
Lesson Learned from a CISO: Visualizing Information Security Priorities

At a recent security convention, I had the opportunity to meet and learn from an experienced CISO. This CISO introduced me to a simple yet powerful method for managing an information security program using a bubble chart. I want to share the insights I gained from this valuable lesson and how it can help prioritize security tasks.

The bubble chart has two axes: the y-axis represents the difficulty of implementing a specific security component, and the x-axis indicates its maturity. The size of each bubble corresponds to the weight or importance of that component within the security program.

For instance, let’s look at two examples from the chart: policies and patching. The “policies” bubble is positioned towards the higher end of the maturity axis and somewhat in the middle of the difficulty axis. This placement suggests that although policies are essential, they are currently a low-priority concern.

Conversely, the “patching” bubble is considerably larger, indicating its significant weight within the program. It is located at the lower end of the maturity and difficulty axes. This placement implies that patching is a crucial yet easy-to-implement security measure that should be addressed promptly.

In this specific scenario, it makes sense to tackle the patching issue before focusing on policies. The visual representation provided by the bubble chart helps to effectively communicate the priorities and complexities of an information security program.

A bubble chart is an excellent tool for security professionals to visualize and manage their information security program priorities. Plotting components based on difficulty, maturity, and weight makes it easier to identify which areas require immediate attention and allocate resources accordingly.
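The chart described above can be generated with a few lines of Python. This is an added example, not something from the CISO or the original post: the component values are constructed to match the two bubbles discussed, and the `priority` score (weight times immaturity times ease) is an assumed heuristic for turning the chart into an ordered list.

```python
from dataclasses import dataclass
from html import escape

@dataclass(frozen=True)
class Component:
    name: str
    maturity: float    # x-axis, 0 (immature) .. 1 (mature)
    difficulty: float  # y-axis, 0 (easy) .. 1 (hard)
    weight: float      # bubble size: relative importance in the program

# Constructed sample values, placed to match the two bubbles described in the post.
COMPONENTS = [
    Component("policies", maturity=0.80, difficulty=0.50, weight=3),
    Component("patching", maturity=0.15, difficulty=0.20, weight=9),
]

def priority(c):
    """Assumed heuristic: heavy, immature, easy-to-fix components score highest."""
    return c.weight * (1 - c.maturity) * (1 - c.difficulty)

def ranked(components):
    return sorted(components, key=priority, reverse=True)

def bubble_chart_svg(components, size=400, margin=40, max_radius=40):
    """Return the chart as SVG text: x = maturity, y = difficulty, area = weight."""
    for c in components:
        if not (0 <= c.maturity <= 1 and 0 <= c.difficulty <= 1 and c.weight > 0):
            raise ValueError(f"out-of-range values for {c.name!r}")
    span = size - 2 * margin
    heaviest = max(c.weight for c in components)
    parts = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{size}" height="{size}">',
             f'<rect x="{margin}" y="{margin}" width="{span}" height="{span}" fill="none" stroke="black"/>',
             f'<text x="{size / 2}" y="{size - 10}" text-anchor="middle">maturity</text>',
             f'<text x="12" y="{size / 2}" transform="rotate(-90 12 {size / 2})" text-anchor="middle">difficulty</text>']
    for c in components:
        cx = margin + c.maturity * span
        cy = size - margin - c.difficulty * span       # SVG y grows downward
        r = max_radius * (c.weight / heaviest) ** 0.5  # scale area, not radius, by weight
        parts.append(f'<circle cx="{cx:.1f}" cy="{cy:.1f}" r="{r:.1f}" fill="steelblue" fill-opacity="0.5"/>')
        parts.append(f'<text x="{cx:.1f}" y="{cy:.1f}" text-anchor="middle">{escape(c.name)}</text>')
    parts.append("</svg>")
    return "\n".join(parts)

if __name__ == "__main__":
    with open("security_priorities.svg", "w") as fh:
        fh.write(bubble_chart_svg(COMPONENTS))
    for c in ranked(COMPONENTS):
        print(f"{c.name:10s} priority={priority(c):.2f}")
```

Scaling the bubble's area rather than its radius keeps a component with three times the weight from looking nine times as large.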
