As the enterprise security function matures, two things act as the main driving forces on strategic priority. As security leaders shuffle resources, organize budgets and plan their roadmap they must think about efficiency and effectiveness. These two things shape strategy and drive the timely allocation of precious resources.
Repetition drives excellence. Usually. That’s what experience teaches us. With limited resources at your disposal, you as the security leader should work hard to make your team as efficient as possible. Minimize distractions by keeping your team shielded from one-off type of work when possible and streamline your toolset. Optimizing processes is a surprisingly effective way to improve security overall, and a nice side effect is that it increases job satisfaction. Imagine actually being able to get good at something, rather than just running around putting out fires.
For example, your security operations team should minimize re-work (failed changes that have to be rolled back) by creating templates and operations manuals that spell out steps to be executed in the most efficient manner possible. Identify key measurements that demonstrate a positive or negative shift in efficiency, and work on improving those.
Squeezing every bit of efficiency out of everyday tasks allows for your senior team members to focus on higher-order tasks – those things that are more complex and require more time and brain power. Ultimately, this makes everything better and allows more time to pursue truly complex problems while shifting focus off non-critical activities. Automation can act as a catalyzing agent here and supports the effort to improve efficiency.
Role specialization is worth calling out as it empowers team members with specific skillsets to utilize those skills and passions in the roles where they flourish. This coupled with a keen eye on duties performed to ensure tasks align to role can make monumental positive shifts in efficiency.
Clearly, efficiency is extremely important, but what good is efficiency when it does not serve the company’s actual needs? I’m confident we all know at least one organization out there that’s extremely efficient at security activities but is fairly ineffective at minimizing the impact of key technology risks. Just because you’re good at something, does it matter if no one cares that you’re doing it well?
Effectiveness is measured differently than efficiency. While we measure efficiency in spent cycles and average time for closed tickets, we mostly measure effectiveness through improved uptime and productivity.
Again, being good at something is no longer enough. That something at which you excel must be good for the company as well. For example, having a highly efficient process for patch deployment is fantastic and should bring increased levels of resilience against attackers. Except when the company doesn’t implement that practice across all of its business units or IT infrastructure. Then you just have a very efficient, non-effective practice which is nice, but its not very useful until universally implemented.
Another glaring example of the importance of effectiveness is the way many enterprises see threat intelligence today. Being able to ingest IOCs into your SIEM and deliver PDF reports to your security team can be made very efficient – but is this effective at improving the security stance of a company? That answer hinges on the company’s ability to do something with that intelligence in the manner it is presented. As a matter of point, cyber threat intelligence is something that many companies rush into without fully understanding the power and resource alignment that must be made prior to making any purchases.
So let’s take this back to maturity. If there are five levels of maturity in our model—Aware > Reactive > Adaptive > Purposeful > Strategic—where does effectiveness really come into play? I believe that initially organizations must understand effectiveness of their strategy at the very first level of maturity--Aware—and re-align that with the company’s priorities at the last level—Strategic. In between we make technical strides at efficiency. I believe it is in understanding the role of efficiency AND effectiveness that security truly does improve.
Otherwise you’re just getting really good at weaving baskets to stop cannonballs. And you can guess how that turns out.