Cybersecurity has always been a game of constant improvement, and that has never been more true than it is today. If there has ever been a time for change, it is now, because businesses really need to reevaluate how they protect their assets. In just the past year we have had a LinkedIn breach that exposed the data of 700 million users, the T-Mobile data breach that affected 100 million T-Mobile customers, the Colonial Pipeline ransomware attack that disrupted the fuel supply chain across most of the East Coast, and perhaps worst of all, the SolarWinds hack that left over 100 of the biggest companies in the world and at least a dozen federal agencies under the watchful eye of Russian hackers. It is clear that something has to change.
The common denominator in many of these cases is that these companies suffered a lapse in cybersecurity performance that left them vulnerable; yet they are also (with the possible exception of Colonial Pipeline) among the biggest spenders on security programs. When companies attempt to quantify how strong their cybersecurity performance is, they often describe how much they spend on security rather than what they actually do to secure their systems. This is a dangerous line of thinking, because it conflates spending with action. At the end of the day, it does not matter how big the security budget is or how tall the security tool stack is if employees are misconfiguring servers. This is perhaps the biggest thing that needs to change: the idea that spending is equivalent to performance.
The classic example of this phenomenon is the 2017 Equifax data breach. Even though Equifax had an $85 million security budget, a large security team, and a significant vulnerability management operation, it took them over 70 days to identify the breach, 145 days to patch the vulnerability, and over two weeks to notify their CEO of the breach. Equifax was hitting all the traditional benchmarks of heavy cybersecurity spending, a deep tool stack, and a large team size; but without a way of measuring the effectiveness of their cybersecurity performance, they allowed their basic cybersecurity standards to slip.
The reality, though, is that day-to-day performance can be hard to measure without a cohesive strategy. The key to effective performance management is continuous monitoring of organizational security priorities. Being able to objectively measure your progress toward security goals is imperative, because it is what ultimately lets you make sound decisions about how to allocate resources. Part of this is maintaining continuous visibility over assets and processes, but you also need to be able to track organizational progress toward the security goals the organization has set. With this in place, it becomes possible both to keep track of an organization's actual baseline cybersecurity performance and to chart a course for future success by allocating resources to the cybersecurity initiatives that improve that baseline.
When measuring how strong the security posture of an organization is, we have been asking the wrong questions all along. By focusing on budget spend, resource allocation, the number of tools in the toolbox, and team size, we have shifted the conversation from "what are you doing with your budget" to "how big is your budget." This is almost certainly the wrong way to go about it, and if we want a chance at securing our data, it needs to change. CnSight is the first step in that direction, helping you build a performance management program that emphasizes continuous improvement, promotes organizational efficiencies, and provides executive insight into the organization's day-to-day cybersecurity performance. Schedule a demo to learn more.