Many security vendors publish “top 10” or “top 5” lists of terrible things that can happen to you as a pretext for then telling you how their products or services help you avoid such a fate. It’s classic marketing – and actually a well-known debate strategy – define the problem for your prospect and then describe how you alone can solve it. While perhaps an effective marketing hook, it’s a bit disingenuous. A top 5 list implies a value calculation has been made – but usually, they are just statements of fact that support buying that vendor’s wares. From now on, think of those lists as simply features of the seller’s offering.
Now at Redspin, we’re not as pure as driven snow, but we are grounded in objectivity. We have no products or services to sell or up-sell. We view IT security assessments as a series of true or false conditions. When we find vulnerabilities, we list them in risk-adjusted order depending on the criticality of the data or systems that may be impacted and the likelihood that such a breach may occur. Our “Top 5” therefore is truly in context, relative to your specific environment.