Episode 24 — Set direction and priorities that focus teams on measurable outcomes
In this episode, we focus on a leadership skill that looks simple from the outside but decides whether security and technology teams actually make progress, which is setting direction and priorities so effort turns into measurable outcomes. Most teams are not short on work, they are short on clarity about what matters most and what success will look like when they get there. When direction is vague, people default to activity, and activity can feel productive while outcomes remain unchanged. When priorities are unstable, teams learn to wait, because today’s urgent ask may disappear tomorrow, and that waiting becomes rational self defense. The aim here is to build a decision discipline that makes priorities durable, measurable, and explainable. When you do that, you reduce wasted motion, you reduce conflict between teams, and you make it much easier to see whether the organization is getting safer, more reliable, and more resilient.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
Measurable outcomes start with a definition that forces specificity, and the simplest way to force specificity is to include who, what, when, and measured how. Who clarifies the population or system you are improving, because outcomes that apply to everyone often apply to no one in practice. What names the change you want, not the activity you will perform, because activity is an input and outcome is the result. When creates urgency and a planning horizon, which prevents the outcome from becoming an eternal aspiration. Measured how defines the evidence that will prove the outcome is real, which prevents teams from declaring victory based on effort instead of impact. This structure also helps you spot outcomes that are actually goals in disguise, like improve security posture, because they lack measurement. When outcomes are defined this way, priorities become easier to argue about productively, because the argument shifts from preference to evidence and timeline.
Outcome definition is also where you decide whether you are describing a result that leadership can meaningfully sponsor. If the outcome is something only a single engineer can validate, it may be too narrow for organizational prioritization, even if it is technically correct. If it is something so broad that measurement becomes subjective, it will turn into politics, because people will interpret progress through the lens of their own incentives. A good outcome makes it possible for a reasonable outsider to evaluate whether you are on track, at risk, or off track without needing a long narrative. It also makes tradeoffs clearer, because you can compare two outcomes by looking at who benefits, what changes, when it must change, and how the change will be measured. This is one of the most underrated benefits of strong outcomes, because it turns prioritization into an engineering problem rather than a debate about whose work matters more.
Once outcomes are defined, you can list initiatives and connect each initiative directly to specific outcomes, which is where direction becomes operational. An initiative without an explicit link to an outcome is either a comfort project or a habit, and habits consume capacity quietly. The linking discipline also prevents the common mistake of treating initiatives as the goal, because initiatives are just a vehicle. When you connect each initiative to an outcome, you can ask a simple question, if we complete this initiative, what changes in measurement and by when. If the answer is unclear, the initiative may need to be reframed, reduced, or removed. This linking also helps you detect duplicate effort across teams, because two initiatives may be chasing the same outcome through different language. When you consolidate, you reduce contention and you make it easier to staff the work properly.
Connecting initiatives to outcomes also helps you avoid the trap of starting with solutions before you agree on the result. Teams love solutions, because solutions are concrete and they feel controllable, but an outcome first approach protects you from committing to a solution that does not move the needle. When you are outcome linked, you can adjust the initiative if evidence shows it is not producing the expected change. That adjustment becomes a responsible pivot, not a failure, because the commitment was to the outcome, not the method. It also makes stakeholder conversations easier, because you can speak about what the organization is buying with its limited attention. Leaders are often willing to fund a result, but they will push back on a pile of tasks that do not clearly add up to anything. Outcome linkage turns your plan into a story about measurable improvement rather than a list of things you plan to do.
With outcomes and linked initiatives in place, ranking becomes the central act of prioritization, and ranking is where you must be explicit about the criteria you will use. Value is the expected benefit if the outcome is achieved, and in security that benefit often shows up as reduced loss, reduced exposure time, improved reliability, or improved decision speed. Risk is both the risk of not doing the work and the risk of doing it poorly, including unintended consequences that increase fragility. Effort is not just engineering time, it includes coordination cost, change management, and operational overhead that persists after delivery. Dependency clarity is how well you understand what must be true for the work to succeed, because unclear dependencies are a common cause of schedule slips and surprise blockers. Ranking that includes dependency clarity tends to produce more reliable delivery, because it favors work that can actually be executed predictably.
