
Security is a constant balancing act. As security professionals, we understand a fundamental truth: not every risk will, or even can, be remediated. Some risks are constrained by technical limitations, others by business priorities, and some simply aren’t worth addressing given their real-world impact.
What is essential, however, is understanding the risks that exist in your environment and the potential impact of addressing or not addressing them. The role of security teams is to identify risks, analyze them in context, and provide clear, informed recommendations on what should be fixed, deferred, or accepted.
Your organization’s Risk Management strategy will help you determine how to move forward.
Why Some Risks Aren’t Fixed
Over time, organizations accumulate known risks that remain unresolved for several common reasons:
- Resource constraints: Time, budget, staffing, or system feasibility may limit what can realistically be addressed.
- Business impact: Security changes can affect usability, customer experience, or revenue.
- Internal policies and standards: Configuration requirements, regulatory interpretations, or leadership decisions can influence outcomes.
This is why documenting risk and clearly stating what will and will not be addressed is a cornerstone of effective risk management.
Common Risk Management Outcomes
Once identified, risks typically fall into one of the following categories:
- Remediated immediately
- Scheduled for remediation at a later date
- Offset by compensating controls
- Formally accepted for a defined period
- Accepted indefinitely
Each outcome is valid when supported by proper analysis and documentation.
Real-World Examples
Below are some examples of how risk management really works.
Risk 1: A cross-site scripting (XSS) vulnerability in an externally facing website. [Attackers could inject malicious scripts to steal session cookies, hijack accounts, redirect users, or deface the site.]
Decision: Fix immediately.
The risk is high, the impact is severe, and exploitation is likely.
Risk 2: Cookies flagged during a penetration test are not securely configured but contain no sensitive or session-related data. They are used solely for analytics.
Decision: Remediate in upcoming development sprints.
The risk is low, and delaying remediation does not create immediate exposure.
Risk 3: A vulnerable WordPress plugin cannot be upgraded due to compatibility issues. Wordfence is in place and actively blocks exploit attempts.
Decision: Compensating control accepted.
Existing protections sufficiently reduce risk for now.
Risk 4: A customer-facing web application does not enforce inactivity timeouts. Industry best practices and internal standards require a timeout of 30 minutes or less.
Decision: Accept risk for six months.
Implementing this change requires customer communication and application redesign.
Risk 5: Multifactor authentication (MFA) is offered via SMS, which is known to be less secure than modern alternatives.
Decision: Accept risk indefinitely.
Management deems SMS MFA acceptable for the application’s risk profile, and there have been no customer concerns.
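Two of the findings above (the analytics cookies in Risk 2 and the missing inactivity timeout in Risk 4) are easy to turn into concrete checks, which is what lets a team state the exposure precisely in the risk record rather than describe it loosely. The following is an added example, not code from the original post: it audits a Set-Cookie header for the hardening attributes a penetration test normally flags (Secure, HttpOnly, SameSite), and it models the server-side idle-timeout check a 30-minute standard implies. The cookie headers, timestamps and session identifiers are constructed for illustration.

```python
"""Cookie-attribute audit and idle-timeout check (added example, not from the post)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The "30 minutes or less" standard cited in Risk 4.
MAX_IDLE = timedelta(minutes=30)


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value and report missing hardening attributes.

    Returns {"name": <cookie name>, "missing": [...], "samesite_none_without_secure": bool}.
    A cookie with SameSite=None must also carry Secure, or browsers reject it.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "samesite" not in attrs:
        missing.append("SameSite")

    none_without_secure = attrs.get("samesite", "").lower() == "none" and "secure" not in attrs
    return {"name": name, "missing": missing, "samesite_none_without_secure": none_without_secure}


@dataclass
class Session:
    user: str
    last_seen: datetime  # timezone-aware timestamp of the last authenticated request


def session_is_live(session: Session, now: datetime, max_idle: timedelta = MAX_IDLE) -> bool:
    """True if the session has been used within the allowed idle window."""
    return now - session.last_seen <= max_idle


def touch_or_expire(sessions: dict, sid: str, now: datetime,
                    max_idle: timedelta = MAX_IDLE) -> Optional[Session]:
    """The check a server should run on every request: expire idle sessions,
    otherwise refresh last_seen so the idle window starts again."""
    session = sessions.get(sid)
    if session is None:
        return None
    if not session_is_live(session, now, max_idle):
        del sessions[sid]  # idle too long: invalidate server-side, not just in the browser
        return None
    session.last_seen = now
    return session


if __name__ == "__main__":
    # Constructed sample headers: an analytics cookie as flagged in Risk 2, and a hardened session cookie.
    for hdr in ("_ga=GA1.2.123456; Path=/; Max-Age=63072000",
                "sessionid=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"):
        print(audit_set_cookie(hdr))

    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    store = {"s1": Session("alice", now - timedelta(minutes=31)),
             "s2": Session("bob", now - timedelta(minutes=5))}
    print(touch_or_expire(store, "s1", now))  # idle 31 min -> None, session removed
    print(touch_or_expire(store, "s2", now))  # idle 5 min -> refreshed
```

The audit function deliberately reports a finding for the analytics cookie even though, as Risk 2 notes, the missing attributes carry little exposure there; the decision to defer is a risk judgement made on top of the finding, not a reason to stop recording it. The idle-timeout check has to live server-side: a client-side timer alone does not satisfy an inactivity standard, because the session identifier stays valid on the server.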
You Can’t Fix What You Don’t Know
At the end of the day, visibility is everything. You cannot remediate risks you haven’t identified. Organizations should assess their security posture:
- Annually
- After major environmental or system changes
- When new vulnerabilities emerge that could impact the environment
A clear understanding of your risk landscape ensures everyone, from technical teams to leadership, has shared awareness of the organization’s security posture.
Need help evaluating your security stance?
Give us a call—we’re here to help.
Here are a few resources if you are looking for more information on Risk Management Frameworks to follow.
