by Joseph Socolof
Contributing Editor

I have been supporting organizations through transformations for 20 years. If there is one common thread it is that they are all looking for a silver bullet – buy something, install technology, hire or fire someone, re-organize. The fact is, there is not an easy answer. Read the research about the success rates of transformation, including digital transformation, and you will see that they all say the same thing: ‘75% of transformations fail’. The truth is, if people actually bothered to measure their cyber programs, they would realize that 75% of those programs are failing as well.

In our experience, cyber programs fail for the same reasons that transformations fail – a reliance on silver bullets. They don’t take the time up front to understand value – in the case of cyber, the intersection of Threats, Vulnerabilities, and Impacts. A cyber security program should start with a very simple process of understanding value at risk, aligning around a goal, and building a thoughtful roadmap. That is it.

  • Understanding Value-at-risk – this is not hard. It takes days or weeks, not weeks or months. Anything from a few simple workshops to a more comprehensive analysis can be used to assess an organization’s value-at-risk. Of course there is no perfect answer, but leveraging available data in a structured way allows an organization to quickly align on a number.
  • Aligning around a goal – again, not a difficult process. Too often this is left to happen in a dark room by the IT group. This is not their job. The C-Suite needs to agree on the amount of risk they are willing to absorb and the amount of resources they are prepared to allocate.
  • Building a thoughtful roadmap – this is about prioritization. There are an infinite number of steps that can be taken and tools that can be deployed. The fact is, once a clear goal is set, this step is straightforward – lay out the list of initiatives / changes which will get the organization to its goal, rank them by value against ease of implementation so that the highest-value, easiest-to-implement items are executed first (note: sometimes enabling, or longer lead-time, activities need to start earlier), and lay them out with clear timelines and ownership on each.

This three-step process, if done correctly, will greatly increase the chance of a successful program, and will certainly prevent wasted resources on a suite of shiny toys.

For most organizations, if you want to know which journey you are on, simply take stock of the various software and hardware tools deployed to manage risk and how they got there. This will highlight whether your program is in the 75% which are failing to achieve their cyber goals.
