A big problem in the computer security world is that practitioners aren’t skeptical enough, don’t question statements from purported authorities, and often don’t ask the right questions. It’s a theme I see over and over, and it leads defenders to enact the wrong computer security defenses or to worry about the wrong metrics.
Many defenders are asked to come up with hundreds of controls and metrics that are supposed to accurately define the security risk of their environment. A handful of controls, like those around social engineering and patch management, will quantify the vast majority of computer security risk in most environments. Even then, for those controls, most defenders get it wrong.
For example, defenders often think that they need to do 100 percent patching on all computers, especially concerning the Windows operating system, to be secure.