- Failure to maintain a complete physical asset inventory
- Failure to maintain a complete logical connectivity and data flow diagram
- Failure to maintain a complete digital asset/intellectual property inventory
- Failure to maintain digital situational awareness
- Failure to prepare for incidents

The first three items revolve around knowing your environment. If you don't know what houses your data (item 1), how that data is transported (item 2), and what data you are trying to protect (item 3), you have little chance of success.

Once you know your environment, you should learn who is trying to exploit your vulnerabilities to steal, corrupt, or deny access to your data (item 4). Security incidents will occur, so you should have policies, tools, techniques, and trained and exercised personnel ready to respond (item 5).