This is a good point:
> Part of the problem is that we are constantly handed lists…list of required
> controls…list of things we are being asked to fix or improve…lists of new
> projects…lists of threats, and so on, that are not ranked for risks. For
> example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA,
> SOX, NIST, etc.) with hundreds of recommendations. They are all great
> recommendations, which if followed, will reduce risk in your environment.
>
> What they do not tell you is which of the recommended things will have the
> most impact on best reducing risk in your environment. They do not tell you
> that one, two or three of these things…among the hundreds that have been given
> to you, will reduce more risk than all the others…