80/20 rule and Cybersecurity
Maximize security with minimal effort
Let’s continue with the principles and simplification of Cybersecurity, as I believe this is an area that will benefit lot’s of people and will make Cybersecurity better for everyone 🙂
Long time ago I discovered the 80/20 rule when I got my hands on this book by Richard Koch:
Thanks for reading! Subscribe for free to receive new posts and support my work.
I remember being pretty shocked at the concept, but the more I delved into it, the more it became a key tool in my decision-making and analysis.
What I am surprised is that not everyone is familiar with it, and I was assuming that everyone knows and apply it, but it is normal to assume that something you know is easy and everybody knows it.
So what is it about? the 80/20 rule says that roughly 80% of the results are obtained with 20% percent of the effort. Think about that for a moment, most of what you accomplish comes from just a small fraction of what you do.
This rule is also called the Pareto Principle, named after Vilfredo Pareto (1848–1923) an Italian engineer, sociologist, economist, and philosopher. Originally, Pareto observed this phenomenon in wealth distribution, noting that 20% of Italy’s population owned 80% of its wealth.
I have seen it and applied in many aspect of my life, more heavily at work, and particularly in Cybersecurity.
The first example I have noticed, was when doing vulnerability assessments usually 80% of vulnerabilities where found in 20% of the assets. In Internal security assessment I remember that is was consistent, usually due to legacy system concentrating the majority of the vulnerabilities, or the assets belonging to particular teams that for different reasons they were struggling with patching or decommissioning services. I remember that at one point we started to add this observations in the audit/vulnerability assessment reports, to show how focusing in a few assets would reduce the amount of vulnerabilities. Usually the discussion on the customer side went “Do we need these systems? can we decommission them?” (I understand that this approach could be focusing just in volumen and not presicely on risk, today we have much more context to make better prioritization desicions with Vulnerability indicators like KEV, asset exposure, attack path and the likes).
If we look into security controls, we can find that 80% of the incidents could be prevented by implementing 20% of available security controls, you should implement the most effective controls first, for example multi-factor authentication, regular patching, and employee security awareness training could prevent the majority of potential security incidents.
Another example could be that 80% of policy violations may involve 20% of security policies, focus on enforcing and improving the most frequently violated policies.
When it comes to Threat intelligence 80% of relevant threat intelligence may come from 20% of sources. Focus on the most reliable and applicable threat intelligence feeds. You should understand which sources where most useful over the time, and which sources provided the most actionable intelligence.
The 80/20 principle is especially relevant in project management. When starting new projects, it’s important to recognize that 80% of the results will come from just 20% of the effort. However, completing the remaining 20% of the work will still require significant effort. By adopting agile practices and an iterative approach, you can deliver value early on with that initial 20% of effort, ensuring progress and impact from the start.
When looking at compliance we may see that 80% of compliance requirements might be satisfied by 20% of your security controls, thus Implementing multi-purpose controls that address multiple compliance needs will provide time and resources savings.
When it comes to Data protection, 80% of sensitive data may reside in 20% of your databases or systems, focus encryption and access control efforts on these critical data stores first.
So how can you start applying this principle in your way of working?
Step 1: Identify Your 20%
Begin by assessing your daily activities. Reflect on the following:
• Which tasks or actions yield the most significant results?
• Which clients, projects, or relationships offer the highest return on your time and energy?
In a cybersecurity context, this could involve identifying the systems, controls, or protocols that contribute most to your security posture.
Step 2: Focus on the most impactful Tasks
After pinpointing your 20%, shift your attention. Dedicate more time to these high-impact activities and less to those that don’t significantly advance your goals. This might involve delegating tasks, saying “no” more often, or reorganizing your priorities to concentrate on work that adds the most value—whether it’s in managing key clients, projects or securing critical assets.
Step 3: Cut the Low-Value 80%
This step can be challenging: reduce or eliminate time spent on low-value tasks. These are the activities that consume time but contribute little to your objectives. It could be excessive meetings, unnecessary emails, or even habits that drain your energy. By minimizing these, you’ll free up valuable time to invest in your 20%, such as focusing on essential security measures or client relationships.
Step 4: Continously reevaluate
The 80/20 Rule isn’t a one-time task. It requires regular reevaluation. Every few months, take a moment to reassess your 20%. As your goals and priorities evolve, so will the activities that deliver the highest returns. This consistent evaluation ensures that you stay focused on what matters most, whether in life or in maintaining a strong cybersecurity stance.
I hope this principle will help you improve your decision making and prioritization skills making your cybersecurity teams more efficient.
Take a moment to assess your cybersecurity strategy today. Identify the key areas where the 80/20 principle can make the most impact, and start focusing your efforts where they count the most.
Thanks for reading! Subscribe for free to receive new posts and support my work.