When Less is More in Cybersecurity


I am convinced that any business leader who strives to optimize an operation has heard the cliché “Less is more!” Cybersecurity professionals have certainly heard it too, but their reality is quite the opposite. Even successful security leaders walk a thin line between their current state and complete failure, because when they do their job well there is nothing to show for it. Unlike the rest of the organization, security leaders are critiqued on shortcomings and failures, because those are the events that are evident and tangible. It is as though performance in this field is rated on a scale of 0 to -10. As a result, many security leaders respond with a shopping spree to cover all their bases.

Faced with the inevitability of cyberattacks and an uninspiring rating scale, they purchase any and every product designed to mitigate the risk. This quickly becomes a classic game of throw spaghetti at the wall and see what sticks. Lacking a better approach, the general consensus that more is better prevails. Unfortunately, security leaders are learning that this approach only muddies the water. Functionality overlaps between solutions, and one solution can interfere with the operation of another. To top it off, more logs and alerts are generated that need review. Triaging a growing volume of log data is costly and can quickly become more trouble than it is worth, prompting security leaders to reconsider their approach.

Rather than evaluating each product on the capability it provides in isolation, security leaders should assess the value of a product in relation to their security stack as a whole. That comparison requires a common metric that normalizes the inputs. Comparing the number of logs processed to the strength of an encryption algorithm, for example, is meaningless; it is like comparing how thick the front door is to how many times the kitchen window opens and closes. Instead, compare the business impact of a loss event to the system’s exposure to it, using dollars as the common denominator. Any currency will do; what matters is that financial terms normalize data between security and the place it operates, the business.

Clearly this is not an easy task, otherwise it would already have been done. There are complex enterprise-wide relationships, evolving risks to information and systems, unique missions, and a handful of stakeholders. Establishing the mapping between business impacts and security assets and tools requires significant resources and time. But once it is in place, cybersecurity leaders can make better investments by measuring the value of each security solution against business costs. They can do more with less.
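As an added worked example (not code from the original post, and not RQ’s method), here is the comparison described above carried out with a standard annualized-loss-expectancy model: each loss scenario has a single-loss expectancy and an annual rate, each control removes a fraction of a scenario’s events, and controls are chosen greedily by the dollars of loss they retire net of their cost, re-evaluated against the stack already selected. Controls that overlap on the same scenario are combined multiplicatively so neither gets double credit. The scenarios, control names, costs and reduction fractions are constructed for illustration.

```python
"""Rank candidate security controls by the dollars of annualized loss they remove,
net of cost, against the stack as a whole. Added example using a standard
annualized-loss-expectancy (ALE) model; all figures below are constructed."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    loss_per_event: float   # single loss expectancy, in dollars
    events_per_year: float  # annual rate of occurrence


@dataclass
class Control:
    name: str
    annual_cost: float  # licence plus operating cost, in dollars
    reduction: dict     # scenario name -> fraction of that scenario's events removed


# Constructed loss scenarios (hypothetical figures).
SCENARIOS = [
    Scenario("ransomware", loss_per_event=2_000_000, events_per_year=0.2),
    Scenario("phishing-bec", loss_per_event=150_000, events_per_year=3.0),
    Scenario("web-app-breach", loss_per_event=800_000, events_per_year=0.5),
]

# Constructed candidate controls; "edr-second" overlaps "edr" on ransomware.
CONTROLS = {
    "edr": Control("edr", 120_000, {"ransomware": 0.5, "phishing-bec": 0.1}),
    "mfa": Control("mfa", 40_000, {"phishing-bec": 0.7, "ransomware": 0.2}),
    "edr-second": Control("edr-second", 100_000, {"ransomware": 0.4}),
    "waf": Control("waf", 60_000, {"web-app-breach": 0.4}),
}


def residual_ale(scenarios, stack):
    """Total annualized loss expectancy left after the controls in `stack`.
    Reductions from controls covering the same scenario are combined as
    independent filters, (1 - r1)(1 - r2)..., so overlap is not double-counted."""
    total = 0.0
    for s in scenarios:
        remaining = 1.0
        for c in stack:
            remaining *= 1.0 - c.reduction.get(s.name, 0.0)
        total += s.loss_per_event * s.events_per_year * remaining
    return total


def marginal_value(scenarios, stack, candidate):
    """Dollars of ALE removed by adding `candidate` to `stack`, net of its cost.
    Negative means the control costs more than the risk it retires."""
    before = residual_ale(scenarios, stack)
    after = residual_ale(scenarios, stack + [candidate])
    return before - after - candidate.annual_cost


def rank_candidates(scenarios, stack, candidates):
    """Candidates as (net marginal value, name), best first."""
    scored = [(marginal_value(scenarios, stack, c), c.name) for c in candidates]
    return sorted(scored, reverse=True)


def build_stack(scenarios, candidates):
    """Greedy selection: repeatedly add the control with the largest positive
    net marginal value; stop once nothing left pays for itself. Returns the
    chosen control names in purchase order."""
    stack, remaining = [], list(candidates)
    while remaining:
        value, name = rank_candidates(scenarios, stack, remaining)[0]
        if value <= 0:
            break
        chosen = next(c for c in remaining if c.name == name)
        stack.append(chosen)
        remaining.remove(chosen)
    return [c.name for c in stack]


if __name__ == "__main__":
    print(f"baseline ALE: ${residual_ale(SCENARIOS, []):,.0f}")
    chosen = build_stack(SCENARIOS, CONTROLS.values())
    final = [CONTROLS[n] for n in chosen]
    print("buy, in order:", chosen)
    print(f"residual ALE: ${residual_ale(SCENARIOS, final):,.0f}")
    for name, c in CONTROLS.items():
        if name not in chosen:
            print(f"skip {name}: net value ${marginal_value(SCENARIOS, final, c):,.0f}")
```

With these constructed inputs the greedy pass buys MFA, then the WAF, then EDR, and rejects the second EDR product: once the first EDR is in place it would retire about $64,000 of ransomware loss a year against a $100,000 price tag, so it fails the test even though it looks fine evaluated alone. The arithmetic is the easy part; the loss-per-event, event-rate and reduction figures are exactly the enterprise-wide mapping the paragraph above describes as the expensive work, and the ranking is only as honest as those estimates.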

Additionally, this offers the opportunity to elevate the security conversation to the Board level, where risk expressed in financial terms is already a familiar conversation. Establishing the security function as a business enabler levels the playing field, making cybersecurity a competitor for investment when strategic risks are addressed.

For cyber leaders, “Less is more” should evolve from a cliché to a standard. It’s time to cut through the noise, simplify security operations, and weigh security’s performance in the context of the business. Use financial metrics to justify investments that strengthen risk posture and “do more” within the security stack as a whole.

Learn more about how RQ quantifies cyber risks in dollars and cents to underpin your security investments.