Success is a fickle and often intangible goal in cybersecurity. After all, there aren’t many jobs that operate from an assumed position of weakness.
Defenders readily acknowledge it’s not a matter of if an organization will get attacked, but rather when. This makes success nuanced in cybersecurity — bad things can and will happen, but it could always be worse.
Avoiding worst-case scenarios is the ultimate goal for defenders — the less impactful an incident becomes, the better.
“The reality [is] that most organizations will, unfortunately, suffer some type of incident. It’s what that type of incident becomes that’s really important,” Arctic Wolf CEO Nick Schneider said.
This premise may not be the most aspirational on the surface, but it’s something every cybersecurity professional is keen to accept.
Any time a defender can reduce risk or stop the bleeding before an incident becomes a festering wound is a good day in cybersecurity.
Highly sophisticated cybercriminals or nation-state attackers with effectively limitless resources, who only have to get things right once, will get through some layer of security or controls, said CrowdStrike CTO Elia Zaitsev.
“Speed is ultimately the secret sauce, if you will. That’s how you prevent an incident from becoming a breach. You’ve got to move faster than the adversary,” Zaitsev said.
Investments can fortify defense
How a business allocates resources and prioritizes security throughout the organization plays a significant role in achieving incremental success as it relates to the bottom line, experts told Cybersecurity Dive.
Successful security leaders can inextricably link their department’s efforts and investments to business outcomes, said Jess Burn, principal analyst at Forrester.
Demonstrating how security investments contribute to revenue in a way that resonates with fellow executives is critical, Burn said.
The pressure to prove cybersecurity is a profit center rather than a cost center is mounting as CISOs move up the organization chart and security budgets continue to rise while others are cut, Forrester analysts said in an annual security program recommendations report released last month.
Global spending on security and risk management is projected to reach $210 billion in 2024, a 13% increase from 2023, according to Gartner’s latest forecast on the sector.
Gartner expects global security spending to increase almost 13% in 2025, too, nearing $237 billion.
The crux for security leaders and defenders at large is to validate how and where those costs translate to valuable benefits for the business.
The share of technology funds allocated to cybersecurity is also growing. Organizations said they devoted 8% of their technology budgets to cybersecurity in 2023, up from 5% in 2019, according to Moody’s 2023 cyber survey.
Maintaining a comprehensive and appropriate security posture meets customer demands and cyber insurance requirements, constituencies that form the backbone of enterprise security business models, according to Forrester.
Security leaders can also use regulatory compliance to their advantage by calculating how much it costs to meet cross-regulatory requirements and how much revenue is generated from each vertical, region or market segment those rules satisfy, according to Forrester.
Administering a proportional security program is essential. The trick for business leaders is to get the timing right.
“One of the tenets of business is you don’t spend anything that you don’t absolutely have to until you need it,” said Wendy Nather, director of strategic engagements at Cisco.
When security practitioners push leadership to spend more money and time on defense, Nather said executives typically ask if the need is urgent, worth the investment, or if a halfway measure might be sufficient in that moment.
“That’s why success is so hard to define,” Nather said. “Implementation is the really tricky part.”
Measuring success with nuance
There are no simple answers to define or measure success in cybersecurity, and it largely depends on each particular domain, according to Phil Venables, Google Cloud’s VP and CISO.
“The way I personally look at this is it's the absence of surprise,” Venables said.
“What upsets me as a leader is when something bad happens and it just totally came out of left field, and it feels like we should have known about that,” he said. “I always get upset by surprise.”
Another key metric is an organization’s mean time to respond — how long it takes the enterprise to identify the full extent of an intrusion, boot the attacker from the environment and do root-cause analysis to determine how the attacker broke into their system.
Dwell times for intrusion detections declined last year to their lowest level in more than a decade, sliding to a median of 10 days compared to 16 days in 2022, according to Google Cloud Security’s annual M-Trends report released this week by Mandiant.
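As an added illustration (not from the article or from any vendor quoted in it), the Python below computes the two metrics these paragraphs describe from constructed incident records: dwell time (first compromise to detection, the figure M-Trends reports as a median) and time to respond (detection through scoping, eviction and root-cause analysis). Every incident name and timestamp is an assumed, made-up value.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

DAY_SECONDS = 86400


@dataclass
class Incident:
    name: str
    compromised: datetime  # earliest evidence of attacker activity
    detected: datetime     # intrusion first identified by the defender
    scoped: datetime       # full extent of the intrusion understood
    evicted: datetime      # attacker removed from the environment
    root_cause: datetime   # initial access vector determined

    def __post_init__(self):
        # Response phases must occur in order; out-of-order timestamps
        # usually mean a data-entry error in the incident record.
        stages = [self.compromised, self.detected, self.scoped,
                  self.evicted, self.root_cause]
        if any(a > b for a, b in zip(stages, stages[1:])):
            raise ValueError(f"{self.name}: timestamps are not in order")

    def dwell_days(self) -> float:
        """Days the attacker was inside before being detected."""
        return (self.detected - self.compromised).total_seconds() / DAY_SECONDS

    def respond_days(self) -> float:
        """Days from detection to completed root-cause analysis."""
        return (self.root_cause - self.detected).total_seconds() / DAY_SECONDS


def _d(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed incident records for illustration only (hypothetical values).
INCIDENTS = [
    Incident("web-01", _d("2024-01-01"), _d("2024-01-13"), _d("2024-01-14"), _d("2024-01-15"), _d("2024-01-16")),
    Incident("vpn-02", _d("2024-02-01"), _d("2024-02-05"), _d("2024-02-06"), _d("2024-02-06"), _d("2024-02-07")),
    Incident("mail-03", _d("2024-03-01"), _d("2024-03-11"), _d("2024-03-13"), _d("2024-03-15"), _d("2024-03-20")),
]


def median_dwell_days(incidents=INCIDENTS) -> float:
    return median(i.dwell_days() for i in incidents)


def mean_time_to_respond_days(incidents=INCIDENTS) -> float:
    return sum(i.respond_days() for i in incidents) / len(incidents)
```

Tracking dwell time and time to respond separately matters: a short dwell time with a long response still leaves the attacker room to reach their objective.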
“If I can identify, scope, triage and eject the adversary before they’ve been able to kind of escape and break out, I still won as a defender,” Zaitsev said. “The adversary hasn’t achieved what they call their actions on objective.”
The clean-up work after an attack is of equivalent importance. Once the point of intrusion is identified, organizations have to address it quickly to keep attackers from coming back in to initiate follow-on attacks.
“Cybersecurity is really, frankly, like most things in life, about risk,” Schneider said. “Our view is if you can minimize the probability and minimize the impact, you’re doing a pretty good job.”