How to prioritise cybersecurity initiatives

With a plethora of cybersecurity programmes that all demand execution as soon as they are identified in an organisation, how does management go about choosing one over another in this fast-changing environment?

There are three distinct parameters you can use to arrive at an empirical calculation.

  1. Risk Rating (R) – What level of risk does the organisation carry in the absence of this initiative?
  2. Cost Levels (C) – What level of funding is required to implement it?
  3. LOE (Level of Effort) Levels (E) – What is the human cost of labour, i.e. the time and people required?

Once these are defined and assigned to each of the cyber initiatives you have in the offing, the following steps can be taken to prioritise the initiatives and develop roadmaps:

  • Use the RCE to rank each initiative as a High, Medium, or Low priority (definitions below)
  1. High – The recommendation will remediate a present risk to the organization’s information or is a prerequisite to other initiatives.
  2. Medium – The recommendation will move the organization closer to industry best practices in information risk management.
  3. Low – The recommendation will move the organization towards the leading edge of information risk management.
  • Based on the priority, determine the start dates of the initiatives
  • Determine any dependencies that exist between initiatives
  • Review the list of in-flight initiatives and determine any dependencies on these initiatives
  • Use the timeline, dependencies, and start date information to develop execution roadmaps and sequencing of initiatives