Ranking is also where you show that prioritization is a choice, not a request for more capacity. If every initiative is ranked as critical, you have not ranked anything, you have only expressed anxiety. A useful way to maintain integrity is to force the ranking to reflect scarcity, because scarcity is real whether you acknowledge it or not. When you do this, you will often discover that some initiatives are valuable but not timely, because the organization cannot absorb the change right now. You will also find that some initiatives are urgent but not valuable, because they address symptoms rather than the outcome that matters. The ranking conversation should focus on which outcomes move the organization measurably, and which initiatives are the best vehicles given constraints. When ranking is consistent, teams stop gaming the system by labeling everything urgent, because urgency without criteria no longer wins.
Cutting low value work is the moment where leadership becomes visible, because it requires saying no to something that someone cares about. Low value does not mean pointless, it means that relative to other options, it does not move outcomes enough to justify its cost right now. The cost includes time, attention, coordination, and the opportunity cost of not doing something else. Cutting also protects teams from the accumulation of partial commitments, where everything is in progress and nothing finishes. Finishing is where outcomes become measurable, because incomplete work does not change the scoreboard. When you cut low value work, you are not only saving effort, you are increasing the probability that the remaining work will complete. This focus has a psychological benefit too, because teams are less stressed when they are allowed to succeed at a smaller number of meaningful goals rather than fail slowly across dozens of threads.
When you focus energy on high impact lanes, you should define what those lanes are in terms of outcomes, not in terms of departments or tools. A lane might be reducing exposure time for critical vulnerabilities, improving detection fidelity for specific attack paths, hardening identity workflows, or improving incident response time to containment. The lane exists to concentrate attention and to make tradeoffs clearer, because work that does not fit a lane needs a very strong justification. Lanes also help cross functional alignment, because different teams can contribute in different ways while still moving the same measurement. Without lanes, teams tend to optimize locally, which can lead to conflicting priorities and duplicated effort. High impact lanes are also a defense against calendar driven prioritization, where whoever shouts loudest or requests first wins. When lanes are clear, you can say yes to what matters and no to what distracts without personalizing the decision.
Timeboxing milestones turns priority into momentum, because a priority without time structure becomes a long slow drift. Milestones should be framed as checkpoints that reveal progress in measurable terms, not as ceremonial dates. A good milestone tells you whether the initiative is on track to produce the outcome, and it gives you an opportunity to adjust before the end date is missed. Timeboxing also encourages smaller slices of value, which reduces risk because you discover integration problems earlier. Visible checkpoints matter because teams and stakeholders need a shared rhythm, especially when work spans multiple groups. When people cannot see progress, they assume it is not happening, and that assumption drives interruptions and escalations that slow the work further. Timeboxed milestones create a feedback loop, because each checkpoint provides evidence that either supports continuing the plan or supports changing course.
Milestones also protect the team from the false comfort of long horizons. A six month initiative can feel safe because the deadline is far away, but long horizons are where misalignment hides and dependencies surprise you late. When you create checkpoints, you force alignment early on scope, ownership, and evidence. You also create moments to confirm that the outcome measurement is still the right one, because environments change and what mattered two months ago may be less relevant now. This does not mean you constantly rewrite goals, it means you validate that the chosen lane still serves the organization. Checkpoints also help leadership intervene productively, because they can remove blockers when the blockers are still small. A timebox is not only a planning tool, it is a communication tool that tells everyone when they will get the next reliable update and what it will contain.
Direction collapses quickly if resources are not aligned, because priorities without staffing are just wishes. Aligning resources means assigning accountable owners with clear decision rights, so work does not stall waiting for permission from someone who is not engaged. Ownership is not the same as doing all the work, it is the responsibility for outcomes, coordination, and delivery. Decision rights clarify what the owner can decide alone, what requires consultation, and what requires approval, because ambiguity here creates delays and frustration. When owners have decision rights, they can move the work forward without endless meetings, and they can resolve tradeoffs in real time. Resource alignment also includes ensuring that owners have the capacity to lead, because an owner who is overloaded becomes a bottleneck. If you want measurable outcomes, you must treat ownership and capacity as first class constraints, not as afterthoughts.
