How do you prioritize security work when there are competing deadlines and limited engineering bandwidth?