IT security pros have a mountain of work on their hands trying to ensure every possible weakness in their infrastructure is defended. It rarely is.

Frustrating? You bet. But they shouldn’t be discouraged. Computer security expert Roger Grimes has boiled what they need to understand into six hard truths IT pros need to learn, which will not only toughen their hides but also help mitigate most attacks.

Last on his list but the biggest lesson is the inability of administrators to appropriately prioritize competing risks. “Some of the hundreds of possible ways to exploit a company are far more likely to happen than others,” he writes. “This makes for a huge gulf between your highest-rated threats and your most likely ones. Success belongs to those who focus their security efforts more often on the latter.”

Other truths:

–Thanks to the proliferation of mobile devices belonging to staff and partners, forget about trying to put protective software on every device that accesses your network. At the very least, any security solution has to be able to tell you which devices are having problems with AV software. Then look for commonalities and try to get the software installed on as many devices as possible;

–You’ll never have enough staff to help install and maintain security solutions. Instead, get a plausible staffing solution in place before buying more security technology;

–No matter how good you are at patching, attackers only need to find one vulnerability;

–Attackers are still faster at finding new vectors to use than defenders are at putting up walls;

–The anonymity the Internet affords is one of the biggest aids to attackers.

Sounds like an impossible challenge. It isn’t — it’s merely hard. But these are truths to be faced.

Read the whole column here.