Accountable ownership also improves measurement, because owners are the ones who can verify whether the outcome metric is moving and explain why. Without an owner, metrics often become passive reporting that no one feels responsible for changing. With an owner, measurement becomes a management tool, because it drives decisions about where to invest effort and where to adjust scope. Owners also provide continuity across inevitable personnel changes, because the initiative does not belong to a single heroic contributor. Clear decision rights reduce conflict because they prevent a crowd from trying to co own decisions while no one actually decides. This is especially important in security, where cross team work is the norm and where unclear decision paths can cause delays that increase exposure. When ownership and decision rights are explicit, the work becomes calmer and faster, which is often the best indicator that direction has become real.
Priorities also fail when teams run on incompatible cadences, because scheduling collisions create delays and missed dependencies. Syncing cadences across teams does not require everyone to adopt the same process, but it does require shared points where plans and constraints are reconciled. If one team plans quarterly and another plans weekly, the mismatch can create constant rework, because commitments are made on different time horizons. Shared checkpoints help, because they provide moments to confirm that upcoming milestones still fit the broader schedule, including maintenance windows, release cycles, and staffing constraints. Cadence alignment also reduces interruption costs, because teams can batch coordination rather than respond to ad hoc requests. When coordination is predictable, teams can protect deep work time, which increases quality and reduces the likelihood of mistakes. This is one of the subtle ways that prioritization improves outcomes, because it changes the rhythm of work from reactive to deliberate.
Scheduling collisions are not just inconvenient, they can create security risk because they push critical changes into narrow windows or force teams to accept compromises. If a remediation depends on a platform upgrade, and the platform upgrade is scheduled after the remediation deadline, you have a mismatch that must be resolved through reprioritization. Cadence syncing makes those mismatches visible early, when you can still adjust sequencing. It also helps with shared services teams, who are often overloaded and forced to triage requests. When cadences are aligned, those teams can anticipate demand and make capacity decisions that support the highest impact outcomes. This reduces the likelihood of last minute escalations, which are often where trust breaks down. In mature environments, cadence alignment becomes part of the institutional operating system, because it is one of the few levers that consistently reduces friction without requiring more headcount.
One of the most damaging pitfalls is changing priorities without communicating the rationale clearly. Priority changes are sometimes necessary, because threats evolve and incidents happen, but unexplained changes create cynicism and learned helplessness. When teams do not understand why priorities changed, they assume the change is political, random, or based on who complained loudest. That assumption reduces engagement, because people stop investing their best thinking in work that may be discarded. Clear rationale does not require a long essay, it requires a truthful explanation of what changed in value, risk, effort, or dependency clarity, and how that change affects outcomes. It also requires acknowledging the cost of the change, because switching priorities midstream has real waste and real morale impact. When you communicate rationale consistently, teams may still be disappointed, but they remain aligned because they can see the logic.
Rationale communication also protects the integrity of your direction setting, because it creates a record that can be revisited. If you pause something, you should be able to explain under what conditions it will resume, or what alternative outcome will take its place. This turns prioritization into an evolving strategy rather than a series of abrupt stops. It also helps stakeholders outside the team, because they can adjust their own plans rather than discovering later that a dependency vanished. Clear rationale reduces the urge for side deals, where teams try to bypass prioritization by finding informal approvals. When rationale is absent, informal paths multiply, and the organization ends up doing unplanned work anyway. When rationale is present, you can enforce focus without being adversarial, because the decision is grounded in shared criteria. Over time, this creates a culture where priority changes are treated as managed shifts rather than as chaos.
