New Year, New Priorities - So, what to fix first?

The most common phrase we hear from our prospects is, “We are overwhelmed, and we aren’t sure what to tackle first.” It’s a tale as old as time when you work in security. Ultimately, everything is reported to the defensive team and executives as critical issues, and everything that’s reported must be prioritized. But when everything is a priority, nothing is a priority, which leaves teams feeling overwhelmed, underperforming, and dreading the work. The fix to this is simple, but the recognition of the issue is not. Why? Mainly because you, or more likely the vendors you hired, confuse theoretical severity on a spreadsheet or vulnerability scanner with what actually constitutes a critical risk for your organization in the real world.  As we enter 2026, which is likely to be another year of increased cyber and non-traditional crime, let's discuss how we tackle this so you can prioritize what's important.

First, let's talk context. Context is by far the most important element in understanding risk. Why? The true danger of vulnerabilities only becomes clear when you account for how likely they are to be exploited, what your mitigating controls are, and how deeply the affected assets are connected to the rest of the environment. There is a reason we at EC often emphasize mitigating factors when discussing a particular vulnerability: they are critical to understanding the context and, therefore, the risk. The truth is, though, this is quite difficult to conceptualize, mainly because cyber is non-corporeal; psychologically we don’t associate the risks in the same way we do in the physical world. Let's look at it another way. It's safe to assume most of us lock our doors before we go to bed at night, not because we live in unsafe neighborhoods, but because it’s a “what if” and we don’t want to make it easy for someone to just enter.  The truth: locking the door is just a mitigating factor. Why? Because we have windows, which are easily breakable and usually large enough for an intruder to get through. Now think about having that offensive security vendor you hired last year run their “pentest” on your house. They would likely point out that your windows are a critical security risk and subsequently advise you to seal them or install “compliance”-spaced metal bars. You might find this advice silly, because you know your mitigating factors: you live on the third floor or near a police station, your alarm system would trigger, or the sound of glass breaking would give you enough time to enact an action plan. The point is that there are many other factors that typically give us the peace of mind to accept the risk of only locking the doors. Cyber is no different. Sometimes its acceptable to push off patching the Eternal Blue host on the network, not because it's not a risk, but because it doesn’t exist in the domain, there is no network login capability, and it's only connected to a CNC router that a guy named “Dale” uses for his personal projects, even though it’s a work system. You don’t have to prioritize that “critical” vulnerability, because context dictates it poses a relatively low risk. When reviewing a vulnerability or penetration testing report and seeing the many critical findings the vendor identified, the first question asked should be about the context of the risk in your environment, how it impacts the integrity of your security, and how it leads to business impact. Ask the hard questions they should be able to answer as the offensive security experts. That’s their job after all.

Equally critical to prioritization is understanding the effectiveness of your mitigating factors and controls. Often, when we first evaluate a client, we find that the controls and tools in place are not operating at the level the trusted agent has communicated to us. Missed alerts, no alerts, no action, no boundaries, etc., etc. There are many reasons for these issues, but usually it comes down to the tools being sold as one-stop, no-setup products. If a product like that really existed, the world would see a decrease in crime, not an increase, and it would be the de facto go-to product across all environments. Ultimately, this means many tools are left in default configurations or are misconfigured for the environment in which they are installed. This isn’t to say you should prioritize configuration and pull away from other items; instead, it's to say that you shouldn’t trust a mitigating control just until you have confirmed its efficacy. Tools, controls, and processes should be tested to determine that they are working properly against the threats you would likely face. They are likely going to work at some level in default deployment mode, but not as well as they would if properly tuned for your environment. If you say you are safe from ransomware, but are running your EDR in its default deployment mode, which could be passive collection (we have seen it), you aren’t going to prevent it. Going back to the door example. Let's say the door is misaligned and the deadbolt doesn’t seem to fully seat. You are likely going to trust that control a bit less, right? At least until you re-seat the door so it's properly positioned or hire someone to fix it. The same should apply to cyber. You need to determine whether that door is installed correctly. You do that with good testing vendors who can help you properly configure and build trust in the tools and controls you use.

Once you have a solid understanding of your mitigating controls and are translating the hypothetical risk into a real-world context, you are cooking with fire. Honestly, that’s it. You will find it much easier to prioritize and implement fixes, controls, policies, and updates, and you will be far less reactive to everything. You will also be able to implement initiatives you have wanted to do for years.  It's that simple, yet still quite complex without practice. If you are unsure about the risk, don’t be afraid to ask someone who can break it down in a way that makes sense to you. As we like to say, it doesn’t cost a dime to have a conversation with us, so if you need that second opinion, we are always happy to help.

From our team to yours, Happy New Year, and we hope it's an uneventful year for you, at least security-wise.