While the visualize phase establishes a common understanding of problems and potential solutions, the prioritize phase ensures that resources are channeled into the areas that most influence your bottom line.
With the understanding that you cannot fix everything (at least, not all at the same time), the goal of process prioritization is to "rack and stack" the problems that your office is experiencing and then prioritize solutions accordingly. One way to pinpoint which problems are most pressing is to investigate the root cause(s) at the source of multiple emergent challenges. There are various methods of performing root cause analysis, including Five Whys Analysis, Failure Mode and Effects Analysis, Pareto Analysis, Fault Tree Analysis, and many others. This guide highlights a straightforward framework for generating answers called a Fishbone Diagram (also called an Ishikawa Diagram).
Another way of prioritizing your process improvement efforts is to determine which areas of your process expose you to the least acceptable level of risk, and use those areas as a starting point. Making that determination can be complex, but it's possible to use data to support your decision. This section provides an overview of a risk ranking methodology that can be applied to prioritize efforts based on risk.
Finally, you have a complete understanding of the problems keeping your security processes from achieving their full potential -- your analysis has led you to the point where you know exactly what needs to be fixed. There is one more crucial step left in the prioritize phase: ranking possible solutions to those problems, ensuring the maximum return on the time and money you decide to invest in process improvement. Big Sky's go-to tool for this analysis is called a Benefit-Effort Matrix, covered at the end of this section.
Fishbone Diagram
One of the simplest and most effective tools for getting to the root cause of a problem is the Fishbone Diagram. Executed correctly, this exercise can push you and your team to think beyond what’s “commonly known” in your office and reveal underlying issues that must be addressed before any of the symptom issues can be resolved.
Risk Ranking Methodology
In practice, you cannot protect everything, so you need to have a clear idea of what is worth protecting using risk analysis tools. Risk ranking is a valuable exercise that allows your team to methodically think through the consequences of assets being compromised, and make forced trade-offs to focus limited resources on the most important areas. Here’s a high-level overview of how to do it:
1. Identify your key assets - your SIPOC chart is a helpful resource to review, as you may find that nearly all of the elements listed could be considered assets for your organization. If the list of assets is lengthy, narrowing it down to a "top ten" list will make it more manageable.
2. Quantify the damage your organization would incur if these key assets were lost or compromised. The most accurate approach is to estimate the cost (in dollars). This may seem like a challenge but is absolutely possible - just ask any insurance actuary. If that doesn’t work for you, ranking the loss of each asset on a severity scale of 1-5, ranging from “insignificant” to “catastrophic impact”, can be used to quantify potential damage.
3. Rank each potential loss according to the likelihood that it will occur on a scale of 1-5 from “rare” to “inevitable”.
4. Plot each risk on a matrix (see example), creating a visual illustration of how your program’s risks rank from low to extreme.
Benefit-Effort Matrix
The next step towards optimizing your security processes is to take your list of solutions and prioritize it, using a Benefit-Effort Matrix. This tool provides meaningful context for prioritizing solutions based on the benefit you expect to get out of the fix and the level of effort required to implement it. Just as you did in the risk ranking exercise, go through your list of solutions and assign a numerical value to each attribute:
Benefit: Rank the level of benefits you can reasonably expect to get out of implementing each solution on a scale of 1-10. Think in terms of the solution’s capacity to address the risks you've identified, ranging from “would address a minor/insignificant risk” to “would prevent multiple extreme risks.”
Effort: Rank the level of effort you anticipate in implementing each solution on a scale of 1-10, where 1 equates to “would require no additional funds and less than one person to implement” and 10 equates to “would require significant additional funding and the full attention of a team of people.”
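Both scoring schemes in working form, as an added example that is not part of the Big Sky guide: a risk register scored severity times likelihood on the 5x5 matrix from the risk ranking steps, and a solution list sorted by Benefit-Effort quadrant so that quick wins surface first. The band cut-offs, the midpoint split of the 1-10 scales, the quadrant names and the sample assets and solutions are all assumptions or constructed data, since the guide leaves them to the reader.

```python
from dataclasses import dataclass
def _check_scale(value: int, top: int) -> None:
    """Reject scores outside the 1..top scale the guide prescribes."""
    if not 1 <= value <= top:
        raise ValueError(f"score {value} outside 1-{top} scale")

@dataclass
class Risk:
    asset: str
    severity: int    # 1 "insignificant" .. 5 "catastrophic impact"
    likelihood: int  # 1 "rare" .. 5 "inevitable"
    def score(self) -> int:  # cell value on the 5x5 matrix
        _check_scale(self.severity, 5)
        _check_scale(self.likelihood, 5)
        return self.severity * self.likelihood

# Assumed band cut-offs for the 1..25 matrix; the guide only says "low to extreme".
BANDS = [(15, "extreme"), (10, "high"), (5, "moderate"), (1, "low")]
def risk_band(score: int) -> str:
    return next(name for floor, name in BANDS if score >= floor)
def rank_risks(risks: list) -> list:  # rack and stack: highest score first, ties by asset name
    return sorted(risks, key=lambda r: (-r.score(), r.asset))

@dataclass
class Solution:
    name: str
    benefit: int  # 1 "addresses a minor risk" .. 10 "prevents multiple extreme risks"
    effort: int   # 1 "no extra funds, under one person" .. 10 "major funding, a full team"

def quadrant(sol: Solution) -> str:
    """Benefit-Effort quadrant; the split at the midpoint of each scale is assumed."""
    _check_scale(sol.benefit, 10)
    _check_scale(sol.effort, 10)
    high_benefit, low_effort = sol.benefit > 5, sol.effort <= 5
    if high_benefit:
        return "quick win" if low_effort else "major project"
    return "fill-in" if low_effort else "thankless task"

def prioritize(solutions: list) -> list:
    """Quick wins first (the guide's third output), then by benefit per unit of effort."""
    order = {"quick win": 0, "major project": 1, "fill-in": 2, "thankless task": 3}
    return sorted(solutions, key=lambda s: (order[quadrant(s)], -s.benefit / s.effort))

# Constructed sample register and solution list, not from the guide.
RISKS = [Risk("access control database", 5, 3), Risk("visitor log binder", 2, 4),
         Risk("camera footage archive", 4, 2), Risk("patrol radio", 3, 1)]
SOLUTIONS = [Solution("rotate shared alarm codes", 7, 2), Solution("replace legacy badge system", 9, 9),
             Solution("laminate visitor log instructions", 2, 1),
             Solution("manual monthly footage audit", 3, 8), Solution("automate key inventory", 6, 4)]
```

Feeding `RISKS` to `rank_risks` and `SOLUTIONS` to `prioritize` reproduces the two ranked lists the prioritize phase asks for; out-of-range scores raise rather than silently distorting the matrix.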
You should walk away from the prioritize phase with three main outputs:
1. A list of problems that introduce risk into your security operations. Gather groups of stakeholders to identify the root causes of the problems you've identified to avoid solving the wrong issues, then rank your list based on risk.
2. A list of potential solutions that, once implemented, will help you do more with less. Assess the expected return on investment for each solution before you move forward with implementation, and prioritize the possible solutions to ensure that you'll get the biggest bang for your buck.
3. A list of quick wins. Plan to implement these first to see immediate results and gain momentum.