# Risk Management
### What is the primary reason most companies haven’t fixed their vulnerabilities?
### What’s the goal of information security within an organization?
### If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be?
(Imagine you start on day one with no knowledge of the environment.)
- Where is the important data?
- Who interacts with it?
- What’s being logged and audited?
- Network diagrams.
- Visibility touch points (where traffic and activity can actually be observed).
- Ingress and egress filtering.
- Previous vulnerability assessments.
The key is whether the candidate can quickly prioritize, within a few seconds, the most important things to learn when dropped into an unknown environment.
### As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?
Vulnerabilities should usually be the main focus, since in the corporate world we have little control over the threats.
Threat vectors stay largely the same over time, while the vulnerabilities we fix are only the ones we already know about.
We should therefore apply defense-in-depth guided by threat modeling, in addition to keeping up with known vulnerabilities.