In my previous article, I raised a red flag about the diminishing practical returns of “mom and pop” threat research as a proxy for mitigating vulnerabilities and bad consequences. Threat assessment is often both difficult and incomplete, and sometimes best left to those who have timely access to the best possible data (and even then, to those with the military and intelligence means to act on it).

In that piece, I also begged an obvious question. If chasing threats is not the best allocation of an organization’s security resources, what is? Where should we be focused, and how can we best translate that attention into more effective—and efficient—cybersecurity?

Allow me to answer that with a brief portrait of a driven, iconoclastic, 20th-century American financial entrepreneur named William Francis Sutton, Jr. Beginning in the early 1930s, Sutton began his extremely successful and profitable 40-year career—as a bank robber. Not only did his particular skill set net him an estimated $2 million and earn him the nicknames “Slick Willie” and “Willie the Actor,” his most famous insight also left us with a truism that is now referred to as “Sutton’s Law.”

Upon arrest, the legend goes, Sutton was asked by a newspaper reporter why he robbed all those banks. Sutton replied, “Because that’s where the money is.”

Which is why Sutton’s quote is particularly relevant to cybersecurity today: Why do threat actors go after cyber assets? Because that’s where the consequences of significance are. From financial information and personal data to trade secrets, customer information and patterns, data has become the most consequential asset for many organizations, and the most valuable target for threat actors. Whether their motive is financial gain or malice, they are hoping for two things: easy access to what they are after and maximum impact for their efforts.

This aligns directly with the cybersecurity risk paradigm: a triangle comprising and illustrating three components of risk: Threat, Vulnerability and Consequence. We have already established that it is challenging for individual companies to accurately characterize threat, or to mitigate it successfully even when it has been characterized. That leaves Vulnerability and Consequence, the two components of cybersecurity risk that organizations have the most control over, and that they can most efficiently use to dramatically improve their level of protection.

Not necessarily in that order, though. Unfortunately, many organizations are not nearly focused enough on closing the known vulnerabilities that allow breaches. I won’t name names here; any news site on any day will give plenty of examples, and many CISOs breathe silent sighs of relief that it’s not their turn today. It is remarkable how much damage can be prevented with just fundamental, basic security hygiene, and most people would be stunned by how many of the data breaches we so often hear about come down to inattention to vulnerability management.

That said—and, for the sake of discussion, assuming basic hygiene protocols are indeed followed and signature-based blocking of known threats is employed—let’s apply Sutton’s quip of “that’s where the money is” to the most-overlooked aspect of cybersecurity risk: avoiding bad consequences. We need to identify the most destructive potential results of a realized threat or exploited vulnerability, and engineer out those consequences so they cannot happen, or so that the damage incurred is smaller if they do. Either approach is effective threat mitigation in its own right, because threat actors will quickly conclude that an attempt is too difficult, or that there would be little or no return on investment for their efforts even if they successfully penetrated a system.

Were he alive today, Willie would surely advise us: Don’t make it easy to get to the money, and don’t put the money all in one place. When we focus our attention on the things we can control—Vulnerabilities and Consequences—we create a dramatic increase in protection, and fully comply with Sutton’s Law.

Next time, we will use these principles to explore some fundamental best practices of cybersecurity—some obvious, some not and some controversial—that can greatly improve the security of any network.