Mitigation vs Remediation

In the world of risk there are only 4 ways to address identified risks. Accept them. Mitigate them. Remediate them. Heed them.

Accept is simply that. You accept that there is a risk and you will suffer the consequences.

Heed is equal simple. The risk is too high so you don’t take the action or build the product that causes the risk.

Mitigation and Remediation are the dice throws.

Mitigation means that you see the risk and are going to put controls and systems in place to minimize its impact. Those controls/systems can be policies and procedures, monitors, insurance, penalties etc. Mitigation is not about addressing the risk. It is about addressing the impact of the risk. Minimize the impact and the risk is not as significant. But this assumes that the controls and systems put in place work. This will require regular maintenance and upkeep as well testing to assure all is working appropriately.

And for the record, it never does. Mitigating a risk actually creates other risks. And if the mitigation is not done correctly or completely, the mitigation actions compounds the original risk.

Uniquely most of the cyber security/information security industry is anchored to the world of risk mitigation. And as such when it fails, i.e. a misconfigured alert, unpatched system or human error, the risk being mitigated is exponentially increased. Concepts like zero-trust are the extreme end of mitigation because it is intended to question everything and…