
Is it time you used the Matrix?

by Andy Clutton

Jordan Schroeder of Barrier Networks discusses a new approach to managing cyber risk: The Eisenhower Matrix

The 34th President of the United States, Dwight D. Eisenhower, is one of the most famous leaders in history. During his busy eight-year term in office, he funded $25 billion towards 40,000 miles of four-lane interstate highways, secured a truce in Korea, worked hard to ease the tensions of the Cold War and spurred significant economic growth in America.

His term was hailed as a triumphant period for the United States, which earned him a reputation as one of the world’s most capable leaders.

But achieving this level of success is no easy feat, and one of the things that supported Eisenhower throughout his career was the way he managed and prioritised the high-stakes issues he faced.

Eisenhower followed a strategy that is now famed across the world – known as the ‘urgency versus importance’ matrix.

The matrix is widely adopted across the business world today, where it is used to help organisations prioritise projects and budgets.

But, with the matrix offering such value to many industries, how can it support organisations when it comes to understanding and prioritising cyber risks?

The Eisenhower Matrix

When it comes to managing risks today, many organisations adopt the traditional quantitative or qualitative ‘likelihood versus impact’ matrix. However, the Eisenhower Matrix can complement this assessment and provide a more streamlined measurement of risk, helping organisations understand and communicate it more effectively.

It focuses on urgency and importance and ranks different issues according to these scales.

For instance, an organisation could identify a security project which is important but not urgent, which means it might be prioritised lower than other issues which are both important and urgent.

Every organisation can adopt the Eisenhower Matrix to align with their specific needs and it often provides more actionable insights that can be communicated to business leaders in a language familiar to them.

Eisenhower meets digital risk

Cyber crime is a major threat to all businesses today, but many are still in the process of implementing security programs to bolster their resilience.

These programs cannot be adopted overnight – they take planning, the re-architecting of systems, the implementation of new tools and processes, training employees and the need to meet regulatory compliance requirements.

This also means adopting security programs is very costly, so they are not something organisations can do in one go.

Instead, organisations will often roadmap their security projects, setting out metrics and goals towards improvement.

Identifying these goals and roadmapping them is something the Eisenhower Matrix can support.

All organisations have different levels of risk appetite, so each will be individual. However, an example of this could be a lack of multi-factor authentication (MFA) within a business. Cyber criminals routinely exploit employee passwords to gain access to enterprise networks and execute ransomware attacks. This is a major threat that businesses encounter every day, which can cost them hundreds of thousands to recover from.

Adopting MFA would therefore likely be very important and very urgent, so an organisation would prioritise it.

Another example could be the announcement of an actively exploited zero-day vulnerability, similar to Log4j, in a piece of software or hardware an organisation depends on. Given that attackers are already using the vulnerability to launch attacks, patching it is critical, so again it would be rated both urgent and important.

However, there could be some security initiatives which are less important and don’t need to be prioritised, such as patching a low severity vulnerability in a piece of technology that has limited network access and doesn’t host any sensitive data.

The scale will vary across different organisations and will be unique to their risk appetite, but using the Eisenhower Matrix provides a clear way to assess their security status and prioritise defences.

However, for it to be successful, organisations must get under the hood of their digital estate to understand their network so they can make informed and accurate decisions. This often means working with security teams so they can have a technical overview, but also keeping up to date with security news and government regulations so they have a full picture of the cyber landscape.

Overall, the Eisenhower Matrix provides clear and actionable intelligence to help organisations manage their risk and communicate with boards more effectively to support budget prioritisation.

It can work to complement traditional quantitative or qualitative measurements, while ensuring the correct security objectives are being met to help organisations improve their overall cyber resilience.

Author: Jordan Schroeder is the managing CISO at Barrier Networks
