You can't prioritize risk effectively without accurate data about successful exploits in your environment. Start compiling that data now.
In an election year, particularly one in which we’re all bracing for a downturn, the 1992 Clinton campaign’s famous catchphrase “It's the economy, stupid!” can’t help but come to mind. Apply that same commonsense thinking to computer security and you get: “It's the data, stupid!”
We suffer from a dearth of data and quality analytics on how we’re exploited and compromised. We know most of the likely root causes: unpatched software, social engineering, eavesdropping, password cracking/guessing, data leaks, misconfiguration issues, denial of service, insider threats, zero days, and so on. But we lack good metrics on how often they occur inside our environment.
