Connect with us

Hi, what are you looking for?


Management & Strategy

From Efficient to Effective – Why This Matters for Security

As the enterprise security function matures, two things act as the main driving forces on strategic priority. As security leaders shuffle resources, organize budgets and plan their roadmap they must think about efficiency and effectiveness. These two things shape strategy and drive the timely allocation of precious resources.

As the enterprise security function matures, two things act as the main driving forces on strategic priority. As security leaders shuffle resources, organize budgets and plan their roadmap they must think about efficiency and effectiveness. These two things shape strategy and drive the timely allocation of precious resources.

Repetition drives excellence. Usually. That’s what experience teaches us. With limited resources at your disposal, you as the security leader should work hard to make your team as efficient as possible. Minimize distractions by keeping your team shielded from one-off type of work when possible and streamline your toolset. Optimizing processes is a surprisingly effective way to improve security overall, and a nice side effect is that it increases job satisfaction. Imagine actually being able to get good at something, rather than just running around putting out fires.

From Efficient to Effective – Why This Matters for Cyber SecurityFor example, your security operations team should minimize re-work (failed changes that have to be rolled back) by creating templates and operations manuals that spell out steps to be executed in the most efficient manner possible. Identify key measurements that demonstrate a positive or negative shift in efficiency, and work on improving those.

Squeezing every bit of efficiency out of everyday tasks allows for your senior team members to focus on higher-order tasks – those things that are more complex and require more time and brain power. Ultimately, this makes everything better and allows more time to pursue truly complex problems while shifting focus off non-critical activities. Automation can act as a catalyzing agent here and supports the effort to improve efficiency.

Role specialization is worth calling out as it empowers team members with specific skillsets to utilize those skills and passions in the roles where they flourish. This coupled with a keen eye on duties performed to ensure tasks align to role can make monumental positive shifts in efficiency.

Clearly, efficiency is extremely important, but what good is efficiency when it does not serve the company’s actual needs? I’m confident we all know at least one organization out there that’s extremely efficient at security activities but is fairly ineffective at minimizing the impact of key technology risks. Just because you’re good at something, does it matter if no one cares that you’re doing it well?

Effectiveness is measured differently than efficiency. While we measure efficiency in spent cycles and average time for closed tickets, we mostly measure effectiveness through improved uptime and productivity.

Again, being good at something is no longer enough. That something at which you excel must be good for the company as well. For example, having a highly efficient process for patch deployment is fantastic and should bring increased levels of resilience against attackers. Except when the company doesn’t implement that practice across all of its business units or IT infrastructure. Then you just have a very efficient, non-effective practice which is nice, but its not very useful until universally implemented.

Advertisement. Scroll to continue reading.

Another glaring example of the importance of effectiveness is the way many enterprises see threat intelligence today. Being able to ingest IOCs into your SIEM and deliver PDF reports to your security team can be made very efficient – but is this effective at improving the security stance of a company? That answer hinges on the company’s ability to do something with that intelligence in the manner it is presented. As a matter of point, cyber threat intelligence is something that many companies rush into without fully understanding the power and resource alignment that must be made prior to making any purchases.

So let’s take this back to maturity. If there are five levels of maturity in our model—Aware > Reactive > Adaptive > Purposeful > Strategic—where does effectiveness really come into play? I believe that initially organizations must understand effectiveness of their strategy at the very first level of maturity–Aware—and re-align that with the company’s priorities at the last level—Strategic. In between we make technical strides at efficiency. I believe it is in understanding the role of efficiency AND effectiveness that security truly does improve.

Otherwise you’re just getting really good at weaving baskets to stop cannonballs. And you can guess how that turns out.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.