Craig Burland, the Chief Information Security Officer (CISO) at Inversion6, discusses the challenges that companies face when trying to implement the concept of “ruthless prioritization” and proposes an alternative approach for cyber security professionals.
Burland starts by acknowledging the common mantra of “ruthless prioritization” that many companies emphasize in a world driven by technology and rapid change. The idea is to cut away the unnecessary and focus on the truly important in light of limited resources and time. However, he argues that many companies are ill-equipped to genuinely practice this level of prioritization, especially in the cyber security domain where mid-level managers are tasked with juggling numerous operational demands and finite resources.
He points out the illusion of “ruthless prioritization,” explaining that while it evokes images of decisive leaders making hard choices and sharing those decisions clearly, the reality often falls short. The process of deciding which projects are the most “critical” lacks discipline, data, and collaboration, leading to a chaotic mess of competing interests and tasks. This is particularly true in the cyber security realm, where mid-level managers find themselves overwhelmed with an array of operational demands, from patching vulnerabilities to implementing new security solutions.
Given these challenges, Burland proposes an alternative approach called “risk-less prioritization.” This method emphasizes understanding and reducing the most significant risks in cyber security rather than trying to decide which tasks or projects are more “important” in abstract terms. By prioritizing based on risk, cyber teams can focus their energy and resources where they will have the most substantial impact, aligning with the essence of cyber security – protecting critical assets from the most significant threats.
He outlines the key steps of risk-less prioritization, including regular risk assessment, quantifying impact, allocating resources based on potential impact, communicating decisions, and iterating and reviewing priorities as the threat landscape changes.
In conclusion, Burland acknowledges the challenges of implementing “ruthless prioritization” and emphasizes the need to shift the focus from a vague notion of “importance” to concrete risk reduction. He believes that risk-less prioritization provides a practical, impactful, and grounded approach, ensuring that cyber teams protect their organizations against the most significant threats first.
In essence, Burland’s insights shed light on the challenges of prioritization in the cyber security domain and provide a practical alternative in the form of risk-less prioritization, ultimately aiming to protect organizations against cyber threats more effectively.
About the Author
Craig Burland is the CISO of Inversion6, bringing decades of industry experience to the company. He has led information security operations for a Fortune 200 company and has been involved in various cyber security organizations. Burland can be reached on LinkedIn and at the Inversion6 company website.