In today’s world, IT and security leaders face an ever-changing and growing list of issues and projects that need their time and attention: audit findings, security assessments, vulnerability scans, threat intelligence feeds, etc. There is an endless supply of problems that all seem to need immediate attention. Because of this, the one question we consistently hear from clients is: how do we prioritize our work?
Prioritization is all about decision making. To set priorities, you need to evaluate the issues at hand and decide which are most important. From that rating of importance, you then decide which issues you will work on first, second, third, and so on.
Sounds pretty simple, right? Unfortunately, the actual struggle that every organization faces isn’t quite so easy. How and when we prioritize has a big impact on what we focus on and whether or not we focus on the right things.
Habit #3 in Stephen Covey’s 7 Habits of Highly Effective People is “put first things first.” While the concept is simple, in security and IT it can be very challenging to apply. The reality is that there is only so much time in the day, so much money in the budget, and so many staff members to get things done. In other words, we have a limited amount of resources trying to fix and resolve an unlimited number of issues. Suddenly, we’re in a sticky situation as a decision maker.
Most people acknowledge that the need to prioritize drives our security decisions, and that these decisions rely heavily on assessing the risk an issue presents. This means using risk as one of the key factors in establishing our priorities. After evaluating all options, and weighing risk heavily, your focus should first be on the riskiest issues: the things that have both a high likelihood and a high impact.
To add even more complexity, it is often difficult to make heads or tails of the risky issues because there can be a list of 50+ issues all labeled “critical” or “important.” So, how do you manage a long list of issues with the same risk severity? Shifting priorities based on business need and the changing risk landscape is key to managing issues effectively.
Step one is to identify the organization’s priorities:
In our line of work, these are the three priorities of our customers:
- Patient safety
- Financial loss
Step two is answering the following questions:
- How do the issues impact these three priorities?
- Which issues have the greatest likelihood and impact on these?
- What is the impact of a service or system interruption?
- What is the impact of a breach?
Step three is determining budget and staffing needs / justifying requests:
- How do these things affect our risk?
- Do they change our assumptions?
- Do they have a material impact on the risk factors in our models?
- Do we need to update/refine our models?
- Do the changes comply with or affect our policies and standards?
- Do we need to update our policies / standards?
Once you have evaluated all of these questions and found your answers, you have arrived at the stage in the game in which you have to make key decisions:
- Deciding if additional information is needed to make an informed decision.
- Deciding on what to ask for or recommend.
- Deciding on how to allocate the resources you are allocated.
- Deciding on what project/issue needs to be tackled first.
At this point, you’ll have a well-thought-out, prioritized list that you can begin to work through. However, an important aspect to be constantly aware of is that risk changes, and with it, so must our priorities. In Agile development, one of the core principles is to be adaptive. Without adapting, priorities become skewed and inaccurate, potentially causing you to miss a much bigger, riskier development while focusing on out-of-date data and issues. Pausing in your work to repeat the prioritization process periodically and regularly will ensure the greatest success in combating your risks.