A realistic scenario is pausing an ongoing project to fund urgent risk reduction, which is a moment where direction must be both decisive and fair. The urgent risk may be a newly credible threat, an active exploitation pattern, or a control gap that was just revealed through an incident. In that moment, you must connect the priority change to outcomes, not to fear, because fear driven prioritization produces thrash. You would explain what outcome the urgent work will improve, such as reducing exposure in a high value system by a certain date, and why that outcome now outranks the paused project. You would also acknowledge what the pause costs, including schedule delay and lost momentum, because pretending there is no cost is disrespectful and invites distrust. Then you would set conditions for resuming the paused work, such as completing a defined milestone in the urgent lane or reaching a specific risk reduction checkpoint. This makes the pause a strategic choice rather than a permanent derailment.
In that scenario, the mechanics of follow through matter as much as the decision itself. You should re align owners and decision rights so the urgent work has clear leadership, and you should ensure the paused project has a stable state, so you do not create hidden operational risk by leaving work half integrated. You should also update milestones and checkpoints so progress on the urgent work is visible, because visibility is what keeps stakeholders from second guessing the change. If resources are moved, you should be explicit about where they moved and what work is no longer being done as a result, because every tradeoff has a shadow. This is also where cadence syncing becomes critical, because urgent work often requires coordination across teams that were not planning to work together this week. When you handle the pause with clarity and accountability, you preserve trust while still responding to reality, which is the hallmark of mature prioritization.
A useful practice is to write three outcomes and related priorities today, because the act of writing forces you to make choices concrete. The outcomes should be described in terms that include who, what, when, and measured how, because that structure prevents vague intention from masquerading as strategy. Related priorities should be the smallest set of initiatives that you believe will move those outcomes measurably within the given horizon. As you write, you will likely notice that some initiatives feel important but do not clearly link to any of the three outcomes, which is a signal that you either need a different outcome or you need to cut the initiative for now. You will also notice that some outcomes conflict, such as increasing delivery speed while also increasing control rigor, and that conflict is where tradeoffs must be made explicit. Practicing this writing does not lock you into a rigid plan, it gives you a baseline that can be refined, measured, and communicated. Direction becomes much easier when the first draft exists.
Keep a simple memory anchor in mind: priorities equal choices, and choices require tradeoffs. This anchor matters because many organizations pretend they can have everything, and that pretense is where exhaustion and disappointment come from. When you say yes to one outcome, you are often saying not yet to another, and pretending otherwise creates hidden conflict. Tradeoffs are not a sign of failure, they are evidence that you are managing scarcity honestly. The anchor also reminds you that prioritization is not about ranking tasks, it is about selecting which outcomes the organization will buy with its limited attention. When you communicate priorities, you should communicate the tradeoffs openly, because that is how you preserve credibility. If someone disagrees, they can disagree on the tradeoff, which is a productive disagreement, rather than arguing about whether their work matters. Clarity about tradeoffs is what keeps priorities stable under pressure.
As a mini review, effective direction and prioritization starts with outcomes that are defined precisely enough to measure, using who, what, when, and measured how. Initiatives are then connected directly to outcomes so effort is traceable to results and comfort projects are easier to detect. Ranking uses consistent criteria such as value, risk, effort, and dependency clarity, and the ranking forces real choices rather than declaring everything critical. Low value work is cut so high impact lanes can receive focus and actually finish, because completion is where measurement moves. Milestones are timeboxed into visible checkpoints that create momentum and enable early adjustment. Owners with decision rights are assigned so work does not stall, and cadences are synced across teams to reduce collisions and dependency surprises. Priority changes are communicated with clear rationale so teams remain aligned even when the plan must shift.
To conclude, publish priorities in a way that makes outcomes and tradeoffs visible, then schedule a review that validates whether focus is producing measurable movement. Publishing is not about broadcasting authority, it is about creating shared reality so teams can coordinate without constant clarification. The review should not be a ritual where everyone reports activity, it should be a checkpoint where you look at outcome measurements, milestone progress, and whether the ranking still reflects current risk and value. If you need to change course, you do it with rationale, updated ownership, and updated checkpoints, because stability comes from managed change, not from refusing to adapt. When priorities are clear and durable, teams gain confidence that their work will matter and will not be discarded casually. That confidence improves speed, quality, and collaboration, which are exactly the things security and resilience require. Direction is not a speech, it is a system of choices that teams can execute and measure, and your job is to keep that system honest.
