I've always been a fan of the SANS Institute's Top 10 Vulnerabilities list,
even after it morphed into a Top 20 Vulnerabilities list. It's encouraged other
useful lists as well, such as the Top 20 Programming Errors and Top 20 Most
Critical Security Controls. The OWASP Top 10 Web Application Security
Vulnerabilities is just as useful -- and the fact that most of the items on the
list haven't changed over the past decade is very telling. These types of lists
are great for corralling consensus about what the biggest problems are so that
they can be addressed in a focused manner.
My question for you is, does your organization have a top 10 computer security
problems list? If so, is the list well known by all members of IT management,
computer security staff, programmers, and infrastructure support folks? If you
don't have a list -- or if no one else knows about it -- how can you be sure
that your IT department is focusing the right amount of resources on the right
problems?
I constantly run across organizations that do not adequately address high-risk
problems; rather, they get sidetracked into solving midtier problems that are
easier to crack. For example, an organization's biggest problem might be
end users installing Trojan horse malware. Meanwhile, the company is pouring
money and manpower into stopping remote buffer overflows or trying to achieve
100 percent patching compliance -- even though these efforts resolve only a
small percentage of the organization's overall computer security issues.
Building a top 10 computer security list for your organization starts with
identifying and ranking threats based on the best metrics you have. You should
then get team and management approval for the items that make the final list.
This forces everyone to affirm and focus on the biggest problems.
Once you've created your list, be sure to communicate it using the normal
computer security education methods (such as e-mail, posters, newsletters, and
so on) to ensure all the relevant teams are working to tackle your top security
issues in the way that fits their own area of responsibility.