Cyber Risk Prioritization Framework: Part One

You may have heard of the book “The 7 Habits of Highly Effective People.” This 30-year-old book by Stephen Covey lays out an approach to being effective at work and in life. For you “Covey nerds,” here is a refresher on the 7 Habits:

1) Be proactive

2) Begin with the end in mind

3) Put first things first

4) Think win-win

5) Seek first to understand, then to be understood

6) Synergize

7) Sharpen the Saw

I won’t dive into the details behind these (although I find them very interesting). I will, however, borrow one of Covey’s tools—the Urgent-Important matrix (see below for a graphic).

This matrix forces you to examine how you spend your time by bucketing each task into one of the Important-Urgent quadrants. The aha moment comes when you realize: 1) the inordinate amount of time spent in the ‘time suck’ quadrant of Urgent – Not Important, and 2) the dearth of time spent on tasks in the most powerful quadrant, Not Urgent – Important. The conclusion: no planning + fire drills ≠ success.

This provides a graceful transition to cybersecurity. The cyber profession is famous for the crush of alerts and activities, and that crush is real. A majority of these alerts fit in the Urgent column, but it is debatable what portion of them fits in the Important category. At any rate, most cyber professionals cannot afford the luxury of even thinking about this exercise before scrambling to address the issues.

There is a lot that goes into creating an effective prioritization strategy, for operational security experts all the way up to the CISOs who lead them. I would like to modify Covey’s quadrants as a simple starting point for just such a strategy.

Allow me to introduce the Success-Impact matrix (see below for an illustration). Playing off of Covey’s Important-Urgent matrix, it forces you to inspect each alert or task and apply the following two questions:

1) What is the potential IMPACT to my business of this particular task or alert?

2) What is the likelihood of SUCCESS for this alert, meaning how likely the threat behind it is to actually succeed against my current controls? Remember, an alert does not mean a breach is imminent.

This admittedly simplified method introduces a different, but powerful, approach to prioritizing cyber risks. Here is a visual representation of the Success-Impact quadrants, populated with typical alerts or tasks:

This prioritization tool can be extremely effective on the journey toward becoming a “Highly Effective CISO.” By relying on the two measures of success and impact, you frame each problem from the perspective of how it affects the business.

Let’s examine the process of filling this graph out. Let’s say you, as the CISO, have the following tasks/risks you want to prioritize:

-Unpatched software alerts

-DDoS alert

-Phishing alerts

-Social engineering trojans

-Ransomware

-Malvertising

This list can get quite long! We can start by arranging these items in the buckets below, in the following order:

HIGH IMPACT – HIGH SUCCESS: Unpatched software alerts, DDoS alert

LOW IMPACT – HIGH SUCCESS: Phishing alerts, social engineering trojans

HIGH IMPACT – LOW SUCCESS: Ransomware

LOW IMPACT – LOW SUCCESS: Malvertising

You will have your own alerts and tasks. Some will be the general items that regularly populate your and your team’s task lists; others will be the occasional surprises that pop up throughout the week. The prevailing concept is to ask yourself “What impact could this have on the business?” and “What is the likelihood this alert is successful at impacting my business?” These two quick evaluations tell you whether to push an item to the top or the bottom of the list. Here are some steps to get started with building such a list:

-Take inventory of all known threats your company faces today

-Rate the relative impact of each threat to the business

-Rate the relative likelihood that each threat succeeds against your current controls, again from a business point of view

-Arrange all of these threats on your quadrant.

-Become a HEC (Highly Effective CISO)!

Putting this approach in motion gives you a more tangible way of showing how important certain initiatives are (the MOST tangible way is to show risk in terms of dollars and cents). In addition, you will save time in your day, and in your team’s day, by not treating everything as a fire drill.
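As an added worked example (my code, not something from the original post), here is a small Python script that carries out the steps above over a constructed threat list. Each threat gets an estimated dollar impact and an estimated probability of success; both figures, the two cut-off thresholds that decide HIGH versus LOW, and the cross-quadrant work order (taken from the order the post lists the buckets in) are assumptions you would replace with your own. It also computes the dollar view the post mentions, impact weighted by likelihood of success, so the quadrant ranking and the dollar ranking can be compared side by side.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact_usd: float   # estimated loss to the business if the threat succeeds (assumption)
    p_success: float    # estimated probability (0..1) it succeeds against current controls (assumption)

    @property
    def expected_loss(self) -> float:
        """Dollar view of risk: impact weighted by the likelihood of success."""
        return self.impact_usd * self.p_success


# Cut-off thresholds are assumptions; tune them to your own business.
IMPACT_THRESHOLD_USD = 250_000.0
P_SUCCESS_THRESHOLD = 0.5

# Work order across quadrants, following the order the post lists the buckets in.
QUADRANT_ORDER = (
    "HIGH IMPACT - HIGH SUCCESS",
    "LOW IMPACT - HIGH SUCCESS",
    "HIGH IMPACT - LOW SUCCESS",
    "LOW IMPACT - LOW SUCCESS",
)


def quadrant(t: Threat,
             impact_threshold: float = IMPACT_THRESHOLD_USD,
             p_threshold: float = P_SUCCESS_THRESHOLD) -> str:
    """Place one threat into a Success-Impact quadrant using the two thresholds."""
    if not 0.0 <= t.p_success <= 1.0:
        raise ValueError(f"{t.name}: p_success must be a probability in [0, 1]")
    impact = "HIGH IMPACT" if t.impact_usd >= impact_threshold else "LOW IMPACT"
    success = "HIGH SUCCESS" if t.p_success >= p_threshold else "LOW SUCCESS"
    return f"{impact} - {success}"


def bucket(threats):
    """Group threats by quadrant; inside each bucket, highest expected loss first."""
    buckets = defaultdict(list)
    for t in threats:
        buckets[quadrant(t)].append(t)
    return {q: sorted(buckets[q], key=lambda t: t.expected_loss, reverse=True)
            for q in QUADRANT_ORDER}


def prioritize(threats):
    """Flatten the quadrants into one work list: quadrant order first, expected loss second."""
    return [t.name for items in bucket(threats).values() for t in items]


def by_expected_loss(threats):
    """The dollars-and-cents ranking, ignoring the quadrant cut-offs."""
    return [t.name for t in sorted(threats, key=lambda t: t.expected_loss, reverse=True)]


# Constructed sample data using the post's own threat names; the numbers are illustrative only.
SAMPLE_THREATS = [
    Threat("Unpatched software alerts", impact_usd=500_000, p_success=0.7),
    Threat("DDoS alert", impact_usd=300_000, p_success=0.6),
    Threat("Phishing alerts", impact_usd=50_000, p_success=0.8),
    Threat("Social engineering trojans", impact_usd=80_000, p_success=0.55),
    Threat("Ransomware", impact_usd=2_000_000, p_success=0.2),
    Threat("Malvertising", impact_usd=20_000, p_success=0.1),
]

if __name__ == "__main__":
    for q, items in bucket(SAMPLE_THREATS).items():
        print(q)
        for t in items:
            print(f"  {t.name:<28} expected loss ${t.expected_loss:>12,.0f}")
    print("\nDollar ranking:", ", ".join(by_expected_loss(SAMPLE_THREATS)))
```

Run it and the two rankings disagree about ransomware: the matrix puts it in the third bucket because its probability of success sits below the threshold, while the dollar view puts it first because the impact dwarfs everything else. That gap is exactly what to look at when you set the thresholds; a cut-off that hides your single largest expected loss in a lower quadrant is a sign the impact threshold is too low or the likelihood threshold too high for your environment.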

Stay tuned for part two which will include more concrete prioritization examples and case studies.