Ranking your top security priorities keeps everyone focused on the real problems

I've always been a fan of the SANS Institute's Top 10 Vulnerabilities list, even after it morphed into a Top 20 Vulnerabilities list. It has encouraged other useful lists as well, such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the 20 Critical Security Controls. The OWASP Top 10 Web Application Security Vulnerabilities list is just as useful, and the fact that most of the items on it have barely changed since it was first published is very telling. Lists like these are great for building consensus about what the biggest problems are so that they can be addressed in a focused manner.

My question for you is: does your organization have a top 10 computer security problems list? If so, is the list known to all members of IT management, the computer security staff, programmers, and the infrastructure support folks? If you don't have a list, or if no one else knows about it, how can you be sure that your IT department is spending the right amount of resources on the right problems?

I constantly run across organizations that do not adequately address their high-risk problems; instead, they get sidetracked into solving mid-tier problems that are easier to crack. For example, an organization's biggest problem might be end-users installing Trojan horse malware. Meanwhile, the company pours money and manpower into stopping remote buffer overflows or chasing 100 percent patching compliance, even though those efforts resolve only a small percentage of the organization's overall computer security risk.

Building a top 10 computer security list for your organization starts with identifying and ranking threats based on the best metrics you have.
You should then get team and management approval for the items that make the final list. This forces everyone to affirm and focus on the biggest problems.

Once you've created your list, communicate it through the normal computer security education channels (e-mail, posters, newsletters, and so on) so that every relevant team is working on your top security issues from its own angle. For instance, suppose JavaScript exploits are the biggest problem. The workstation configuration team can focus on locking down the browser(s) to block malicious scripts. The programming/development team can focus on preventing XSS (cross-site scripting) flaws in its own code. Groups purchasing new software can be on the lookout for applications that rely on JavaScript and raise the concern with the prospective vendor. If you don't focus people on the big problems, they will remain fixated on the issues within their individual spheres of influence. A top 10 list helps everyone see the health of the forest while working in the weeds.

Tracking progress is also critical to success. Someone should own the metrics for each item on the list and deliver a progress report to the larger group each year. At that time, the group should review the list to determine whether any problems can be removed and whether any newly growing security issues should be added. If the metrics for a particular item grew worse, the team will need to devise a new plan of attack, perhaps built around the strategies that worked against problems already knocked off the list.

Once created, your top 10 computer security list will likely never go away; rather, items will move around or be replaced by other, more pressing issues.
But that is the point: the list gives the organization a means of focusing on the most important ways to reduce risk, and it draws a line in the sand to measure against each year.