A few years back, I knew a guy who had a mole on his forehead, which started to grow and change shape. As a survivor of melanoma, I know this is not a good thing.
Some friends and I urged him to go to the doctor to have it looked at, but he refused. “I don’t want to go to the doctor – it might be cancer.”
Sounds ridiculous, doesn’t it? But that argument is similar to what I hear from information security professionals all the time.
They don’t want to confirm the issues they already know they have (through vulnerability scans, pen tests, security assessments, configuration audits, etc.) because they know it will likely turn up a list of things they don’t want to deal with.
One of the big inhibitors is resource limitations – time, money, people, tools. I get it – we all have constraints. To me, this is why risk-based security is so important.
By integrating elements of risk ranking, business-oriented value mapping, and objective prioritization, you can stack-rank the problems you’d like to solve and apply your resources to the biggest or most impactful items first.
Another problem is the fact that you can’t “un-know” something once you know it, and you might have to report it to your boss, a regulator, your board, etc. Doesn’t this sound a lot like what the guy with the mole used to say?
Remember, just because you know about an issue doesn’t mean you have to do anything about it. The choice of how, when, and where to act is yours — but pretending a problem doesn’t exist doesn’t help anyone.