Mitigation vs Remediation

3 min readNov 24, 2020

In the world of risk there are only 4 ways to address identified risks. Accept them. Mitigate them. Remediate them. Heed them.

Accept is simply that. You accept that there is a risk and you will suffer the consequences.

Heed is equal simple. The risk is too high so you don’t take the action or build the product that causes the risk.

Mitigation and Remediation are the dice throws.

Mitigation means that you see the risk and are going to put controls and systems in place to minimize its impact. Those controls/systems can be policies and procedures, monitors, insurance, penalties etc. Mitigation is not about addressing the risk. It is about addressing the impact of the risk. Minimize the impact and the risk is not as significant. But this assumes that the controls and systems put in place work. This will require regular maintenance and upkeep as well testing to assure all is working appropriately.

And for the record, it never does. Mitigating a risk actually creates other risks. And if the mitigation is not done correctly or completely, the mitigation actions compounds the original risk.

Uniquely most of the cyber security/information security industry is anchored to the world of risk mitigation. And as such when it fails, i.e. a misconfigured alert, unpatched system or human error, the risk being mitigated is exponentially increased. Concepts like zero-trust are the extreme end of mitigation because it is intended to question everything and all credentials in a live environment.

Too much of society and business address risk through mitigation rather than the other option; Remediation.

Remediation is the act of remedying something. It means to actually fix the item that is causing the risk or problem.

Not all risks can be fixed because every action and lack of action incurs some risk. But when the risk you are taking potentially causes issues to others beyond yourself and those who are fully aware of the risk…. Well that is where we have problems.

So how do we remediate risk? We don’t look at actions in a bubble. We look at consequences of each item. We use a fresh set of eyes to evaluate and suggest answers.

Industry calls it SecDev, or at least in they do in the tech world. SecDev is supposed to be the inclusion of security in the development process to view each item with an eye toward how can…

Mitigation vs Remediation

Written by E.J. Hilbert

More from E.J. Hilbert

Advice From a Mom on School Drop-off (NSFW)

My wife got this from a friend of her’s on FB and I had to share. Some parts are “raw” but if you have ever driven the “school run” this…

Honest Ads? The Act that’s Not Enough!

Senators Klobuchar, McCain and Warner recently got together and proposed a law that is intended to regulate political ads on Facebook and…

UC Data Breach- What Do I Do Now?

Recommendations for those affected by the data breach

Today, I Am A Hacker.

I have breached your system; I have stolen your customer and employee data, your financial account information and your intellectual…

Recommended from Medium

5 Reasons Why People Fail To Land Their First Cybersecurity Job

Avoid these mistakes when searching for that first cybersecurity job

The ChatGPT Hype Is Over — Now Watch How Google Will Kill ChatGPT.

It never happens instantly. The business game is longer than you know.

Lists

Natural Language Processing

Building a Secure Cybersecurity Research Lab: A Journey of Isolation and Exploration

Introduction

10 Seconds That Ended My 20 Year Marriage

It’s August in Northern Virginia, hot and humid. I still haven’t showered from my morning trail run. I’m wearing my stay-at-home mom…

TOOLS FOR CYBER THREAT HUNTING (PART - I)

Cyber Threat Hunting

How did I get 3300$ With Just FFUF!!

By searching inside one of the Bitcoin platforms I found there a place to document accounts by sending documents such as ID or passport…