The hallmark of a successful business is its ability to set and achieve its goals. All organizations are driven by their missions, goals, and objectives, but what truly separates a phenomenal business from the rest is how efficiently it allocates resources to achieve those ends. It is for this reason that improving process efficiency and making informed decisions about the optimal allocation of resources is crucial. Much the same applies to fielding an effective and efficient cybersecurity program. There will always be extremely expensive technical solutions out there to prevent unlikely theoretical attacks, but if your organization’s threat model does not place any assets that such an attack could affect at high risk, then the actual increase to your organization’s security posture is marginal, and the money invested may have been better utilized elsewhere.
Being able to objectively measure your performance in attaining security goals is imperative, as it is what ultimately allows you to make the best decisions about how to allocate resources. Part of this is maintaining continuous visibility over assets and processes, but you also need to be able to track organizational progress towards meeting the security goals the organization has set. When key decision-making executives are able to see the tangible effects of their investment in the organization’s cybersecurity structure, it allows for much more targeted and meaningful spending on actual improvements. Instead of throwing money at the problem and hoping it sticks, it becomes possible to methodically prioritize the security measures with the highest impact on reducing risk while cutting overall spending on inefficient security improvements. Establishing and tracking specific Cybersecurity Performance Indicators (CPIs) allows for organizational introspection on what is and is not working from a security standpoint. For IT departments, being able to document and show improvement gives executives a better understanding of the performance their investment creates, which means better communication between all parties involved and a more effective cybersecurity program.
For too long, businesses have been asking the wrong questions about cybersecurity. Instead of throwing money at the problem and setting benchmarks based on the spending of industry peers, the industry needs to move towards smarter spending. That requires continuous visibility not only over the organization’s digital ecosystem, but also over the tangible performance improvements directly attributable to investments in security.