;a href="https://gdpr-info.eu" rel="noopener" target="_blank"&gt;GDPR&lt;/a&gt; and &lt;a href="https://oag.ca.gov/privacy/ccpa" rel="noopener" target="_blank"&gt;CCPA&lt;/a&gt; aren’t going to be forgiving of a company that was negligent in defending against data breaches. The fact that bad external actors may be involved is no excuse for not taking measures to prevent leaky apps and malware from invading a network.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Siloing and data exfiltration hazards&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Using unauthorized applications can lead to the formation of silos when everyone isn’t working with the same app, resulting&amp;nbsp;in decreased efficiency and productivity for the entire organization.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Not only can unapproved downloads create a security risk, but cloud-based SaaS applications can also open the door to unintentional and intentional data exfiltration, as well as data loss if files are misplaced or forgotten. In some cases, employees may even use non-SaaS desktop or laptop applications that haven’t been updated in years because they’re more comfortable with them. But they often still pose risks.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;If cybersecurity teams can't see unsanctioned “shadow IT” apps, they can’t take app security measures to assess risk and monitor usage. This lack of visibility&amp;nbsp;leaves&amp;nbsp;the organization vulnerable.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Solving app security issues&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;There are fairly straightforward ways to solve the problem of monitoring and, if necessary, banning apps. These involve educating your organization about the risks to forge a “culture of app security” and using software tools to control the apps that are installed on networked devices and that are accessed from the cloud.&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;You should start by explaining the risks involved to employees and leadership. Educating everyone on zero trust principles and good cyberhygiene should be an ongoing, ever-evolving process that makes them aware of the dangers posed by leaky apps and unsanctioned downloads. In educating them on how to recognize and report possible security threats, you can also make them aware of the &lt;a href="https://www.ivanti.com/blog/user-education-cybersecurity-yes-worth"&gt;benefits their diligence brings for everyone&lt;/a&gt;.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;To control device-based apps, &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Mobile Threat Defense (MTD)&lt;/a&gt; software is used. This is often coupled with endpoint management software to monitor apps as they are installed (or that are already in use) and detect any risks; when a risk is found, access to the app is blocked.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.ivanti.com/use-cases/cloud-access-security"&gt;Security Service Edge (SSE)&lt;/a&gt; software regulates the use of cloud-based applications. It can assess risk levels for SaaS apps, allowing security teams to allow or disallow software based on that assessment. Plus, SSE software can conditionally monitor data transiting SaaS apps to ensure sensitive information isn’t stored in the cloud while still allowing the app to be used.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Learn more about the threats posed by unmonitored and unsecured &lt;a href="https://www.ivanti.com/blog/mobile-devices-are-ubiquitous-and-so-are-cyberattacks"&gt;mobile devices&lt;/a&gt;, the need for &lt;a href="https://www.ivanti.com/blog/applying-strong-cyber-hygiene-security-to-iot-endpoints"&gt;cyberhygiene for Internet of Things (IoT) devices&lt;/a&gt;, and the impact of &lt;a href="https://www.ivanti.com/blog/the-landscape-of-zero-trust-adoption"&gt;zero trust adoption&lt;/a&gt; on organizations that have taken that step to protect themselves from the threats, leaky apps or otherwise, that every enterprise is facing.&amp;nbsp;&lt;/p&gt;
</description><pubDate>Fri, 29 Sep 2023 15:00:02 Z</pubDate></item></channel></rss>