One of the most common concerns I hear about from the enterprises I speak with all the time is that of having too much to do. There’s never enough [time, money, people] to go around. So, what are they doing that’s working?
Today, I’ll share one method that seems to be adding value for some of the people I work with in “real life”: Prioritize and Focus on What’s Most Important. This may seem obvious, but you’d be surprised at how difficult this can be for many enterprises. I think it’s because there are so many opinions about what’s important.
More companies are pursuing risk frameworks these days, but even that seems like too much to take on. I don’t think you have to go the formal route with risk frameworks to get some quick value out of risk-based prioritization. A simple method I’ve seen is to figure out what your key, revenue-bearing business services are and to focus first on the IT infrastructure and processes that support them.
One of the companies I’ve worked with thinks of things in terms of how close they are to “touching the revenue.” If a person, piece of infrastructure, application, or other element of the business is directly involved in creating, capturing, or supporting revenue, it is an “A” priority. This means you focus on keeping the A’s available, secure, resilient, etc. first – these are the elements that can make or break your business. This approach not only seems like a good idea, but it also makes it easier to tie information security activity back to something that the business is willing to invest to protect.
I also advise enterprises to look at the components that were responsible for, or at least involved in, service-impacting events over the past year. These should be added to the “A” list and given extra scrutiny. After all, if they were susceptible to problems or shenanigans in the past, chances are they will be again.
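To make the “touching the revenue” idea concrete, here is an added worked example (my own illustration, not code from the post or from the company described). It generalizes the approach slightly: instead of only tagging assets that directly touch revenue, it models the IT estate as a dependency graph, measures each asset’s distance in hops from a revenue-bearing service, marks anything within a configurable number of hops as an “A”, and then bumps any component with a service-impacting event in the past year to “A” regardless of distance. The asset names, dependency edges, and incident history are constructed sample data; the one-hop threshold is an assumption you would tune to your own environment.

```python
from collections import deque

# Constructed sample inventory: asset -> assets it depends on (directed edges).
# Names are illustrative only and do not come from the original post.
SAMPLE_DEPENDENCIES = {
    "checkout-web": ["payment-api", "session-cache"],
    "payment-api": ["orders-db", "hsm-cluster"],
    "orders-db": ["san-storage"],
    "session-cache": [],
    "hsm-cluster": [],
    "san-storage": [],
    "hr-portal": ["hr-db"],
    "hr-db": ["san-storage"],
    "wiki": [],
}

# Services that directly create or capture revenue (distance 0). Constructed.
SAMPLE_REVENUE_SERVICES = {"checkout-web"}

# Components involved in service-impacting events over the past year. Constructed.
SAMPLE_INCIDENT_HISTORY = {"session-cache", "hr-db"}


def all_assets(deps):
    """Every asset named anywhere in the dependency map, as keys or as targets."""
    assets = set(deps)
    for targets in deps.values():
        assets.update(targets)
    return assets


def revenue_distance(deps, revenue_services):
    """Breadth-first search outward from the revenue-bearing services along
    dependency edges. Returns {asset: hops}; assets that no revenue service
    depends on (directly or transitively) are omitted."""
    dist = {service: 0 for service in revenue_services}
    queue = deque(revenue_services)
    while queue:
        node = queue.popleft()
        for dep in deps.get(node, []):
            if dep not in dist:
                dist[dep] = dist[node] + 1
                queue.append(dep)
    return dist


def prioritize(deps, revenue_services, incident_history, a_max_hops=1):
    """Assign a priority letter and a reason to every asset:
    A: involved in a past service-impacting event, or within a_max_hops of revenue
    B: in the revenue dependency chain but further away
    C: not in the revenue dependency chain at all."""
    dist = revenue_distance(deps, revenue_services)
    result = {}
    for asset in sorted(all_assets(deps)):
        if asset in incident_history:
            result[asset] = ("A", "past incident")
        elif asset in dist and dist[asset] <= a_max_hops:
            result[asset] = ("A", f"{dist[asset]} hop(s) from revenue")
        elif asset in dist:
            result[asset] = ("B", f"{dist[asset]} hop(s) from revenue")
        else:
            result[asset] = ("C", "not in revenue chain")
    return result


def worklist(priorities):
    """Order assets A first, then B, then C, alphabetically within each tier."""
    return sorted(priorities, key=lambda a: (priorities[a][0], a))


if __name__ == "__main__":
    ranked = prioritize(SAMPLE_DEPENDENCIES, SAMPLE_REVENUE_SERVICES, SAMPLE_INCIDENT_HISTORY)
    for asset in worklist(ranked):
        letter, reason = ranked[asset]
        print(f"{letter}  {asset:<14} {reason}")
```

In the sample data this puts checkout-web, payment-api, session-cache and hr-db on the “A” list (the last two purely because of incident history), leaves orders-db, hsm-cluster and san-storage as “B”, and pushes hr-portal and wiki to “C”. The hop threshold is the knob that decides how far “touching the revenue” reaches; a shared component such as san-storage sits several hops away here, which is exactly the kind of result worth sanity-checking against what the business would say.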
This is a light treatment of this topic, I realize. If you’d like me to share others or go deeper on this one, let me know so I can factor it into my posting here in the future.
Also, if you have found some magic that works for you in dealing with the deluge of information security work, please drop me a line or leave a comment.