Building an Outcome-Driven Cybersecurity Program

It’s a tale as old as time: the cyberthreat landscape is always evolving. In 2024, as malicious actors harness tools like machine learning and generative AI to increase the speed and scale of their attacks, it’s more important than ever for organizations of all sizes to take a proactive approach to cyber risk mitigation. Even as the threats grow in sophistication, it remains true that the vast majority of successful attacks could have been prevented with fundamental cyber hygiene practices.

Taking this sort of proactive approach means building a cybersecurity program that’s truly effective at reducing the greatest real-world risks to the business—and one that’s demonstrably so. Rather than guessing at or estimating the effectiveness of the program, stakeholders should adopt an objective focus, paying attention to measurable results and evidence of efficacy. This is key for achieving the kind of success that stakeholders will want to build upon.

It’s what we refer to as an “outcome-driven cybersecurity program.”

What is an outcome-driven cybersecurity program?

An outcome-driven cybersecurity program is one that is built to achieve specific results. This approach is taken far less often than it should be. Outside of highly regulated industries, many organizations have security programs that have grown organically over time, coming together as a haphazard patchwork of stakeholders’ whims and desires.

Instead, an outcome-driven cybersecurity program is intentional in its focus and approach. Stakeholders begin by asking themselves which outcomes they want to work towards, rather than by implementing controls that may or may not best achieve the desired objectives. It requires defining the problem, understanding the solution, and then taking steps that are achievable within the organization’s budget and culture.

Being intentional means creating something that is:

  • sustainable
  • measurable
  • of value to the organization

This kind of intentionality goes far beyond buying and implementing new tools. In fact, it may require process changes and mindset shifts instead of technology adoption.

Driving measurable value for the organization

It might sound obvious, but in order to ensure that a cybersecurity program is delivering value, your organization needs to find a way of measuring that value.

There’s no universally agreed-upon scale for measuring the value that a cybersecurity program delivers. After all, its worth to the business lies in its ability to mitigate risk, and risk that has been mitigated is inherently hard to observe and count.

Understanding this requires stakeholders to think logically and in terms of metrics. As humans, we tend to be poor assessors of risk—just think about how many people are more afraid of flying than driving, when car accidents kill far more Americans than plane crashes do. Humans tend to prefer simple, clear-cut, black-and-white answers, but risk mitigation exists within a spectrum of shades of grey. It’s all about ambiguities, uncertainties, and trade-offs.

Still, it’s important to figure out which metrics are most important to your organization and its business objectives. Things like vulnerability count are relative: for one company, ten vulnerabilities (say, in business-critical applications with a high likelihood of being targeted in a real-world attack) might be too many, whereas in another, 10,000 might be acceptable (for instance, they might not be exposed on the internet, or might not reside on systems with access to sensitive data). Incident count depends on your ability to detect incidents at all, while mean time-to-resolve (MTTR) invites you to ask how you know when an event is truly resolved, or, indeed, exactly when it becomes an event (rather than an alert).

Instead, your security program’s objectives should be higher level. We often recommend that our clients use the functions outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

These are:

  • Detect
  • Protect
  • Identify
  • Respond
  • Recover

The upcoming version of the NIST CSF, scheduled for release at the end of February 2024, will also include a Govern function, which will reinforce all of the others.

Every one of these functions is important to the effectiveness of a cybersecurity program. NIST doesn’t outline exactly how you should build them, but there are established processes and best practices that many organizations have used successfully in the past. What will be best for your individual organization depends upon your industry, risk tolerance, regulatory requirements, and a host of other factors.

Only after you’ve defined your objectives can you begin to think about metrics that can measure your progress towards them.

Building an outcome-driven cybersecurity program in four steps

1. Start with an assessment

If you don’t know where you are to begin with, how can you ensure that you’re moving in the right direction?

As with any business process improvement, you’ll want to understand the risks and benefits of making the change before you begin.

A high-quality assessment (regardless of whether it’s conducted in-house or by a third-party consultant) can give you a nuanced view of your current cybersecurity program’s strengths and weaknesses. It can also help you see where your biggest business risks lie.

Choose a framework such as the NIST CSF or ISO 27001 upon which to base your assessment.

2. Prioritize your risks

Every high-quality assessment will reveal risks; the next step is to figure out which of those risks are most important to your individual organization.

There are many different ways to go about this. An external consultant will leverage rubrics and pre-established risk scoring, while internal stakeholders (like the CEO) might simply rely on gut feeling to determine what’s most important to the life and health of the business.

Regardless of how you do it, prioritization requires making an educated business decision. Think of all your key stakeholders—internal and external—such as customers, insurers, regulators, board members, and executive leaders, and ask what’s most important for meeting their requirements. How much does uptime matter? Brand reputation? Protecting customer information? Add as many relevant factors as possible into the mix when deciding on your priorities.

3. Build a plan

There’s no one-size-fits-all way to determine which cyber risks should be addressed first.

Most often, stakeholders choose the area of greatest risk, but sometimes it makes sense to instead build momentum. Let’s say the biggest risk would be expensive and time-consuming to address, whereas the second- and third-biggest would be cheap and fast. In this case, it might make the most sense to start there. With an easy win under your belt, you’ll be better positioned to shift the organization’s culture. And once stakeholders have seen what’s possible, they may be ready to fund higher-priority items.

4. Start executing

This can be harder than you’d think. Here, too, it can be wise to begin with small wins.

Pick an area where you can achieve tangible progress within a month or two, and start there. Choosing more readily achievable objectives makes your organization more agile, and small changes can eventually get you exactly where you need to go, as long as you keep making progress.

At this stage, it’s important to remember your metrics. By continuing to measure the results you’re getting—and socializing those measurements—you can demonstrate the value that your security program is achieving for the organization as a whole. If you don’t tell people what you’re doing, they may not see it. But once you share your results, you can continue building on established momentum.

Having an outcome-driven cybersecurity program can be emotionally satisfying for business leaders and risk managers alike. It can give you confidence that what you’re doing is worthwhile (and beneficial to the business). And it can prepare you to keep pace with the twenty-first century’s ever-changing threats.

Want to learn more about how an experienced industry expert can help you achieve this? Don’t wait—get in touch with us today.

MEET THE AUTHOR

Rich Lilly

Rich Lilly is Security Director at Netrix Global. He has more than 20 years of experience implementing and managing complex security programs leveraging Microsoft solutions.