Someone sent me this quote in an attempt to convince me that we should focus on vulnerabilities and not threats… I don’t think they are mutually exclusive, but that’s neither here nor there…
Our data tells us that focusing on vulnerabilities is more effective in reducing risk than focusing on threats. In fact, of nine specific types of threats we examined in our survey, none proved to be statistically significantly related to increased risk, although many vulnerabilities were. The enterprise can do little at best to control threats, especially external ones, but it can do a lot to control vulnerabilities. Focusing on vulnerabilities reduces an enterprise’s tendency to react to what is apparently most urgent – such as the threat reported in yesterday’s newspaper – and helps the enterprise act instead to reduce vulnerabilities that might be exploited by any number of threats. No nation can control the level of the sea, but a nation can build dikes to reduce the vulnerabilities of its lands to high waters; no enterprise can control a sea of external hackers, but an enterprise can plug the holes in its network dike that hackers might otherwise exploit.
In short, vulnerabilities, not threats, are the root cause for high risk exposure, and it’s best to focus on the root cause.
– IT Risk: Turning Business Threats into Competitive Advantage by George Westerman, Richard Hunter, page 126
My response: If you live in the ghetto, what contributes to your high risk exposure: your lack of steel doors and bulletproof glass, or the shitty neighborhood you live in that is full of gangs, thugs, crack whores, and meth addicts?