Mitigation vs Remediation

E.J. Hilbert
3 min readNov 24, 2020

In the world of risk there are only 4 ways to address identified risks. Accept them. Mitigate them. Remediate them. Heed them.

Accept is simply that. You accept that there is a risk and you will suffer the consequences.

Heed is equal simple. The risk is too high so you don’t take the action or build the product that causes the risk.

Mitigation and Remediation are the dice throws.

Mitigation means that you see the risk and are going to put controls and systems in place to minimize its impact. Those controls/systems can be policies and procedures, monitors, insurance, penalties etc. Mitigation is not about addressing the risk. It is about addressing the impact of the risk. Minimize the impact and the risk is not as significant. But this assumes that the controls and systems put in place work. This will require regular maintenance and upkeep as well testing to assure all is working appropriately.

And for the record, it never does. Mitigating a risk actually creates other risks. And if the mitigation is not done correctly or completely, the mitigation actions compounds the original risk.

Uniquely most of the cyber security/information security industry is anchored to the world of risk mitigation. And as such when it fails, i.e. a misconfigured alert, unpatched system or human error, the risk being mitigated is exponentially increased. Concepts like zero-trust are the extreme end of mitigation because it is intended to question everything and all credentials in a live environment.

Too much of society and business address risk through mitigation rather than the other option; Remediation.

Remediation is the act of remedying something. It means to actually fix the item that is causing the risk or problem.

Not all risks can be fixed because every action and lack of action incurs some risk. But when the risk you are taking potentially causes issues to others beyond yourself and those who are fully aware of the risk…. Well that is where we have problems.

So how do we remediate risk? We don’t look at actions in a bubble. We look at consequences of each item. We use a fresh set of eyes to evaluate and suggest answers.

Industry calls it SecDev, or at least in they do in the tech world. SecDev is supposed to be the inclusion of security in the development process to view each item with an eye toward how can…

--

--

E.J. Hilbert

Work in the CyberSecurity and Privacy Arena worldwide, Owner of KCECyber, Ex-FBI. All opinions posted are my own !!!