Many organizations are facing complex risk management issues and are ill equipped to sufficiently mitigate risk in a focused manner. Studies have shown that an astonishing 57% of senior level executives label “risk and compliance” as the two top categories they feel least prepared to address (Quantivate, 2019, para. 1). Consequently, only 6% of directors maintain confidence that their organization is effectively managing risk (Guis, Mieszala, Panayiotou & Poppensieker, 2018, para. 4). With so many organizations facing an existential risk management crisis, this beckons the question how many organizations have implemented a mature information security risk management program through the use of a focused risk assessment to drive the creation and maintenance of the information security program and are enforced through IT auditing (Streff, 2019). The existence of assessing risk and using the results to create and maintain the information security program and enforcing through auditing are listed in order or relative importance. This paper will aim to discuss the importance of each pillar and explain the reasoning behind the priority between the three concepts.