
Many cybersecurity professionals dream of a world with a limited number of threats to address. They envision a “Cybersecurity March Madness” where 64 clear-cut projects compete head-to-head, eventually whittled down to a Final Four of essential security measures. Unfortunately, reality paints a different picture.

The truth is that cybersecurity resembles a never-ending international season – an overwhelming expanse of potential threats, vulnerabilities, and security tools. The Standish Group Chaos Report underscores this reality, revealing that only 29% of IT projects succeed, with a staggering 19% considered outright failures. These statistics translate directly to cybersecurity programs, where haphazard project selection can lead to wasted resources and lingering vulnerabilities.

This article isn’t about a “Cinderella story” solution, but rather a practical framework for prioritizing cybersecurity efforts. Here’s how to leverage “bracketology” concepts to focus your team, reduce risk, and achieve “shots on goal” in the battle against cyber threats.

Beyond the Field of 64: Embracing the Information Security “Regular Season”

Imagine inheriting a security program with a million potential projects. Overwhelmed? You’re not alone. Unlike the dream of a limited number of threats, the reality is a vast “regular season” of potential security concerns. Here’s the key takeaway: absolute security doesn’t exist. Focusing on prioritizing risk reduction becomes paramount.

The Well-Rounded Team: People, Process, and Technology

A balanced cybersecurity program is a three-legged stool:

  1. People: Humans are often the weakest link. Over 90% of cyber incidents begin with phishing attacks, exploiting human vulnerabilities. Equipping your team with a defensive mindset and awareness training is crucial.
  2. Process: Technology is only as effective as the processes that govern its use. Clear and defined procedures for scaling technology across divisions and managing key controls are essential.
  3. Technology: The security landscape offers a vast array of tools. While some are invaluable, others may be overhyped. Focus on solutions that address your specific needs and avoid falling prey to aggressive sales tactics.

Prioritization Through Risk Management

With a plethora of potential investments in people, process, and technology, how do you prioritize? Risk management provides the answer.

  • Identify your Crown Jewels: Understanding the most critical assets and data in your organization allows you to prioritize efforts that safeguard them first.
  • Threat Landscape Analysis: Understanding the threats most likely to target your organization helps you allocate resources effectively.
  • Maturity and Controls Landscape: Evaluate your current security posture to identify gaps and areas requiring immediate attention.
  • Business Risk Assessment: Analyze the potential business impact of a security breach to prioritize controls that mitigate the most significant risks.

Information classification is a crucial step in understanding your “Crown Jewels.” By classifying data based on sensitivity, you can tailor security measures accordingly.

From Tournament to Playoffs: Focusing Your Efforts

Even after prioritizing projects, you may face resource constraints. Here are some strategies to narrow down your focus:

  • Benefit/Effort Analysis: Plot projects based on complexity and risk reduction potential, prioritizing those with high benefit and low effort.
  • Stack Ranking: Rank projects based on urgency and available team capacity to ensure you address the most critical issues first.
  • Resource Allocation: Realistically assess your team’s capabilities, budget, and workload to determine a manageable number of projects.

Avoid the “64 Pickup” Approach: Throwing all security concerns into the mix without prioritization is a recipe for failure.

Building a Winning Team: Reveal Risk Can Help

At Reveal Risk, we understand the challenges of navigating the cybersecurity landscape. Our team of experienced professionals offers a unique perspective:

  • Tenured Security Leaders: We’ve been in your shoes, facing the same challenges you encounter daily.
  • Diverse Expertise: Our team combines cybersecurity expertise with legal, Six Sigma, and military backgrounds.
  • Focus on Business Risk: We help you understand your business risks and prioritize security investments accordingly.

By partnering with Reveal Risk, you can:

  • Maximize your “shots on goal” to reduce cyber risk.
  • Achieve success regardless of team size, budget, or program maturity.
  • Prioritize and focus your efforts for optimal results.

Don’t let cybersecurity overwhelm your team. Reveal Risk can help you navigate the “regular season” and achieve success in the ever-evolving world of cyber threats. Contact us today at to learn more.


At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at  


About the Author

Aaron is a former senior IT/Security/Audit/Privacy/Risk leader at Eli Lilly with over 20 years of experience in the pharmaceutical and life sciences sector. He founded the risk management working group for the H-ISAC (Healthcare Information Security and Analysis Center), which enabled information sharing and benchmarking across pharma, payers, and health care providers. Aaron is a certified Six Sigma Black Belt with a career emphasis on building and improving internal processes and controls.
