Security is not generic. It’s important not to treat every system and asset the same. Some stuff is important and should be protected at all costs. Some stuff isn’t, and therefore resources shouldn’t be expended to protect it. The executive managers have to decide what’s important, and they need to tell the security team. Help them understand the choices they need to make.
