You have a lot going on as a CISO. Managing whole-of-company security spreads you so thin that there aren't enough hours in the day to drill too far down into any particular task.
This makes prioritizing scarce resources the most important part of the job. Especially time: your time, and that of your team. But also money. How should you organize your employees, vendors, and contractors for maximum benefit to your employer?
A bewildering set of options confronts you. How do you make good decisions?
What is your north star?
Go back to basics. Keep it simple. Do the obvious right thing. Then do the next obvious right thing. Then… you get the idea.
There is a temptation to get caught up in elaborate projects or to go down rabbit holes when that does not serve your employer.
It’s the blocking and tackling that matters. Getting the basics right. Getting the basics right consistently. Doing the obvious right thing, and doing it over and over again, and doing it in a repeatable, reliable manner.
All the fancy and expensive gizmos that vendors want to sell you don't matter at all if you aren't getting the basics right.
So if you're confused or overwhelmed, resist the temptation to go down rabbit holes. I too love spending weeks or months obsessing over a particular tech stack that fascinates me, but I keep it out of my day job. The CISO role is so broad that there is no room for that: you're not an IC anymore, you're a risk manager and a people manager.
Not sure what to do? Trust your instincts. Once you have a decade or more of experience under your belt, you have internalized those lessons learned.
Do the obvious right thing. Then do the obvious next right thing.
This is my north star. What's yours?