SysAdmin Weekly - 038 - Making Security Decisions Based on Data, Not Fear

[asyrewicze]

In the new episode of SysAdmin Weekly we just released today, Paul and I dig into a topic that keeps coming up again and again in modern IT security: how easy it is to make bad security decisions when fear replaces evidence.

Security marketing, headlines, and even well-meaning guidance often push SysAdmins toward worst-case thinking. That said, worst-case thinking is not the same thing as good threat modeling, right?. In this discussion, we focus on why data-driven security decisions matter, how to evaluate risk realistically, and where many organizations end up over-engineering protections for unlikely threats while leaving common attack paths wide open.

We talk about:

• Why humans are terrible at assessing risk (and how that leaks into security strategy)
• Using real telemetry and reports instead of headlines and..... vibes
• Identity attacks: what’s actually common vs. what’s rare
• Why prioritization matters when time, budget, and staff are limited
• How to explain security risk in business terms instead of technical panic
• Etc...etc.

This episode is especially relevant if you’ve ever felt pressure to “do something” security-related without clear evidence that the proposed path actually reduces risk.

🎧 Listen to Episode 038:

• Episode 038 Transcript
• Episode 038 on YouTube > https://youtu.be/_mdi_LsUZBE?si=6sQ3YdrchOLAbHkT
• Episode 038 on Spotify > https://open.spotify.com/episode/1O2Rn0jfgYQvCfl5ZHYWBF?si=YCrGez8ZSlq1l5AsedjYog
• Episode 038 on Apple Podcasts > https://podcasts.apple.com/us/podcast/038-making-security-decisions-based-on-data-not-fear/id1809209683?i=1000747395039
• All links for the show > https://www.sysadminweekly.com
• SysAdmin Weekly Companion Newsletter > https://newsletter.sysadminweekly.com

💬 Discussion:

How do you decide which security risks deserve attention first in your environment? What data sources do you trust when making those calls? Let us know in the comments below!

As always, keep it civil, practical, and SysAdmin-real.