Security experts are great at details and evaluation, but you can never delegate the question of priority. Beyond the basics (improving level), there’s not a lot of low-hanging fruit—mitigations aren’t free, and threats aren’t so dire that any given mitigation is obviously necessary. The question of what a mitigation costs and what shape of protection it brings becomes the main decision point.
Once you’ve done the fairly standard basics (solid access control and logging, encryption in flight and at rest, regular and traceable processes for deployments and operational changes, etc.), there are only tradeoffs that remain—generally things that take time/energy away from your actual mission, or worse, things that get in your way and slow you down as you pursue your mission. Many of these will be worthwhile for at least some of your data/operations. But many won’t be, or at least won’t be this year.