First off, I’m thrilled the original post hit a nerve—the good kind, mostly. But it seems some folks thought I was saying we should throw risk assessments out the window and just YOLO our way through cybersecurity. That was not the point.
So let me clarify: Risk assessments are absolutely a core part of any real security program. If you don’t understand your environment, your assets, your exposure, and what could go wrong, then you’re not doing security—you’re just playing whack-a-mole with firewalls.
But here’s where things go off the rails: somewhere along the way, risk management became synonymous with security. And even worse, we decided that accepting risk was just as valid as mitigating it.
Security vs. Risk Management: Two Different Jobs
Let’s break it down:
- Risk Management is about understanding, evaluating, and prioritizing risk. It’s essential for making informed decisions. Think of it like an insurance underwriter—calculate the odds, assign a value, and document the risk.
- Security is about stopping bad things from happening. It’s technical. It’s operational. It’s messy. It’s hands-on. And it has one goal: reduce the likelihood and impact of a successful attack.
If your security team is acting like a bunch of underwriters instead of defenders, you’re gonna have a bad time.
The Risk Acceptance Trap
Accepting risk is not inherently wrong—but it should be the exception, not the plan. It should be reserved for cases where:
- There is no feasible technical mitigation.
- The exposure is limited and monitored.
- Leadership has made an informed, time-bound decision.
And let me be blunt here: risk acceptance should never happen without the CISO’s strong objection being documented, discussed, and understood. If security leaders are just rubber-stamping business decisions to accept risk, then we’ve traded our role as protectors for the role of note-takers. That’s not why we’re here.
The CISO’s job is to say, loudly and clearly, “This is a bad idea.” And if the business still chooses to accept the risk? Fine. But everyone should walk away from that meeting knowing full well that the defender of the realm raised the red flag.
Far too often, risk acceptance becomes the default:
- “We don’t have budget for that.” Accept the risk.
- “It’s been like that for years.” Accept the risk.
- “The vendor said it’s fine.” Accept the risk.
At that point, you’re not managing risk—you’re just giving up and filing paperwork to make it look intentional.
What Security Actually Is
Let’s get back to basics. Security is:
- Hygiene: Patching, hardening configs, removing legacy crap, and eliminating known weaknesses.
- Preventative Controls: Least privilege, segmentation, MFA, EDR, and all the other stuff that makes it harder for attackers to succeed.
- Detection and Response: Assume breach, monitor everything, and respond quickly when something goes sideways.
Notice what’s not in that list? Writing down the problem and moving on.
And yes, before anyone lights up the comments again—risk quantification has its place. We absolutely need to understand potential impact and likelihood so we can prioritize wisely, especially when we’re fighting for resources. But let’s not confuse calculating the odds with actually reducing them. Security isn’t just an actuarial exercise—it’s a contact sport.
Risk Assessments Should Drive Action
A good risk assessment isn’t an end-state. It’s a call to arms. It should say:
- Here’s what’s broken.
- Here’s how bad it is.
- Here’s how we’re fixing it.
And if we can’t fix it, we document it while actively trying to eliminate or reduce it.
Security is a fight. It’s a grind. It’s never-ending. But it’s not an actuarial exercise. If the output of your security team is a risk register with a long list of “accepted” items and very few actual changes to your attack surface, you’re not defending—you’re deferring.
The Bottom Line
Yes, assess your risks. No, don’t accept them by default. Security is about changing the outcome, not predicting it.
So let’s stop acting like underwriters and start acting like defenders. Let’s use risk assessments as fuel for action, not an excuse for inaction.
Now, back to work. That patch isn’t going to deploy itself.