The checklist mentality

According to the WEF (World Economic Forum) Global Cyber Security Outlook 2023, attitudes have shifted, with many now seeing cyber security frameworks as an effective tool for improving cyber security across the private sector. Following a cyber security framework such as Cyber Essentials or ISO 27001 has been shown to reduce the chances of a data breach by up to 86%.

But it’s a double-edged sword. Many people now think of cyber security and compliance with a security standard as the same thing. This has encouraged a “checklist mentality” that actually works against a security programme’s primary goal: reducing risk.

The problems with a checklist mentality

A checklist mentality is focused on ticking the boxes required by standards such as ISO 27001 or NIST, rather than taking a holistic, risk-based approach. While this approach may get you certified, it does not really address the specific risks faced by an organisation. For example, a company that relies heavily on cloud-based services faces different threats than a company that primarily uses on-premise systems. A one-size-fits-all approach to cyber security simply cannot adequately address the unique risks and vulnerabilities of every organisation.

A checklist mentality can also create a false sense of security. Organisations may believe that if they have followed all the required steps and implemented all the necessary controls, they are fully protected against cyber attacks. However, cyber security is more complicated than that. There will always be risk; security is about keeping risk within acceptable levels so the business can operate. While there are commonalities, an organisation’s risks are generally unique to it. A checklist approach may provide a baseline level of protection, but it is not enough to adequately protect against attacks.

What is a Risk-Based Approach?

A risk-based approach to cyber security involves analysing potential threats, assessing the likelihood and impact of each risk, and prioritising the allocation of resources to mitigate those risks. It takes into account the specific risks faced by an organisation and tailors security measures accordingly. It’s important to prioritise:

  • The things that are most valuable to you
  • The things that are most at risk
  • The things that are easiest to secure

It’s a delicate balance that is admittedly harder to achieve, but one that has many benefits over a compliance-based approach.

The benefits of a risk-based approach

First and foremost, a risk-based approach provides a more effective way to safeguard against cyber attacks. By focusing on the specific risks faced by an organisation, security measures can be tailored to provide the most comprehensive protection. This approach also allows for more efficient use of resources, as controls can be prioritised by the likelihood and potential impact of the risks they address.

In addition, a risk-based approach to cyber security can help organisations comply with established standards. While a checklist mentality may ensure compliance with a particular standard, a risk-based approach provides a more comprehensive and effective means of meeting the standard’s requirements. By addressing its specific risks and vulnerabilities, an organisation can more effectively meet the intent of the standard.

Established cyber security standards provide a useful framework for developing a comprehensive cyber security strategy. However, a checklist-mentality approach to these standards can create a false sense of security and fail to adequately address the unique risks faced by each organisation. By taking a risk-based approach, organisations can more effectively safeguard against cyber threats and comply with established standards.

The benefits of a risk-based approach include more effective protection, efficient use of resources, and improved compliance. In today’s constantly evolving cyber threat landscape, a risk-based approach to cyber security is essential for any organisation looking to protect its sensitive data and systems.

Rebasoft provides a cyber security solution with useful criticality and prioritisation tools. To find out more on how Rebasoft can help your organisation and to book a demo: