In my last blog, I discussed the importance of Vulnerability Risk Management. Security professionals know that for an IT security organization to protect a company against today's threats, processes, tools, procedures and enablers must be implemented to create a holistic strategy. The idea of a multidimensional program with a continuous cycle that flows from prevention to detection to response, with a feedback loop to ensure that threats are proactively managed, is the dream of all CISOs. To wield the power of a proactive and responsive organization, CISOs must balance investment across many different needs. While no organization can prevent every threat or patch every vulnerability, the goal should be to identify and prevent as much as possible, effectively detect and respond to active threats, learn from events and incidents, and improve going forward. That is why Vulnerability Risk Management is a key part of a security management strategy. But when you look at this problem, it can seem almost inconceivable that a large infrastructure, one that keeps expanding and expanding, can be put in check. So an important thing to keep in mind is: do not boil the ocean.