Chapter 4: Mitigating Risk
Risk Mitigation vs. Risk Acceptance
When a risk is identified, business leaders, not the vCISO, must ultimately decide how to address it. The four primary risk treatment strategies are:
- Avoidance – Eliminate the source of risk entirely.
- Transfer – Shift responsibility to a third party.
- Acceptance – Prepare contingency plans for unavoidable risks.
- Mitigation – Reduce the likelihood or impact of the risk.
Risk Treatment Plans and Mitigation Strategies
A risk treatment plan outlines how an organization will manage each identified risk, bringing it within acceptable levels. For each risk, the business determines the best course of action using one of the four strategies.
| Strategy | Example |
|---|---|
| Avoiding Risk: Eliminating the cause of risk entirely. | If a legacy application poses security risks and can’t be updated, replacing it with a modern system eliminates the threat. |
| Transferring Risk: Shifting responsibility to an external party. | Businesses often transfer risk to MSPs/MSSPs through managed security services, or to cyber insurance providers who assume liability for security events under contractual agreements. |
| Accepting Risk: Planning for risks that cannot be prevented. | Natural disasters (earthquakes, floods, fires) cannot be avoided. Instead, businesses implement disaster recovery (DR) plans and alternative work arrangements to minimize operational disruption. |
| Mitigating Risk: Reducing the likelihood or impact of an event. | To defend against ransomware, organizations deploy endpoint detection and response (EDR) solutions, firewalls, and backups to minimize exposure and ensure quick recovery. |
How to Create a Risk Mitigation Plan
How to do it:
- Create action items: For each prioritized risk, define specific actions that need to be taken, who will be responsible, and the timeline for completion.
- Assign resources: Determine the budget, tools, and personnel needed to implement each mitigation strategy.
- Communicate the plan: Share the mitigation plan with key stakeholders to ensure everyone understands the risks and the actions being taken to address them.
Leveraging Security Controls to Reduce Risk
Security controls play a crucial role in risk mitigation. These include:
- Preventative Controls – firewalls, MFA, patch management
- Detective Controls – SIEM, intrusion detection systems
- Corrective Controls – incident response plans, automated remediation
- Compensating Controls – backups, air-gapped storage
By strategically implementing security controls, MSPs and MSSPs help clients lower risk exposure while optimizing security investments.
Incident Response Planning
For risks that cannot be fully avoided, transferred, or mitigated, a well-defined incident response plan (IRP) ensures organizations can quickly detect, contain, and recover from security incidents.