Detective strategies such as and analysis should be prioritized on those key assets where important, valuable information is living. Protective controls -- encryption, configuration controls, etc. -- should be analyzed and adjusted based on business criticality.

In the example regarding the 30,000 files outlined above, when the technology company found the files, the remediation was based on the business need. Some files were deleted; some were encrypted. Some files were products of business processes that needed more engagement by the security team to adjust the business process to better protect the data.

In the end, business risk management strives to adjust behavior to reduce the impact of threats to business strategies and objectives. In IT security, risk management is the fundamental goal. We understand many of the threats already -- , criminal elements, , etc. The methods that threat actors utilize continue to evolve and it is an endless battle between security teams and the bad guys. Any analogy will do at this point -- fencing (protect the point areas), chess (protect the king), tiddlywinks ... OK, maybe not every analogy.

My point is that security functions need a risk-based, agile, contextual approach that is core to risk management. IT security is evolving toward risk management-based methods. IT security can be risk-based to know what needs to be done and where; agile to react and adjust based on incoming information; and contextual to not get lost in the ones and zeros and know what security means to the business.

Fundamental risk management approaches are more important now to IT security than ever before. Without a sense of asset acuity and risk-based adjustment of controls, companies will tire of chasing threats around the enterprise and leave themselves open for the "kill shot" that will eventually come.