ABSTRACT
Most of us have paid for or participated in hiring outside vendors or consultants to conduct risk assessments of our enterprise. They run their tools, conduct interviews, and produce a final deliverable that reads like scare-tactic propaganda with a list of remediation items (that they would gladly help you remediate for a nominal fee). The remediation items tend to be constructed out of some industry best-practice template and typically do not consider the technological constraints of your environment, the political climate needed to get the right momentum, and the budget needed to accomplish the recommended mitigation initiatives. Returning to a key point in chapter 1: Industry best practices may not always be practical for your environment. These security assessments can cost tens of thousands of dollars, tie up valuable resources, take up valuable time, and send you down the impractical path of addressing risks according to best practices as opposed to dealing with threats that can cripple your environment.
