Information Security Handbook

Rightsizing information security for the organization

It is crucial to strike a balance between the implementation of security controls, the usability of an information system, and the organization's risk appetite. Implementing unnecessary security controls within an information system can lead to needless complexity, a reduction in mission effectiveness, avoidable financial expenditures, and ultimately a lack of confidence in the information security program.