An effort vs. impact analysis provides visibility into the value associated with the operational requirements of a security project. This allows for dynamic prioritization of initiatives as priorities and capabilities change. This piece provides an effort vs. impact template you can use to assess risks and threats relative to the work needed to address those issues.
Security Project Prioritization Is Essential
All security programs operate within the limitations of the resources provided by their organization. Successful leaders can prioritize security activities from most to least important. They acknowledge that not all tasks can be completed, but they ensure the highest priorities are addressed and the least important are recognized. This requires a well-thought out, clearly articulated priority scheme that is understood and accepted by organizational leadership. This method should be adjustable and dynamic to meet current needs, as the security environment changes rapidly and resource availability ebbs and flows. The ability to quickly reprioritize and republish is fundamental.
Choose the Right Priority Matrix for Leadership
Simplicity is essential when communicating with leaders. A four-quadrant graph with roots in the Eisenhower Matrix is one of the simplest and most effective visual tools you can use. The Eisenhower Matrix was developed to prioritize tasks according to their relative importance and urgency (see Figure 1). This matrix is less effective when addressing security programs because importance and urgency in security cannot be separated—they are codependent.
Figure 1
As an alternative, consider a similar matrix based on impact vs. effort (Figure 2). The advantage of looking at impact vs. effort over importance vs. urgency is that these two axes are relatively independent. It is possible to estimate effort for any project in terms of resources. Substantial work remains, however, to determine the relative impact of a project.
Figure 2
How to Clearly Explain Security Project Impact
When assessing the impact of a security improvement project, it is critical to provide a clear basis for your analysis.
For best-in-class risk-based security programs, look at the relative reduction in risk. Have a unified and pragmatic definition of “risk”—for example, defining risk as a set of circumstances that can lead to harm. Secondly, be clear in the definition of “harm.” Harm often results from a security incident, but it could also be defined as any number of events that degrade the organization’s mission.
Examples of security incidents resulting in harm:
- Failure to meet legal and regulatory requirements
- Failure to obtain or retain third-party certification
- Failure to meet contractual requirements, including third-party contracts and insurance prerequisites
- An event compromising data and/or systems, leading to operational and legal impacts
Organizations can define this list more specifically based on their own circumstances. They should order it based on the magnitude of harm such an incident could result in. When properly curated, this becomes your ordered threat list.
Next, consider threat mitigation priority. Some mitigation efforts are not optional, while others are more discretionary, and others fall under basic security hygiene. Order this list according to how much harm the threats you are mitigating against involve. To do so, consider providing a range of potential “value lost” if the risk is not mitigated. This helps clarify the impact of your improvement projects.
When obtaining leadership and stakeholder buy-in, this can be a more formal exercise. Regardless of approach, an ordered list of threats enables you to rank the relative impact of each security project and its ability to stop threats from turning into incidents. The list of threats should be presented, accepted and periodically reviewed by the organization’s top leadership.
Consider Security Project and Risks and Threats Impact
Understanding and representing the effort involved in any security mitigation is important, but it is not the most significant factor in determining how to proceed. Look at the top and bottom 5% to 10% of projects in terms of effort:
- Very low-effort projects with any substantive impact should be completed as soon as possible.
- Extremely high-effort projects require careful elaboration about their impact to justify the extra effort or may simply be unattainable.
- The vast majority of projects fall in the middle. These are more discretionary and rely on impact estimates to determine their prioritization.
- One size does not fit all. Consider other formulations of the simple 2x2 high/low graphic. In some cases, an impact vs. urgency plot of projects, with each represented by a circle whose area is proportional to effort, can be quite informative.
No matter which format or visual device you choose, it is critical to get a broad consensus of the risks and threat order to build credibility for prioritizing projects.
Access In-Depth Budget, Career and Comp Insights - Take the 2024-2025 CISO Compensation and Budget Survey
Make data-driven decisions around your security project budget, compensation and your career development to meet the needs of your organization. Be the first to receive real time compensation and career data. Join hundreds of your fellow CISOs and InfoSec peers across the U.S. and Canada and take this year’s benchmark survey:
Take the Survey: CISO Compensation and Budget Benchmark Survey
As a participant, in our survey you’ll be the first to receive a series of in-depth reports featuring current data sets, takeaways, and market-based insights to help you fine-tune your current role, security budget, function, and career path.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.