Next, look at all the attack vectors and figure out which mitigations are most likely to work against the highest-ranking initial attacks, the ones your own data says are actually getting in. That ranked list is your defense plan, and it is the most efficient way to reduce your company's security risk.
The mitigations that should be applied first are not always the easiest ones, in technical or political terms. For instance, the No. 1 mitigation needed in many environments is removing elevated access from non-admin users, thus preventing them from accidentally installing Trojans. The companies that have not already done this usually tell me it's too politically difficult to accomplish in their environment, so they would rather start with simple mitigations -- the low-hanging fruit.
I usually ask if their senior management knows they are not addressing their biggest security risk and are leaving the company at a higher risk of compromise than is reasonable. I mean, what's the worst thing that could happen to you, your career, and your company? The worst-case scenario is a complete compromise of all privileged information, your company's security practices in the news headlines, and possibly lawsuits from regulators, shareholders, and customers. This is not a fantasy. It happens to a few companies every year.
If you end up in court, opposing counsel will ask whether you did everything a "reasonable person" exercising "due care" would have done in your position, or whether you ignored the highest-risk warnings and concentrated on lower-hanging fruit. Negligence cases are decided on exactly that question: what a reasonable person in a similar position would have done. Don't be the person who has to make excuses.
In reality, you may not be able to implement the best mitigation first. Politics is politics. Operations must go on. But make sure your recommendations to management are hedged in the right direction, placing the mitigations most likely to reduce the greatest amount of risk at the top of the list. Management can choose to ignore them, but you'll have acted like a reasonable person in your position.
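The ranking described above can be made explicit so that the recommendation handed to management is a number rather than an argument. The following is an added example, not code from the column or from InfoWorld: it scores each attack vector as likelihood times impact, lets each mitigation remove a fraction of the risk on the vectors it covers, and then builds the plan greedily, always picking the mitigation that removes the most of the risk that is still left. The attack vectors, mitigations, probabilities, impacts and effectiveness figures are all constructed for illustration; the point is the method, and that the "hard" mitigation (removing local admin rights) lands at the top of the list no matter how unattractive it is politically, while the easiest items land at the bottom.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackVector:
    name: str
    likelihood: float  # estimated probability of occurring per year (0..1), constructed
    impact: float      # estimated loss if it succeeds, arbitrary cost units, constructed

    @property
    def risk(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Mitigation:
    name: str
    effort: str                      # how hard it is to push through: "easy", "medium", "hard"
    effectiveness: dict[str, float]  # vector name -> fraction of that vector's risk removed


def residual_risk(vectors: list[AttackVector], applied: list[Mitigation]) -> float:
    """Total annualised risk left once the mitigations in `applied` are in place.
    Controls on the same vector are treated as independent layers, so a second
    control on an already-mitigated vector buys less than it would on its own."""
    total = 0.0
    for v in vectors:
        remaining = 1.0
        for m in applied:
            remaining *= 1.0 - m.effectiveness.get(v.name, 0.0)
        total += v.risk * remaining
    return total


def prioritize(vectors: list[AttackVector], mitigations: list[Mitigation]) -> list[tuple[str, str, float]]:
    """Greedy plan: at every step pick the mitigation that removes the most of the
    risk still remaining. Returns [(name, effort, risk_removed), ...] in the order
    the mitigations should be recommended to management."""
    applied: list[Mitigation] = []
    plan: list[tuple[str, str, float]] = []
    remaining = list(mitigations)
    while remaining:
        before = residual_risk(vectors, applied)
        best = max(remaining, key=lambda m: before - residual_risk(vectors, applied + [m]))
        gain = before - residual_risk(vectors, applied + [best])
        applied.append(best)
        remaining.remove(best)
        plan.append((best.name, best.effort, round(gain, 1)))
    return plan


def low_hanging_fruit_first(mitigations: list[Mitigation]) -> list[str]:
    """The ordering the column warns against: easiest mitigation first, risk ignored."""
    order = {"easy": 0, "medium": 1, "hard": 2}
    return [m.name for m in sorted(mitigations, key=lambda m: order[m.effort])]


# Constructed sample data: a small environment with four initial-access vectors
# and five candidate mitigations. Numbers are illustrative, not measured.
VECTORS = [
    AttackVector("user installs trojan", 0.6, 1000),
    AttackVector("phished credentials", 0.4, 500),
    AttackVector("unpatched internet-facing server", 0.2, 800),
    AttackVector("lost laptop", 0.3, 100),
]

MITIGATIONS = [
    Mitigation("full-disk encryption on laptops", "easy", {"lost laptop": 0.95}),
    Mitigation("security awareness training", "easy",
               {"user installs trojan": 0.2, "phished credentials": 0.3}),
    Mitigation("patch internet-facing servers within 7 days", "medium",
               {"unpatched internet-facing server": 0.7}),
    Mitigation("phishing-resistant MFA", "medium",
               {"phished credentials": 0.9, "user installs trojan": 0.1}),
    Mitigation("remove local admin from non-admin users", "hard",
               {"user installs trojan": 0.8}),
]

if __name__ == "__main__":
    print("low-hanging fruit order:", low_hanging_fruit_first(MITIGATIONS))
    print("risk-reduction order:")
    for name, effort, gain in prioritize(VECTORS, MITIGATIONS):
        print(f"  {gain:7.1f}  {effort:6}  {name}")
```

Two design choices matter here. First, the score is risk removed, not risk covered, so a cheap control that only touches a low-risk vector cannot outrank an expensive one that halves the biggest vector. Second, the plan is built step by step against residual risk rather than by sorting a static list, which keeps a second control on an already-mitigated vector (awareness training after admin rights are gone) from being overvalued. Swap in your own vectors and estimates; the same function gives you the ordering to put in front of management.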
Most important, don't let one of your secondary concerns distract you from accomplishing the most important task you need to accomplish.
This story, "Don't let company politics dictate your security priorities," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.