Managing your organization’s cybersecurity performance is an important responsibility of any security team: it ensures that your teams are performing at their best and supports organizational success. Effectively tracking and managing cybersecurity performance is critical because it gives decision-makers the best possible understanding of the organization’s cybersecurity strengths and weaknesses. Allocating budget to improving the most impactful performance metrics then allows for more efficient cybersecurity spending and a more effective cybersecurity program overall. We’ve written about Performance Improvement and Management previously; you can find it here for a more extensive introduction.
Performance Management in a time of Remote Work
Performance management is difficult when business is going well, and even more challenging in times of great change and uncertainty. Because of COVID-19, businesses have had to rapidly transition their workforce to a predominantly online workflow, which comes with a suite of challenges for both employees and executives in managing performance expectations. According to Morphisec’s 2020 Work from Home Cybersecurity Threat Index (a survey of almost a thousand office workers), 49% had never worked from home before the pandemic. The transition can be tough for many people: a comfortable home environment that may be rife with distractions can prove harmful to productivity and, subsequently, to organizational performance.
The real issue with the move to remote work is that it paints an even larger target on end users than before. Given the number of remote workers who are working on unsecured personal devices, remote work may be severely detrimental to an organization’s threat model and overall cybersecurity performance. With this change to remote work, Tessian Data Loss Prevention has found that 48% of remote workers are less likely to practice safe data practices and 52% of workers believe they can get away with riskier internet behavior while telecommuting. When we talk about cybersecurity performance, though, we don’t necessarily mean employee performance; while employee productivity is important, a lot of an organization’s cybersecurity muscle comes from automated tools that only need proper configuration in logical security schemes. Relying on those tools makes sense when an organization and its employees are undergoing an immense change in circumstances, because variance in collective employee productivity is then less detrimental to the strength of the cybersecurity program. Clearly, automating critical security tasks has been the name of the game for many years, especially as Software as a Service (SaaS) and Infrastructure as a Service (IaaS) have become more and more prominent. Automated tools that take the human factor out of menial cybersecurity tasks are simply more cost-effective, require less managerial oversight, and are easier to deploy. Not only does this cut down on costs during times when budgets are lean, but it also provides a more stable baseline of protection for the organization.
Doing Less with More
During times of hardship when budgets are restricted, it becomes more important than ever to invest in the most efficient security improvements. Targeting low-cost but high-impact security controls is the most effective way to get more security performance per dollar spent, but it’s easier said than done. This is where automated performance management tools come in. Being able to objectively measure your performance in attaining security goals is imperative, as it is what ultimately allows you to make the best decisions about how to allocate resources. With access to historical, current, and future performance metrics, it becomes significantly easier to identify which performance metrics will be the most cost-effective to target for improvement. When key decision-makers can see the tangible effects of their investment on the organization’s cybersecurity performance metrics, it allows for targeted and meaningful spending towards actual improvements. Instead of throwing money at the problem and hoping for success, it becomes possible to methodically target the security measures that have the highest impact on reducing risk while reducing overall spending on inefficient security improvements.
In the best of times, in the worst of times
Even when times are uncertain and budgets slim, it’s critical to maintain an effective cybersecurity program. The pressure from persistent threats will always be there, and to relax your organization’s cybersecurity performance standards is to tempt fate. While it’s important that organizations always seek to be efficient in their cybersecurity spending, it’s absolutely critical that this principle be applied when working with a reduced budget. Targeting the highest-impact cybersecurity performance metrics with the most cost-effective automated solutions is the best way to do the most with the least amount of security spend.