During a recent round of phone interviews while expanding my team at work, I was amazed at how many security professionals have a hard time clearly answering the following question:
“What’s the difference between a threat, a vulnerability and a risk?”
I think being able to do so is a key to being a good security professional. I really like to use this analogy to try to help explain these three concepts clearly:
Understanding and applying these three terms is the first step to being able to do great risk analysis and is the only way to effect change in most organizations. The next step is writing risk statements.
But remember, doing this exercise is as much for you as it is for whoever you are trying to secure. It wouldn’t make much sense to use your limited cycles to protect yourself against bears in Dallas, Texas, would it?