Rethinking Cyber Security Prioritisation

As an independent consultant, I gain a unique insight from working with many different organisations. I have seen my fair share of management trends come and go: some seek to revolutionise and transform the way cybersecurity teams work, while others fail to plan far enough ahead, because, as everyone knows, cybersecurity changes so quickly that today's priority may not be tomorrow's. This came up recently during one of my catch-up sessions with a mentee, whose organisation is going through leadership changes that have raised a number of challenges.

One persistent challenge I see with new “managers” as they start on the journey of discovering what being a leader is, is what I call the “Everything is Priority One” syndrome. This is when a new manager, in their zeal to address all security threats simultaneously, declares everything to be the number one priority. While this may initially seem like a proactive and comprehensive approach, it is actually counterproductive. It tends to happen more in scaling startups, where there are no security teams or individuals tasked with a particular area as their focus. In some ways it is a process: the failure of this approach ultimately leads to putting in place a proper security strategy with a structured security team. Hopefully this post will help those managers get there faster.

Understanding the Pitfalls of “Everything is Priority One”

There is a basic flaw in the notion of declaring everything a top priority: it fundamentally misconstrues the concept of priority itself. By definition, a priority is something that is more important than other things and needs to be dealt with first. If everything is the top priority, nothing is.

This approach can lead to decision paralysis, employee burnout, and resource allocation problems. Instead of focusing on the most critical tasks, team members scatter their energies trying to manage all “priorities” at once. Teams find themselves pulled in too many directions, and this dilution of focus leads to decreased efficiency and effectiveness in dealing with the genuine threats. A study by the Boston Consulting Group, “Making Time Management the Organisation’s Priority,” reinforces this, highlighting the productivity losses incurred through poor time management and prioritisation.

It causes particular confusion where the team works on both project and operational activities simultaneously. What if that security alert is just a false positive and I spend time investigating it? How does that look to the manager when I could have been working on the other top priority? But what if that security alert is a true positive and we miss the urgency of the response it requires? Teams need guidance and a clear understanding of what the priority is.

A More Balanced Approach to Prioritisation

A balanced approach to prioritisation focuses on identifying and categorising tasks based on their potential impact and immediacy. This doesn’t mean ignoring lower-priority tasks but rather organizing them so they can be addressed in a logical and manageable order. I believe it is unfair to set project deadlines on cyber teams when part of their role is also investigating random and as yet unknown alerts during a sprint.

For instance, immediate threats to your IT infrastructure should take precedence over long-term improvement projects. A breach in the system requires immediate attention, while upgrading the firewall system, although important, can be scheduled into the wider team’s workflow.
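To make the impact-and-immediacy categorisation concrete, here is an added example (my own illustration, not code from the original post) that sorts a constructed backlog of security work items into Eisenhower-style buckets. It adds one bucket the classic matrix lacks: an alert that has not yet been triaged is treated as its own “triage” category that sits right behind confirmed incidents, so an unverified alert is neither allowed to displace a live breach nor buried under project deadlines. The item names, scores, and dates are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: a snapshot of a small security team's backlog.
NOW = datetime(2024, 1, 15, 9, 0)


@dataclass
class WorkItem:
    name: str
    impact: int            # 1 (low) .. 5 (high): harm if this is not dealt with
    due: datetime          # when it must be dealt with by
    kind: str = "project"  # "project" (planned work) or "alert" (operational)
    verified: bool = True  # for alerts: has it been confirmed as a true positive?


# Bucket order used for sorting: confirmed incidents first, untriaged alerts
# next (time-boxed), then important planned work, then the rest.
BUCKET_ORDER = {"do": 0, "triage": 1, "schedule": 2, "delegate": 3, "drop": 4}


def bucket(item: WorkItem, now: datetime = NOW,
           urgent_within: timedelta = timedelta(hours=24)) -> str:
    """Classify one item by importance (impact) and urgency (time to due date).

    do       - urgent and important (a confirmed breach)
    triage   - an alert nobody has verified yet: its urgency is unknown,
               so it must be looked at before it is allowed to wait
    schedule - important but not urgent (the firewall upgrade)
    delegate - urgent but low impact
    drop     - neither urgent nor important
    """
    if item.kind == "alert" and not item.verified:
        return "triage"
    important = item.impact >= 4
    urgent = item.due - now <= urgent_within
    if urgent and important:
        return "do"
    if important:
        return "schedule"
    if urgent:
        return "delegate"
    return "drop"


def prioritise(items: list[WorkItem], now: datetime = NOW) -> list[WorkItem]:
    """Return the backlog ordered by bucket, then by impact, then by due date."""
    return sorted(items, key=lambda i: (BUCKET_ORDER[bucket(i, now)], -i.impact, i.due))


# Constructed backlog: two operational alerts mixed with three project tasks.
SAMPLE_ITEMS = [
    WorkItem("Rename stale test tickets", 1, NOW + timedelta(days=60)),
    WorkItem("Upgrade perimeter firewall", 4, NOW + timedelta(days=30)),
    WorkItem("Investigate unverified EDR alert on build server", 3,
             NOW + timedelta(days=3), kind="alert", verified=False),
    WorkItem("Update password policy wiki page", 2, NOW + timedelta(hours=20)),
    WorkItem("Contain confirmed credential breach", 5,
             NOW + timedelta(hours=2), kind="alert", verified=True),
]


def ordered_names(items: list[WorkItem] = SAMPLE_ITEMS, now: datetime = NOW) -> list[str]:
    """Convenience wrapper: the prioritised backlog as a list of item names."""
    return [i.name for i in prioritise(items, now)]


if __name__ == "__main__":
    for item in prioritise(SAMPLE_ITEMS):
        print(f"{bucket(item):9} {item.name}")
```

The threshold values (impact 4 or above counts as important, anything due within 24 hours counts as urgent) are assumptions chosen for the sample; a real team would agree them with its manager, which is exactly the conversation the rest of this post is about.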

Strategies for Creating Engaged and Empowered Teams

First of all, listen to your team. The most important lesson for any new manager is not to think they were given the role because they have all the answers, but because of how well they can listen and lead the team in the right direction. It is a collaboration between the new manager and the team, balancing the desires of senior leadership against keeping your team motivated. Your team needs to understand the priorities, and that cannot happen if everything you bring their way is top priority alongside everything else. Once priorities are defined, the focus should shift toward team engagement and empowerment. Dr. David Rock’s SCARF model—an acronym for Status, Certainty, Autonomy, Relatedness, and Fairness—provides a comprehensive approach to managing and motivating teams.

  1. Status and Recognition: Recognize individual and team efforts to boost motivation.

  2. Certainty: Establish clear expectations and communicate priorities transparently.

  3. Autonomy: Grant team members the autonomy to make informed decisions.

  4. Relatedness: Encourage open dialogue, peer learning, and collective problem-solving.

  5. Fairness: Ensure equitable access to opportunities and resources.

By applying these principles, managers can nurture a dynamic, engaged cybersecurity team ready to navigate an ever-evolving threat landscape.

Bridging the Communication Gap

Open, two-way communication is crucial in any team but becomes even more significant in the face of cybersecurity challenges. If you feel overwhelmed by the “Everything is Priority One” syndrome, here are some strategies you can employ to communicate those concerns effectively to a new manager:

  1. Open Dialogue: Initiate an open, honest discussion about the impact of current prioritisation practices on your work and the team’s productivity.

  2. Propose Alternatives: Present the Eisenhower Decision Matrix or similar frameworks as a solution to the current issue. Demonstrate how these models can help the team manage tasks more effectively.

  3. Highlight the Benefits: Emphasize the benefits of effective prioritisation—not just for individual productivity, but also for overall team performance, morale, and the organisation’s security posture.

  4. Seek Feedback Regularly: Regularly ask for feedback on priorities. This not only ensures you’re focusing on the right tasks but also shows your manager that you’re committed to your role.

  5. Use Data: Use data and examples from your work to show how the current system affects productivity and outcomes. Concrete evidence can be more persuasive than abstract discussions.

Effective communication can go a long way in creating an environment that values prioritisation and understands its impact on team productivity and morale.

Remember, in cybersecurity, your team is your strongest line of defense.

While navigating prioritisation in cybersecurity can be challenging, especially in dynamic environments, it is far from impossible. Armed with effective frameworks like the Eisenhower Decision Matrix and the SCARF model, and a commitment to open communication, managers and team members alike can foster an environment that not only effectively manages tasks but also engages and empowers its team members.