By Craig Burland, CISO, Inversion6
In a world driven by technology, innovation and rapid change, companies often find themselves touting the mantra of “ruthless prioritization.” The idea sounds pragmatic: with limited resources and time, you must mercilessly cut away the unnecessary to focus on the truly important. Yet, the reality for many companies is that they’re ill-equipped to genuinely practice this level of prioritization. This is especially true in the cyber security domain as the overwhelming barrage of project and operational demands, coupled with finite resources, puts mid-level managers in a precarious position. These leaders must constantly juggling priorities, often having to choose between stretching resources to the limit, defaulting on commitments, or both. The veneer of “ruthlessness” fades quickly, revealing a chaotic mess of competing interests and tasks. Instead of the much-touted ruthlessness, there’s a more grounded, practical approach for cyber teams: prioritize based on risk reduction.
The Illusion of Ruthless Prioritization
The very notion of “ruthless prioritization” evokes images of decisive leaders making hard choices with an unwavering focus on the most critical tasks and sharing those decisions clearly to the teams doing the work. With clear goals in front of them, teams make great progress, striving together reach a common objective. However, the implementation of this principle in real-world scenarios often falls short. In the intricate web of a company’s operational requirements, deciding which projects are the most “critical” requires discipline, data and collaboration. Leaders must continually assess new opportunities, evaluate available resources and collectively agree on any change. Both large and small companies fail on multiple elements of this process. Even pulling back from project level to determining the critical strategies is beyond the ability of most organizations. The result is a form of project Darwinism that may or may not yield the best outcomes for the organization. The projects that survive may have the most persistent project managers, C-level visibility or an urgent deadline – all attributes that may or may not make them valuable to the organization’s success.
Within cyber security, where the stakes are high and the threats are dynamic, this question becomes even more complex. Mid-level managers in cyber security find themselves overwhelmed with an array of operational demands. From patching vulnerabilities to ensuring compliance, from monitoring threats to implementing new security solutions, the list is extensive and ever-growing. Without a finely tuned system of ruthless prioritization, these managers often find themselves in a conundrum. Do they stretch resources farther, risking burnout or reduced efficiency? Do they opt to ignore operational threats to weigh in on a new effort, risking a potential incident? Do they choose to say ‘No’ – a principle of Ruthless Prioritization — risking the political fallout of not being a good partner? These are all lose-lose scenarios.
Risk-less Prioritization: A Practical Alternative
Given the challenges of implementing ruthless prioritization, it’s time for cyber security professionals to consider an alternative approach: risk-less prioritization. Instead of trying to decide which tasks or projects are more “important” in abstract terms, this method emphasizes understanding and reducing the most significant risks.
In the realm of cyber security, not all tasks are created equal. Some actions might mitigate severe threats that could cripple an organization, while others address minor vulnerabilities that have a low likelihood of exploitation. By prioritizing based on risk, cyber teams can focus their energy and resources where they will have the most substantial impact. This approach aligns with the very essence of cyber security: protecting critical assets from the most significant threats.
Implementing risk-less prioritization involves a few key steps:
- Risk Assessment: Regularly assess the cyber security landscape to understand the most pressing threats to the organization. Use tools, analytics, and threat intelligence to gain insights into potential vulnerabilities and the likelihood of their exploitation.
- Quantify Impact: Understand the potential consequences of different threats. Which vulnerabilities could lead to significant financial losses? Which ones might damage the company’s reputation or result in regulatory penalties?
- Allocate Resources: Once the risks are assessed and quantified, allocate resources based on the potential impact. Focus on the most significant threats first, ensuring that they’re mitigated before attending to the lesser ones.
- Communicate: Ensure that the right people know the risks being mitigated and which ones are being temporarily accepted. This is key to validating the decisions made during the assessment phase and solidifying support.
- Iterate and Review: The cyber landscape is dynamic, with new threats emerging regularly. It’s vital to continuously revisit the risk assessment, ensuring that priorities shift as the threat landscape changes.
Ruthless prioritization, while a commendable ideal, often remains a myth for many companies. Especially within cyber security, the challenges of implementing such an approach are many, given the array of pressing demands. However, by shifting the focus from a vague notion of “importance” to concrete risk reduction, cyber teams can navigate their priorities more effectively. Risk-less prioritization provides a practical, impactful and grounded approach, ensuring that cyber teams protect their organizations against the most significant threats first. In a world riddled with cyber threats, it’s time to prioritize not ruthlessly, but wisely.
About the Author
Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Global Security, and Oracle Web Center. Craig can be reached online at LinkedIn and at our company website http://www.inversion6.com.