This series explores five tips to build a sustainable, repeatable, and effective C+ security effort—one that can pass security audits and comply with regulations, while still maintaining a strong dose of practicality. Time to go from F to C+, baby!
Tip #2: Do not only consider security risk in your security effort
Many in security only evaluate situations from a purely security-risk-management perspective. They do security risk assessments, which can be quite complex or fairly simple, and then present reports to management that contain only security-risk-related data with a high, medium, or low score. Nothing about alignment to organizational core values as a prioritization criterion, or efficiency, or anything else. When you use this approach, which is what most do, the "high" security risks will always bubble to the top, and with no other prioritization criteria included, this will always lead to a recommendation that represents nothing but the A+ security approach: remediate all of those high security risks.
The C+ security professional understands this, and knows that the way to dilute your security effort is to include other criteria besides risk alone in the decision equation for whatever you are trying to accomplish. And by the way, if you are not sure what these extra criteria should be, no problem: simply ask the leadership at your organization what they consider an important business-focused prioritization criterion. This is the kind of thing they are experts in, and they will actually want to talk with you about it.