Security Is Not a Checklist – A Deeper Dive

May 15, 2025

Brandon Salem

In information security, a recurring theme has re-emerged: security is not a checklist. Traditionally a concept confined to security practitioners, it is now also being communicated to business leaders and everyday users alike. This principle emphasises that protecting a digital estate requires far more than simply ticking items off a list.

In this article, we explore the concept by examining both physical and digital scenarios, illustrating how flexibility, adaptability, and contextual awareness are essential to effective security.

A Physical Scenario

Imagine a security team assigned to safeguard an asset, at the request of a regular client. The team leader immediately consults a standardised checklist. The team organises a convoy, assigns personnel, and equips itself with an array of weaponry and specialised gear. The checklist is followed to the letter, with air support arranged and local authorities coordinated until every action item is complete.

However, during the same period the team is tasked with an additional protection mission. When the leader attempts to rely on the same checklist for the second mission, a critical problem emerges: the team’s resources—personnel, equipment, and funding—are already depleted. As a result, only minimal protection can be provided for this new assignment.

A closer look at the context reveals stark differences between the two missions:

  • Mission A: The individual under protection was actually an associate of the regular client, requiring minimal security for a low-risk event at a local venue.
  • Mission B: The individual was a VIP travelling through hostile territory under multiple known threats.

Although the standard measures were applied in both cases, the one-size-fits-all approach failed when circumstances varied, ultimately leaving the VIP exposed to heightened risk.

A Digital Scenario

Now consider a digital counterpart. An organisation chooses to implement CIS Critical Security Controls across its digital estate. Following the recommended guidelines, the organisation begins deploying controls over its known assets and environments. After a prolonged and resource-intensive rollout—and with the ongoing administrative burden of maintaining the initial controls—the IT budget is completely exhausted for the year.

Meanwhile, unbeknownst to both the security team and business leaders, the R&D department independently adopts a new cloud service for file storage and sharing. This low-cost service bypasses the standard approval process and thus remains unnoticed throughout the rest of the organisation. Even more worrisome, critical intellectual property—a cornerstone of the organisation’s business model—is stored on this unvetted platform.

Adding to the complexity, this cloud service is known to face active threats—unlike many of the assets now protected by the recently implemented controls. When the security team eventually uncovers the service and assesses the risk, they decide to apply the same controls used for other systems. However, they soon realise that these controls cannot be consistently or efficiently implemented in the cloud environment.

Consequently, additional mitigation measures become necessary, further straining limited resources and/or delaying effective resolution. Ultimately, the organisation’s most critical digital asset remains vulnerable in the meantime.

The Missing Elements

Security frameworks and standards are undeniably valuable for organisations and businesses, and especially for their security teams. Yet they are often misapplied as blanket solutions, either through a lack of contextual guidance or a misunderstanding of their intended purpose. In both our fictitious scenarios and in practice, four key factors are often overlooked when applying security measures.

Criticality: Understanding the True Value of Assets

Not every asset carries the same level of importance or risk. In the physical scenario, the VIP in Mission B required significantly stronger protection compared to the associate in Mission A, yet both were treated identically, needlessly depleting resources. Similarly, in information security, applying identical security controls across all systems without assessing their individual significance can lead to misaligned protection. For example, storing critical intellectual property on an inadequately secured cloud platform poses a far greater risk than safeguarding standard public-facing data. Failing to prioritise high-value assets results in overstretched security efforts and can inadvertently leave these assets vulnerable.

Threats: Identifying and Adapting to Evolving Risks

Threats represent the avenues through which an asset can be compromised—whether in the physical or digital realm. In Mission B, the failure stemmed from an inadequate assessment of the environment surrounding the VIP, where high-risk conditions demanded much stronger security measures. In the digital scenario, the organisation had failed to recognise the threats posed by shadow IT—when employees independently adopt unapproved cloud services. This lack of visibility left a critical asset exposed, undermining the overall security posture.

Vulnerabilities: Recognising Weaknesses Beyond Checklists

A vulnerability is any weakness that a threat can exploit, whether technological, procedural, environmental, or human. Checklists provide a crucial starting point for security guidance; however, they rarely capture evolving or situational weaknesses. In both scenarios, although vulnerabilities were not explicitly highlighted, they were inherent in the failure to consider the full spectrum of criticality, threats, and resource constraints. This oversight became a vulnerability in itself, increasing risk to the protected assets.

Resources: Balancing Security Efforts with Practical Constraints

Security efforts are inherently limited by available resources—whether personnel, finances, technology or otherwise. In the physical scenario, applying the same level of protection to two vastly different missions resulted in premature resource depletion, leaving the VIP inadequately protected. Similarly, in the digital example, resource exhaustion led to a failure to secure the newly adopted cloud service effectively. A balanced allocation of resources is essential to ensure that security measures are both effective and adaptable to varying situations.
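To make the four factors concrete, here is a small Python model of the digital scenario. It is an added illustration, not code from the article or from CIS; the asset names, the 1 to 5 scores for criticality, threat and vulnerability, the control costs and the budget are all constructed assumptions. A checklist rollout applies controls in inventory order until the budget runs out, so the later-discovered R&D cloud service ("rd-cloud-share" below) gets nothing; a risk-based rollout ranks every known asset by risk per unit of cost and covers the cloud service first, leaving far less residual risk for the same budget.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int    # 1 (low value) .. 5 (business-critical)
    threat: int         # 1 (no known threats) .. 5 (actively targeted)
    vulnerability: int  # 1 (well hardened) .. 5 (no controls at all)
    control_cost: int   # cost of applying the control set, in budget units

    @property
    def risk(self) -> int:
        # Simple multiplicative risk score: a high rating in any one factor
        # matters less than high ratings in all three together.
        return self.criticality * self.threat * self.vulnerability


# Constructed sample inventory (hypothetical assets and scores). The entry
# "rd-cloud-share" stands in for the article's shadow-IT file-sharing service:
# it is absent from the initial inventory, so a checklist rollout never sees it.
INVENTORY = [
    Asset("marketing-site", criticality=2, threat=2, vulnerability=3, control_cost=20),
    Asset("hr-portal", criticality=3, threat=2, vulnerability=3, control_cost=30),
    Asset("build-servers", criticality=3, threat=3, vulnerability=3, control_cost=30),
    Asset("file-server", criticality=3, threat=2, vulnerability=2, control_cost=20),
]
DISCOVERED = [
    Asset("rd-cloud-share", criticality=5, threat=5, vulnerability=5, control_cost=40),
]
BUDGET = 100  # assumed annual budget in the same units as control_cost


def checklist_rollout(assets, budget):
    """Apply controls in inventory order until the budget is exhausted."""
    protected = []
    for a in assets:
        if a.control_cost <= budget:
            budget -= a.control_cost
            protected.append(a.name)
    return protected


def risk_based_rollout(assets, budget):
    """Apply controls to the assets with the highest risk per unit of cost first."""
    protected = []
    ranked = sorted(assets, key=lambda a: a.risk / a.control_cost, reverse=True)
    for a in ranked:
        if a.control_cost <= budget:
            budget -= a.control_cost
            protected.append(a.name)
    return protected


def residual_risk(assets, protected):
    """Sum of risk scores for assets that received no controls."""
    return sum(a.risk for a in assets if a.name not in protected)


def checklist_scenario():
    """Budget is spent on the known inventory; the cloud service is found afterwards."""
    protected = checklist_rollout(INVENTORY, BUDGET)
    return residual_risk(INVENTORY + DISCOVERED, protected)


def risk_based_scenario():
    """All known assets, including the discovered service, are ranked before spending."""
    protected = risk_based_rollout(INVENTORY + DISCOVERED, BUDGET)
    return residual_risk(INVENTORY + DISCOVERED, protected)


if __name__ == "__main__":
    print("checklist order residual risk :", checklist_scenario())
    print("risk-based order residual risk:", risk_based_scenario())
```

The ranking key (risk divided by cost) is the usual greedy heuristic for spending a fixed budget; ranking by raw risk alone gives the same outcome here but can waste budget on a single expensive asset when several cheaper ones carry more combined risk. The point of the model is the comparison, not the particular numbers: the checklist run spends the whole budget on lower-risk assets and leaves the highest-risk one untouched, while the risk-based run covers it first.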

Conclusion

By carefully weighing criticality, threats, vulnerabilities, and resource constraints, we arrive at a fundamental principle of information security: prioritisation. In today’s rapidly evolving digital landscape, achieving the right balance is crucial.

A context-aware security posture not only ensures that frameworks and standards are applied effectively but also minimises risks by avoiding the pitfalls of a one-size-fits-all approach. Moreover, by adopting these factors within a risk-based strategy, organisations can expand their security posture beyond the limitations of any current standard or framework. As new risks emerge, it is imperative for organisations to remain agile and proactive, continuously adapting and refining their security measures well beyond conventional guidelines.