"If everything is important, then nothing is." ― Patrick Lencioni
We’ve all seen this concept applied to time management and other decision-making tools: the idea that you need to give yourself some focus on the tasks at hand, to sift out what you should be doing now and what can wait.
Coincidentally, this also can be used to improve your information security program.
That might be putting it conservatively because, without a method of prioritization, you can spend a lot of time chasing after the things that just aren’t that important. In today’s information security landscape of daily news breaks of the latest vulnerability, or breach-of-the-week, it can be difficult to sort through it all and not get distracted.
Good news: your risk assessment can, and should, help with this. A clear action plan should be a deliverable from your risk assessment. It should be a tool for helping you decide what to do next. If that’s not what you’re getting out of it, then you are probably just going through the motions to satisfy examiners.
Before we go any further, a quick primer on risk assessments:
Risk = likelihood x impact. Likelihood is the chance that a vulnerability will be exploited; impact is how bad it will be if that vulnerability is exploited. The typical risk assessment has you calculate this for each vulnerability for all of your information assets. Then you rank them from high to low based on this calculation. (I know, a good risk assessment is much more than this, but that’s another topic altogether.)
Ok. Back to the purpose of this post.
The prioritization pitfall that most people run into in this process is that they over-rate many of their moderate risks by scoring a vulnerability as being more likely or more impactful than it really is. This can make it really crowded at the top, and really confusing as to what controls you should implement to take care of your most serious threats.
Vendor management is another area that can fall victim to a lack of risk-based focus. Anyone who has ever been involved in service provider oversight knows how time-consuming it can be to pull together each year. Lack of proper prioritization can make this task very daunting.
I still remember my first vendor management program; we treated our moderate service providers with the same scrutiny as our critical ones because we didn’t have a good way of distinguishing between the two. This was very ineffective and even more impractical.
When we finally outlined clear thresholds separating the risk levels of our service providers, and how we would approach each one, it became an effective, efficient process.
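To make the primer’s scoring and ranking concrete, and to show why explicit thresholds matter, here is an added example (mine, not from the post): a constructed risk register scored as likelihood x impact, sorted high to low, bucketed into tiers by stated cut-offs, with a check for the "crowded top" that over-rating produces. The asset names, scores, tier cut-offs and the 40% crowding threshold are all assumptions for illustration.

```python
"""Score, rank and tier a small risk register; flag a crowded top tier."""

# Constructed sample register (hypothetical assets and findings, not from any real assessment).
# likelihood and impact use the 1-5 scale common in qualitative assessments.
REGISTER = [
    {"asset": "online banking portal", "finding": "unpatched web framework", "likelihood": 4, "impact": 5},
    {"asset": "core banking database", "finding": "shared admin account", "likelihood": 3, "impact": 5},
    {"asset": "branch printer", "finding": "default SNMP community", "likelihood": 3, "impact": 1},
    {"asset": "marketing site", "finding": "missing security headers", "likelihood": 2, "impact": 2},
    {"asset": "HR file share", "finding": "overly broad share permissions", "likelihood": 3, "impact": 3},
    {"asset": "guest wifi", "finding": "no client isolation", "likelihood": 2, "impact": 2},
]

# Tier cut-offs are an assumption; the point is that they are written down and applied consistently.
TIERS = (("critical", 16), ("high", 10), ("moderate", 5), ("low", 0))


def score(item):
    """Risk = likelihood x impact, exactly as in the primer."""
    return item["likelihood"] * item["impact"]


def tier(risk):
    """Map a numeric score to the first tier whose floor it meets."""
    for name, floor in TIERS:
        if risk >= floor:
            return name
    return "low"


def rank(register):
    """Return the register scored, tiered and sorted from highest to lowest risk."""
    scored = [dict(r, risk=score(r), tier=tier(score(r))) for r in register]
    return sorted(scored, key=lambda r: r["risk"], reverse=True)


def top_is_crowded(ranked, max_share=0.4):
    """The prioritization pitfall: too many items land in the top two tiers to act on."""
    top = sum(1 for r in ranked if r["tier"] in ("critical", "high"))
    return top / len(ranked) > max_share


def inflate(register, bump=1):
    """Simulate over-rating: every likelihood is bumped up by one (capped at 5)."""
    return [dict(r, likelihood=min(5, r["likelihood"] + bump)) for r in register]


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f'{r["risk"]:>2} {r["tier"]:<9} {r["asset"]}: {r["finding"]}')
    print("honest register crowded:", top_is_crowded(rank(REGISTER)))
    print("inflated register crowded:", top_is_crowded(rank(inflate(REGISTER))))
```

Run as-is, the honest register leaves two items at the top; bumping every likelihood by one pushes three of six into the top tiers and trips the crowding check.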
So, what are some tips to help prioritize in information security? Here are a few: