“To get the maximum impact, cybersecurity needs to take on a minimum effective mindset across business engagement, technology, and talent. Minimum effective is a deliberate, ROI-driven approach to leading cybersecurity into the future.”

“A minimum effective mindset refers to the input, not the outcome.”

“We in cybersecurity put maximum effort into everything we do, and that is sometimes killing us. Seventy-three percent of CISOs experienced burnout in the past 12 months, and if the boss is experiencing it, you know the department is feeling it.”

Myth #1: More data equals better protection. “Instead of just more data, savvy cybersecurity shops pursue the least amount of information needed to help draw a straight line between the enterprise’s funding of cybersecurity and the amount of vulnerability that funding addresses.”

Myth #2: More technology equals better protection. “This is based on another pervasive myth: the idea that just around the corner, some technology is coming to save us. This mindset causes us to buy and acquire solutions before we are quite sure how or whether there will truly be additive value.”  

Myth #3: More cybersecurity pros equals better protection. “There is simply no way to scale our services to match the pace of the enterprise just by hiring more cybersecurity pros.”

Myth #4: More controls equals better protection. “Employees report a huge amount of friction involved with secure behavior. Controls that are circumvented are worse than no controls at all.”

More information is available in the Gartner press release, “Gartner Identifies Four Myths Obscuring Cybersecurity’s Full Value.” 

“Boards are willing to increase risks but want results. CEOs want ‘digital dividends’ and tangible growth from digital investments, while CIOs need to deliver outcomes by prioritizing the right digital initiatives.”

“Digitization has accelerated enterprise demand for information security expertise, requiring CISOs to adopt a more rigorous approach to prioritizing security resources for their enterprise’s most urgent needs.”

“With a seemingly unending list of projects, CISOs must ensure their teams are working on those that offer the greatest business impact.”

“Technology deployments will continue to outpace your ability to secure them.”

“Risk reduction efforts are perceived as providing value, but senior leaders are doubling down on digital investments and want measurable results.”

“Security decisions cannot be made in isolation by the security team.”

“Security and risk management leaders must decentralize accountability and expand their focus to improving cyber judgment across the enterprise to help decision makers make informed risk decisions without their direct involvement.”

“The security operations industry has exhibited patterns of change to reduce risk and enhance operational delivery, and these changes are spread across every vertical and maturity type.”

Many organizations have security operation centers (SOC) in place, however, many do not perform the way organizations would like them to. 

“The complexity of making a modern SOC perform with an internal team of less than twelve members has become unobtainable.”

There are challenges that come with an all-internal SOC:

• Hiring/retention/training 

• Allocation to growth

• Overly reactive/tactical 

• Specialized talent is hard to justify

• Overall poor performance 

“The velocity of new attacks, the complexity of detection and the rate at which this all must happen to avoid an incident is overwhelming. This has driven organizations to seek more service providers to help make their SOC perform.” 

“Operations-wide automation is too far out of reach for most. Everyday automation solves the problems that matter, where they happen.”