CISO Series - Organisation

Being in a leadership role in information security requires bringing together a level of technical understanding, strategic thinking, leadership, business skills and communication abilities. This can be a lot to manage all at once, on top of projects and the security hot topic of the day. One way to manage all of this is through good organisation strategies. Over many engagements with clients I have tried different methods; these are the ones I use today to help me stay organised and strike a balance across competing priorities.

Prioritising

I have said in a previous article that not everything can be priority number one; you are doomed to fail if you try to do everything at once. The first step towards being well-organised is learning to prioritise. In security leadership, you will most likely be flooded with a vast array of tasks, from risk decisions to meeting with stakeholders, managing multiple security initiatives all at once, and of course everything in between.

How do you prioritise effectively?

  • Leverage a Priority Matrix: When I have a lot on my plate I make a quick 2x2 matrix to help. One axis represents the impact of tasks and the other represents their urgency. This helps in quickly identifying tasks that require immediate attention and those that can wait.

  • Focus on High-Risk Areas: I lean towards prioritising areas that are higher risk, such as what is public facing. Prioritise threats that could have a significant impact on your organisation’s operations or reputation.

2x2 matrix prioritisation method

Time Management

Time is a finite resource. Effective time management is about ensuring that you are focusing on the right activities. In the past I fell victim to pushing tasks to the end of the day: I’ll catch up on the train home, or on the train in the morning on the way to the office. It wasn’t effective, and I found that time better spent thinking and catching up on podcasts, which ultimately gave me lots of new ideas on how to approach the challenges I was facing at the time in my projects.

Here is how I got out of that and structured my work during the day:

  • Adopt Time Management Techniques: Techniques like the Pomodoro Technique, which involves breaking work into intervals (traditionally 25 minutes), can help increase productivity. I recommend avoiding multitasking and focusing on one task at a time for a short period of time for maximum efficiency. It takes just one phone call, one Slack message or a quick office conversation to scatter your concentration across multiple tasks, and it can take time to focus again. It is easier if you are focused on just one task.

  • Set Realistic Deadlines: Having clear deadlines can help keep you and your team on track. It provides a timeframe that fosters focus and productivity. Don’t over-commit on when you can realistically have an answer, that paper ready, or a view on a good strategy for a business risk. It sounds great to say you can have it ready tomorrow, but in reality you then have to put everything else on hold in the interim to give it the right focus.

Delegation

Place a high value on delegation, recognising it as a critical organisational skill for leaders; you are not always the best person to handle everything that comes your way. As a CISO, you must trust your team and allocate tasks effectively.

  • Know Your Team’s Strengths: This was key in the Fortnight Foundation. Evaluate the skills and capabilities of your team members. Knowing who excels in what area helps you get support on those tasks more effectively.

  • Communicate Clearly: Clear communication is key when delegating. Your team needs to know what they are expected to do, the standards they should adhere to, and the deadlines they need to meet.

  • Project Management Tools: Tools like Trello or Asana can be invaluable for organising tasks and monitoring progress. They provide clear overviews of projects and can help keep everyone on the same page. It is good to review these in advance of conversations with teams to prepare questions you might have on progress and the direction of travel.

Effective Note-Taking

Underpinning all of this, and I can’t stress how important this is, is an ability to keep track of everything.

I use an iPad to keep my notes organised. I have tried many different methods, flash cards on my desk, Moleskine paper notebooks, but as you take on senior leadership roles it becomes more and more difficult to continually update each team’s priorities and changing projects in paper form, especially in a bound book. I can remember back 10+ years to an engagement where a senior Director was questioned by the board on why a customer-facing service had an outage; it led to a whole host of questions that they couldn’t answer. From then on they tasked the team to produce weekly 50+ page packs on everything that was going on, metrics, KPIs, incidents, which they carried around with them all the time, just in case the same questions were asked in future.

Having access to your notes in an organised form and being able to find the information you need quickly is essential. I use my iPad with the app StandardNotes and a template I created which helps structure how I take notes. I find having the iPad useful when I need to quickly research something, or on the commute to the office to catch up on the hot topic of the day in security news; it has become a laptop replacement for me. I self-host a lot of my own services, email, file sync, notes; it is all encrypted and backed up offline continuously, perhaps something I will dive into in a future post.

So what makes good notes, and a good note-taking template?

  • Develop a Note-Taking System: I use the Cornell method to take notes during meetings. I keep a header page for each project/team with the key points I need for each: what the current priorities are, the business risks we have talked about, and decisions made. This helps me remain informed and current when entering each discussion with the teams.

I would stress that a key part of this is to make it a habit to review your notes after meetings. This practice helps you reflect on the discussion, identify follow-up actions, and ensure nothing gets overlooked. Depending on your schedule it is not always possible directly after the meeting; I would recommend a review the same day.

The Cornell Method encourages active engagement with your notes rather than passive recording. The cues and summary sections force you to interact with the information, reinforcing understanding and improving recall.

Also, it facilitates easy review. The cues act as prompts to test your memory, and the summary provides a quick overview of the material.

I keep notes in date order for each project so that I can easily scroll back to see when decisions were made and when risks were identified and the actions that were recommended.

Cornell Method for Notes

Notes: During the meeting, I use this section to record notes as the meeting progresses. It forms the largest part of the page. I write down facts, ideas, or any relevant information heard during the meeting.

Cues: Immediately after the meeting or soon after, I review the notes. In the left-hand margin, I jot down ‘cues’: keywords or questions that correspond to the notes. These cues serve as triggers to help recall the main ideas.

Summary: At the bottom of the page, I write a summary of all of the notes on the page. This exercise forces you to condense and review the material, reinforcing your understanding and recall.

I find this practice invaluable for finding key information, looking back at what has been achieved throughout each month, and communicating this to wider stakeholders. Having notes and summaries in this format also helps in bringing together communications that are accurate for your teams and peers, which in turn reinforces trust that you very much have your eye on the ball.

My note-taking tools:

  • iPad Pro

  • iPad Magic Keyboard, which quickly turns my iPad into a laptop-like device

  • Apple Pencil for sketching and handwritten note-taking when keyboard clicks could be distracting for others

  • Paperlike screen protector (https://paperlike.com)

  • StandardNotes app, connected to my own encrypted hosting (https://standardnotes.com)