security plan will start tackling the risks identified with the highest numbers.

Many organizations set thresholds as follows:

1-250: Will not focus on threats at this level

250-350: Will focus on these threats as time and budget allow

350-450: Will address these threats by the end of the next budget year

450-500: Will focus immediate attention on these threats

These thresholds are just examples, and in practice, the results will likely be skewed either toward the top or bottom of the scale, so organizations should adjust responses accordingly.

The goal of the risk assessment exercise is to lay a foundation for sensible security planning. Going through a risk assessment exercise alone will not actually fix security problems; the real work -- building protective, risk-reducing solutions -- still lies ahead.

Organizations should align security spending with specific threats and focus on cost-effective measures, CDW-G said. Having a prioritized list of threats enables organizations to focus their efforts on the areas that matter most and avoid spending on security technologies or activities that are less essential or irrelevant to fixing identified problems.