THE KEY TO RISK PRIORITIZATION IS RISK ASSESSMENT
- Defining asset criticality comes down to the commercial consequences of exposing that asset, and how that translates into a loss for the business.
- A low-risk vulnerability can have a big impact if it results in a breach, just as exposure of a low-value asset can have business impacts far greater than the value of the asset itself.
“Security departments often scan everything except the most critical things because they’re afraid they might break something. My argument is if you don’t break it then someone else will.”
“If you don’t know specifically where the risks are or how they impact the business, then you’re going to have considerable issues in mitigating any of that risk,” says Surinder Lall, senior director of information security at Viacom. “If you don’t know where it’s coming from, how you’re going to address it, and what platforms you need to put in place, you could be randomly performing vulnerability scans on your IT infrastructure for hours on end and running generalized reports but not really getting anywhere.” This is especially challenging in the media space, where technology and new ways of monetizing content are always necessitating innovative security strategies.