What you found is not risk

You don't discover risks when doing security reviews. You discover issues with some of your security controls: you find out in what ways they are vulnerable.

A risk is an uncertain future event with meaningful consequences.

You describe security risks through scenarios that might happen in the future:

"During <a time period>, <a threat> abuses <a set of vulnerabilities> in the <security controls> protecting <a set of systems>, reducing the likelihood of reaching a <business goal> by <a ratio>".

Vulnerability is only one part of the story.

Until you provide every component of the risk scenario, you won't know if the impact is meaningful.

  1. Adjust <time periods> to the event horizon you are looking at.
  2. Conduct inventory management and architecture reviews to get a list of your <systems> and <security controls>.
  3. Do vulnerability assessments, configuration reviews, and penetration tests to identify <vulnerabilities>.
  4. Perform threat modeling and gather threat intelligence to identify <threats>.

Use forecasting to estimate the impact on the bottom line, and focus on protecting business goals.

Measuring risk will help you prioritize potential remediations against the other important things that your budget can buy.
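As an added illustration (not part of the original post), the scenario template above can be turned into a small model: a scenario that is missing any component cannot be forecast, a complete one renders as the sentence form and yields an expected impact on the business goal, and that figure can be weighed against a remediation's cost. The field names, the impact formula (probability of the event times the ratio times the value of the goal) and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One scenario in the post's template. Field names and units are assumptions."""
    time_period: str
    threat: str
    vulnerabilities: list[str]
    controls: list[str]
    systems: list[str]
    business_goal: str
    ratio: float         # reduction in the likelihood of reaching the goal (0..1)
    probability: float   # forecast probability that the event occurs within time_period
    goal_value: float    # what reaching the business goal is worth (constructed units)

    def missing_components(self) -> list[str]:
        """Template slots still empty; the impact is unknown until there are none."""
        return [name for name, value in vars(self).items() if value in ("", None, [])]

    def describe(self) -> str:
        """Render the scenario in the post's sentence form, refusing incomplete ones."""
        missing = self.missing_components()
        if missing:
            raise ValueError(f"incomplete scenario, missing: {missing}")
        return (f"During {self.time_period}, {self.threat} abuses "
                f"{', '.join(self.vulnerabilities)} in the {', '.join(self.controls)} "
                f"protecting {', '.join(self.systems)}, reducing the likelihood of "
                f"reaching {self.business_goal} by {self.ratio:.0%}")

    def expected_impact(self) -> float:
        """Assumed forecast: P(event in period) x ratio x value of the goal."""
        if self.missing_components():
            raise ValueError("cannot forecast an incomplete scenario")
        return self.probability * self.ratio * self.goal_value


def worth_remediating(scenario: RiskScenario, cost: float, effectiveness: float) -> bool:
    """Assumed criterion: the expected loss the fix avoids must exceed what it costs."""
    return scenario.expected_impact() * effectiveness > cost


# Constructed sample scenario; every value is illustrative.
SAMPLE = RiskScenario(
    time_period="the next 12 months",
    threat="a financially motivated intruder",
    vulnerabilities=["an unpatched remote-access appliance"],
    controls=["perimeter network controls"],
    systems=["the order-processing platform"],
    business_goal="the annual online revenue target",
    ratio=0.10, probability=0.25, goal_value=4_000_000.0,
)
```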