
Year-End Security Review: Questions Every Business Should Ask

Sam Wheeler · December 5, 2023

The end of the year creates a natural forcing function for reflection. Budgets are being finalized, priorities are being set, and leadership is thinking about what the next year looks like. Security teams should use this moment deliberately.

Here's a set of questions worth working through before December closes.

What Actually Happened This Year?

Start with facts, not feelings. Pull your incident log and review what happened: incidents, near-misses, phishing simulation results, vulnerability findings, audit findings. What does the data show about where your actual risks materialized?

If you don't have this data — if you don't have an incident log or a vulnerability tracking mechanism — that's your most important finding. You can't manage what you don't measure.

What Did You Plan to Do — and Did You Do It?

At the start of last year, what were your security priorities? Rank them and honestly assess completion. Full completion, partial progress, or stalled? For anything incomplete: what got in the way?

This exercise is uncomfortable when things slipped, but it's essential. It surfaces whether your planning is realistic, whether execution has structural barriers, and whether your highest priorities are actually getting resourced.

Where Is Your Crown Jewel Risk?

What is the worst realistic security outcome for your organization? A ransomware attack that takes you offline for two weeks? Exfiltration of customer PII? Compromise of your production systems? A healthcare breach?

Document this clearly. Then assess: what is your current ability to prevent, detect, and respond to that scenario? Where are the gaps? This is your most important risk management question, and it tends to get lost in the day-to-day.

Where Did Security Investment Go?

Review your security spend this year. What did you buy, and what did you get for it? Security spend that doesn't map to risk reduction is just overhead. Not every investment will have a clean ROI, but you should be able to articulate why each major investment made sense given your risk profile.

What Does Your Team Need?

Security teams are often under-resourced and over-extended. Honest assessment: what capabilities are missing? What skills gaps exist? What would your team say if you asked them what's most broken about how security operates here?

If you're a small organization without dedicated security staff, the question is slightly different: what security activities are going undone because nobody owns them?

Setting Next Year's Priorities

Based on your review, what are the three to five security priorities for next year? Prioritize ruthlessly. A list of twelve priorities is not a list of priorities — it's a wish list that'll get executed randomly.

Each priority should have: a clear owner, a success metric, and a rough resource requirement. Bring this to leadership with a clear ask — not just "we need more security" but "here are the specific things we need to do and what they'll cost."

The Goal: Improvement, Not Perfection

Security programs don't reach a finish line. The goal is continuous improvement in the right direction. A year-end review done honestly gives you the foundation to set meaningful priorities and make the case for the resources to pursue them.

The organizations that consistently improve their security posture are the ones doing this work — assessing honestly, planning deliberately, and executing consistently.
