Security Concepts

Risk

Are we managing risk, or just managing findings?

Let's Start with the Basics: What Is a Finding, and What Is a Risk?

I see it all the time: dashboards and reports listing "open risks by severity," where every item is just a control gap. No scenario. No threat actor. No business impact. Just a missing control labeled as a "high risk." I myself was guilty of building out a version of one of these dashboards over a decade ago, before I took the time to educate myself on what risk truly is.

This kind of thinking isn't just inaccurate, it's expensive.

A finding is not a risk.

A finding is a control deficiency. It might increase vulnerability, but it's not a risk on its own. Risk is a scenario: a threat acting against an asset, resulting in loss. It's quantified by how often it might happen and how bad it could be. A missing control doesn't tell you that. It's just one very small piece of the puzzle.

==Severity doesn't equal risk.==

Just because a finding is labeled "critical" doesn't mean it represents material risk. Severity scores are often based on technical impact or compliance urgency, not business context. Without a credible threat and a meaningful asset at stake, a "high severity" finding might have zero real-world risk.

Here's an analogy because I love a good analogy 😊

Think about a swimming pool without a lifeguard. That's a finding. Is it a risk? It depends.

If the pool is locked, only accessible to trained staff, has surveillance cameras, and is rarely used, the absence of a lifeguard may not pose a meaningful risk. The likelihood of an incident is low, and the environment is already controlled.

Now imagine that same pool is part of an after-school care center. Suddenly, the context changes. The pool is accessible to children, used frequently, and the consequences of an incident are far more severe. The same missing control (no lifeguard) now contributes to a much higher risk scenario.

This is why context matters. Risk isn't about isolated gaps. It's about understanding the full picture: threat, asset, impact, and probability.

This matters because it drives up security spend.

When every finding is treated as a risk, organizations chase remediation for issues that may not materially affect loss exposure. Budgets balloon. Teams lose sight of what actually needs to be actively managed. Instead of strategic investment, we get reactive spending, driven by fear, not by data.

Risk isn't a red dot on a heat map. It's a story. And we need to tell it with context, not just control severity.
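To make the "same finding, different risk" point concrete, here is a small scenario model, added as an example and not code from the post or from hunto.ai. It assumes the decomposition the post describes in words (how often a loss might happen times how bad it could be), expressed as threat event frequency, probability the threat succeeds given current controls, and loss magnitude per event; the scenarios, severity labels and all numbers are constructed for illustration. Ranking the same list by severity label and by scenario-based loss exposure gives two different orders, which is exactly the gap between managing findings and managing risk.

```python
"""Same finding, different risk: a scenario-based loss exposure model.

Constructed example (not the blog's own code). Each Scenario ties a control
finding to a threat, an asset, and estimated frequency and magnitude, so the
finding's severity label can be compared with the scenario's loss exposure.
All figures are made-up illustrations, not measured data.
"""
from dataclasses import dataclass

# How a typical scanner or audit report orders findings.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str          # label assigned to the control gap, not a risk


@dataclass(frozen=True)
class Scenario:
    name: str
    finding: Finding
    asset: str
    threat: str
    threat_event_frequency: float   # expected threat contacts per year
    vulnerability: float            # P(loss event | threat event) with current controls
    loss_magnitude: float           # expected loss per loss event, in currency units

    def loss_event_frequency(self) -> float:
        """How often the threat actually produces a loss, per year."""
        return self.threat_event_frequency * self.vulnerability

    def annualized_loss(self) -> float:
        """How often it might happen times how bad it could be."""
        return self.loss_event_frequency() * self.loss_magnitude


# Constructed findings: the pool analogy plus two IT-flavoured gaps.
NO_LIFEGUARD = Finding("no lifeguard on duty", "high")
UNPATCHED = Finding("unpatched network service", "critical")
PARTIAL_MFA = Finding("MFA not enforced on all accounts", "medium")

# The same "no lifeguard" finding appears in two contexts with very
# different frequency and magnitude estimates (constructed numbers).
SCENARIOS = [
    Scenario("no lifeguard at staff-only pool", NO_LIFEGUARD,
             asset="locked, monitored, rarely used pool",
             threat="swimmer in distress",
             threat_event_frequency=1.0, vulnerability=0.01, loss_magnitude=50_000),
    Scenario("no lifeguard at after-school pool", NO_LIFEGUARD,
             asset="pool used daily by children",
             threat="swimmer in distress",
             threat_event_frequency=20.0, vulnerability=0.05, loss_magnitude=2_000_000),
    Scenario("unpatched service on isolated lab host", UNPATCHED,
             asset="air-gapped lab host with no sensitive data",
             threat="opportunistic exploitation",
             threat_event_frequency=0.5, vulnerability=0.2, loss_magnitude=10_000),
    Scenario("partial MFA on internet-facing portal", PARTIAL_MFA,
             asset="customer portal holding personal data",
             threat="credential stuffing",
             threat_event_frequency=50.0, vulnerability=0.02, loss_magnitude=300_000),
]


def rank_by_severity(scenarios: list[Scenario]) -> list[str]:
    """Order as a findings dashboard would: by the control gap's label."""
    ordered = sorted(scenarios, key=lambda s: -SEVERITY_RANK[s.finding.severity])
    return [s.name for s in ordered]


def rank_by_exposure(scenarios: list[Scenario]) -> list[str]:
    """Order as a risk register should: by scenario-based loss exposure."""
    ordered = sorted(scenarios, key=lambda s: -s.annualized_loss())
    return [s.name for s in ordered]


def exposure_table(scenarios: list[Scenario]) -> dict[str, float]:
    """Annualized loss per scenario, keyed by scenario name."""
    return {s.name: s.annualized_loss() for s in scenarios}


if __name__ == "__main__":
    print("By severity label:")
    for name in rank_by_severity(SCENARIOS):
        print(f"  {name}")
    print("By loss exposure:")
    for name, ale in sorted(exposure_table(SCENARIOS).items(), key=lambda kv: -kv[1]):
        print(f"  {name}: {ale:,.0f} per year")
```

The "critical" unpatched lab host tops the severity list but sits near the bottom of the exposure list, while the "medium" MFA gap on an internet-facing portal ranks second by exposure; the one finding shared by both pool scenarios lands at opposite ends of the exposure ranking purely because of asset and threat context.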


Read more on https://hunto.ai/blog/cyber-risk-quantification-crq/