The goal of a security program should ultimately be to minimize and mitigate risk, with the understanding that risk can never be eliminated. Before an organization can understand its operational needs, it must first understand the risk it faces. Building out a matrix of operational requirements can assist greatly in evaluating security products and services. Using the matrix to identify where gaps exist allows an organization to strategically acquire the necessary people, process, and technology to address remaining challenges. The resulting matrix spells out what is needed operationally to ensure an adequate security posture for the organization.