What is success in cybersecurity? Failing less. | Dump Trucks Charlotte NC

First published on

Listen to the article 6 min

This audio is auto-generated. Please let us know if you have feedback.

Success is a fickle and often intangible goal in cybersecurity. After all, there aren’t many jobs that operate from an assumed position of weakness.

Defenders readily acknowledge it’s not a matter of if an organization will get attacked, but rather when. This makes success nuanced in cybersecurity — bad things can and will happen, but it could always be worse.

Avoiding worst-case scenarios is the ultimate goal for defenders — the less impactful an incident becomes, the better.

“The reality [is] that most organizations will, unfortunately, suffer some type of incident. It’s what that type of incident becomes that’s really important,” Arctic Wolf CEO Nick Schneider said.

This premise may not be the most aspirational on the surface but it’s something every cybersecurity professional is keen to accept.

Any time a defender can reduce risk or stop the bleeding before an incident becomes a festering wound is a good day in cybersecurity.

Highly sophisticated cybercriminals or nation-state attackers with effectively limitless resources, who only have to get things right once, will get through some layer of security or controls, said CrowdStrike CTO Elia Zaitsev.

“Speed is ultimately the secret sauce, if you will. That’s how you prevent an incident from becoming a breach. You’ve got to move faster than the adversary,” Zaitsev said.

Investments can fortify defense

How a business allocates resources and prioritizes security throughout the organization plays a significant role in achieving incremental success as it relates to the bottom line, experts told Cybersecurity Dive.

Successful security leaders can inextricably link their department’s efforts and investments to business outcomes, said Jess Burn, principal analyst at Forrester.

Demonstrating how security investments contribute to revenue in a way that resonates with fellow executives is critical, Burn said.

The pressure to prove cybersecurity is a profit center rather than a cost center is mounting as CISOs move up the organization chart and security budgets continue to rise as others are cut, Forrester analysts said in an annual security program recommendations report released last month.

Global spending on security and risk management is projected to reach $210 billion in 2024, a 13% increase from 2023, according to Gartner’s latest forecast on the sector.

Gartner expects global security spending to increase almost 13% in 2025, too, nearing $237 billion.

The crux for security leaders and defenders at large is to validate how and where those costs translate to valuable benefits for the business.

The share of technology funds allocated to cybersecurity is also growing. Organizations said they devoted 8% of their technology budgets to cybersecurity in 2023, up from 5% in 2019, according to Moody’s 2023 cyber survey.

Maintaining a comprehensive and appropriate security posture meets customer demands and cyber insurance requirements, constituencies that form the backbone of enterprise security business models, according to Forrester.

Security leaders can also use regulatory compliance to their advantage by calculating how much it costs to meet cross-regulatory requirements and how much revenue is generated from each vertical, region or market segment those rules satisfy, according to Forrester.

Administering a proportional security program is essential. The trick for business leaders is to get the timing right.

“One of the tenets of business is you don’t spend anything that you don’t absolutely have to until you need it,” said Wendy Nather, director of strategic engagements at Cisco.

When security practitioners push leadership to spend more money and time on defense, Nather said executives typically ask if the need is urgent, worth the investment, or if a halfway measure might be sufficient in that moment.

“That’s why success is so hard to define,” Nather said. “Implementation is the really tricky part.”

Measuring success with nuance

There are no simple answers to define or measure success in cybersecurity, and it largely depends on each particular domain, according to Phil Venables, Google Cloud’s VP and CISO.

“The way I personally look at this is it's the absence of surprise,” Venables said.

“What upsets me as a leader is when something bad happens and it just totally came out of left field, and it feels like we should have known about that,” he said. “I always get upset by surprise.”