Once you've conducted an assessment and have the threat intelligence you need, you can use that information to inform your overall threat management and cyber security strategy.
Prioritizing which assets to protect requires a clear understanding of your organization's security goals, the resources available and each security vulnerability. It's also important to understand that while you can mitigate threats, there's no such thing as zero risk. Your goal should be to protect your most critical data and systems—however you define them—and to minimize the risk of a breach that could lead to significant business disruption, reputational harm and financial loss.
You can prioritize what to protect in several ways, including by assessing the likelihood of an attack, how easy it would be to contain the threat and the potential business impact. For example, a legacy government database used to store citizen data for a social service program may represent a high risk because it holds high-value information and has several security vulnerabilities that attackers can easily exploit, for instance by delivering malware.
However, your organization may also face risk from weak email security, which increases the likelihood of a successful phishing attack, or from issues with privileged access, which increase the risk of leaked credentials or insider threats. You may also face security vulnerabilities and a greater risk of ransomware because of a rarely used virtual private network (VPN) that lacks multi-factor authentication and could give an attacker a path into your main network. In this case, you may decide it's better to retire the VPN, which removes that attack surface entirely rather than merely reducing it, and to give the highest level of protection to the legacy database and your email systems, since they are widely used by your employees and store highly sensitive information.
You may also decide to give one system a higher level of security than another because it is used enterprise-wide and supports your core business processes, whereas the other is used by only a single business unit or department for one specific process and doesn't store highly regulated information.