In cybersecurity, one of the more challenging issues is deciding when a security hole is a big deal, requiring an immediate fix or workaround, and when it’s trivial enough to ignore or at least deprioritize. The tricky part is that much of this involves the dreaded security by obscurity, where a vulnerability is left in place and those in the know hope no one finds it. (Classic example: leaving a sensitive web page unprotected, but hoping that its very long and non-intuitive URL isn’t accidentally found.)
And then there’s the real problem: in the hands of a creative and well-resourced bad guy, almost any hole can be leveraged in non-traditional ways. But — there is always a but in cybersecurity — IT and security pros can’t pragmatically fix every single hole anywhere in the environment.