All too often we hear people say not to boil the ocean or get lost in the weeds. Although such advice is often good, it’s important to be able to recognize when such details really matter. In my professional opinion, the first six of the top 20 CIS controls require attention to detail and a mind mapping approach that aligns what you have to your business processes so that assets requiring protection are not just understood as systems and applications, but as information lifecycles with ebbs and flows that can only be understood with a visual explanation. Dr. Fred Kaplan, Jeffrey Ritter, and the eDiscovery work of George Socha and Tom Gelbmann are what inspired this approach to preparing a sound security operations program. It is difficult to protect and assess risk for what you don’t understand. It’s harder to communicate it to the stakeholders if you don’t know who they are or how they are potentially impacted. Although such insight should seem to be common sense, sadly it’s not very common. In fact, all too often organizations skip understanding and throw in products without really understanding how the products align to the specific controls in a meaningful and measurable manner. When considering metrics, consider value conveyed from a better, faster, cheaper perspective. Did you gain operational efficiency? Can you lower activity costs? Can you reduce the signal to noise ratio? Can you accelerate resilience capabilities for recovery and continuity purposes? Although we all love to say we stop bad actors, our real value is in knowing how to best recover from as well as mitigate various threats to our overall landscape. With COVID-19 and remote work, that landscape has grown substantially. Taking the time to understand this so that an awareness culture is cultivated around your program, will do wonders for mitigating risk.