Many cybersecurity practitioners have the misconception that technical controls are the means to secure the cyber environment. They insist on encryption, MFA, session timeouts, keeping up with security patches, deploying the latest versions, mandating anomaly detection in virtual environments, and so on.
Sometimes adding more controls does not raise the level of security much. Worse, new controls can introduce new risks, not to mention degrade productivity.
A thorough understanding of the business, the cyber environment and the attack surface is the essential element. Conducting a risk assessment is how you strike the right balance between what to invest in and which risks can be tolerated.
Example #1: if a system is fully isolated, a remote exploit over the network, even one with a CVSS score of 10, doesn't matter.
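Example #1 is what the CVSS v3.1 environmental metrics are meant to capture: re-scoring a base vector after setting Modified Attack Vector to Physical because no network path exists. The script below is an added illustration, not part of the original post; the vector is a constructed worst case rather than a real CVE, and the implementation covers only the modified exploitability metrics (the requirement, modified-impact and temporal metrics are left at their defaults).

```python
import math

# CVSS v3.1 metric weights (from the specification tables)
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def pr(level, scope):
    # Privileges Required weighs more when the scope changes
    return {"N": 0.85, "L": 0.62 if scope == "U" else 0.68,
            "H": 0.27 if scope == "U" else 0.5}[level]

def roundup(x):
    # Roundup() from the spec: one decimal, rounding up, with a float guard
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    return dict(p.split(":") for p in vector.split("/")[1:])

def base_score(vector):
    m = parse(vector)
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    if m["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr(m["PR"], m["S"]) * UI[m["UI"]]
    raw = impact + expl if m["S"] == "U" else 1.08 * (impact + expl)
    return 0.0 if impact <= 0 else roundup(min(raw, 10))

def environmental_score(vector, MAV="X", MAC="X", MPR="X", MUI="X", MS="X"):
    # Modified exploitability metrics only; "X" (not defined) falls back to the
    # base metric. C/I/A are not modified; requirement and temporal factors are 1.0.
    m = parse(vector)
    pick = lambda mod, key: m[key] if mod == "X" else mod
    ms = pick(MS, "S")
    miss = min(1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]), 0.915)
    if ms == "U":
        mi = 6.42 * miss
    else:
        mi = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    me = (8.22 * AV[pick(MAV, "AV")] * AC[pick(MAC, "AC")]
          * pr(pick(MPR, "PR"), ms) * UI[pick(MUI, "UI")])
    raw = mi + me if ms == "U" else 1.08 * (mi + me)
    return 0.0 if mi <= 0 else roundup(min(raw, 10))

# Constructed worst case: network-reachable, no auth, full impact, scope change
WORST = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
```

For this vector the score drops from 10.0 to 7.7 with MAV:P, which is still High; that gap between the re-scored number and "doesn't matter" is exactly what the exposure analysis in the risk assessment has to supply.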
Example #2: RFID tags are not stuck to every item in a supermarket; only high-value items are tagged. That is a business risk accepted when running the self-service operating model.