Your Cybersecurity Program Needs Goals


“It’s not the years, it’s the mileage.”
– Indiana Jones

Regular readers may remember the February 2023 edition of this newsletter in which I shared the news of my hip surgery the previous year. I set a goal for myself then: Before the year ended, I would be back skiing with my kids.

Well, I am happy (thrilled) to share that a few weeks ago that milestone was achieved on the snowy slopes of Stowe, Vermont. I skied 1 ½ days (the kids skied 3 ½). And while I am definitely not going to win any skiing awards, hearing your kids say, “Dad, you are a pretty good skier,” was all I needed.

It was a long road. 

Over the past year, I worked out most days – probably 330 out of a possible 365. Some days it was a short bike ride or ten minutes of stretching; others, it was a couple of hours lifting weights. One day I was even at the gym lifting with a buddy for four hours and was super-sore for days after. (Thanks, Tom!)

And the thing that kept me showing up and working hard day after day? It was having that clear, measurable goal in my head: Skiing with my kids by the end of the year.


Clear and Measurable

Clear goals aren’t just for middle-aged dad-skiers; any organization that hopes to maintain a secure environment needs them too. After all, the security landscape is constantly changing, your organization is continually evolving, and the bad guys never sleep for long. You need a program that takes all of this into account.

But if your goal is something like, “improve our cybersecurity,” well, how are you going to know – and let your boss know – that your goal has been reached? 

That’s why you need to set goals with a measurable outcome and timeframe, such as…

  • Implement these 10 controls
  • Reduce risk by 30%
  • Qualify for cyber insurance
  • Achieve a certification (such as ISO 27001)
  • Successfully complete an audit (such as SOC 2)
  • Shorten the sales cycle by 10 days by reducing cybersecurity pushback

Now you’re talking. These kinds of specifics allow you to plan for where your program will be next month, next quarter, and next year.

Track and Share Progress

Of course, setting goals is the easy part. Now you need to show up at the “gym” every day and keep a close eye on progress to make sure you are moving on pace and in the right direction. If not, you’ll need to either put more effort into your goals or make adjustments to their scope and timeframe.

You’ll also want to periodically share where you are with your management team, both to keep yourself on track and to ensure that management is in the loop on these important initiatives. Also, if some departments are resistant to your efforts, management’s involvement can be key.

How Do We Measure Success?

Some goals are inherently more amorphous than others. 

Implementing Multi-Factor Authentication (MFA) on all critical and noncritical systems or establishing Endpoint Detection and Response (EDR) on all laptops … that’s easy to track. Something like “reduce cyber-risk by 30%,” which is also a worthwhile goal, is less so.

But don’t let the difficulty of measuring a goal keep you from setting it and doing your best to track it. In the cyber-risk example above, if your organizational risk last year was a 10% chance of a $5 million loss, and assuming you perform quantitative cyber-risk assessments annually, you can establish targets for reducing both of those numbers this year.* The same assessment method, applied the same way each year, is what makes the before-and-after comparison meaningful.

(*Yes, risk is a continuous measurement and not measured for a single probability / loss level, but let’s keep it simple for purposes of this article.)
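To make “reduce cyber-risk by 30%” concrete, here is an added example (written for this article, not a tool from Fractional CISO or the author) that turns the “10% chance of a $5 million loss” into a simple annual-loss model and checks whether a proposed target meets the goal. The scenario names, the 0.8 lognormal spread, and the target figures are hypothetical; the one-event-per-year assumption is a deliberate simplification that keeps the closed-form expected loss easy to compare against the simulation.

```python
"""Making a "reduce cyber-risk by 30%" goal measurable.

Illustrative code added for this article; not the author's or Fractional
CISO's tooling. Model (hypothetical): each year a loss event occurs with
probability p_event, and when it does, the loss size is lognormal with the
given median and spread. All figures below are constructed, not real
assessment data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One line of a quantitative risk register (hypothetical values)."""
    name: str
    p_event: float        # annual probability that the loss event occurs
    median_loss: float    # median loss in dollars when it does occur
    sigma: float = 0.8    # lognormal spread; larger means a fatter tail


def expected_annual_loss(s: RiskScenario) -> float:
    """Closed-form expected annual loss: P(event) * E[loss | event].

    For a lognormal with median m and spread sigma, the mean is
    m * exp(sigma^2 / 2).
    """
    return s.p_event * s.median_loss * math.exp(s.sigma ** 2 / 2)


def simulate_annual_losses(s: RiskScenario, years: int, seed: int = 1) -> list[float]:
    """Monte Carlo draw of `years` independent annual losses (0 in quiet years)."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)   # lognormal parameter for the given median
    losses = []
    for _ in range(years):
        if rng.random() < s.p_event:
            losses.append(rng.lognormvariate(mu, s.sigma))
        else:
            losses.append(0.0)
    return losses


def percentile(values: list[float], q: float) -> float:
    """q-th percentile (0-100) by nearest rank; adequate for a program dashboard."""
    ordered = sorted(values)
    idx = max(0, math.ceil(q / 100 * len(ordered)) - 1)
    return ordered[idx]


def reduction_pct(before: float, after: float) -> float:
    """Percent reduction from before to after (positive means risk went down)."""
    return (before - after) / before * 100.0


def goal_met(baseline: RiskScenario, current: RiskScenario, target_pct: float) -> bool:
    """The measurable goal: expected annual loss cut by at least target_pct."""
    return reduction_pct(expected_annual_loss(baseline),
                         expected_annual_loss(current)) >= target_pct


if __name__ == "__main__":
    # Last year's assessment: the article's 10% chance of a $5M loss.
    last_year = RiskScenario("ransomware on file servers", p_event=0.10, median_loss=5_000_000)
    # Hypothetical this-year target: MFA and tested backups trim both likelihood and impact.
    this_year = RiskScenario("ransomware on file servers", p_event=0.08, median_loss=4_000_000)
    for label, s in (("last year", last_year), ("this-year target", this_year)):
        sims = simulate_annual_losses(s, years=100_000)
        print(f"{label}: expected annual loss ${expected_annual_loss(s):,.0f} "
              f"(simulated mean ${sum(sims) / len(sims):,.0f}, "
              f"95th percentile ${percentile(sims, 95):,.0f})")
    print(f"reduction: {reduction_pct(expected_annual_loss(last_year), expected_annual_loss(this_year)):.1f}%  "
          f"30% goal met: {goal_met(last_year, this_year, 30)}")
```

Note what the arithmetic shows: trimming likelihood by 20% and loss size by 20% compounds to a 36% cut in expected annual loss, so the 30% goal is met even though neither number moved by 30% on its own. The 95th percentile is worth reporting alongside the mean, because a board usually cares about the bad year, not the average one.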


Beware of Chasing Diminishing Returns

In some cases, as you get closer to reaching a cyber goal, you may find that the “last mile” is most difficult to accomplish. 

Consider the MFA example earlier. Maybe you have succeeded in implementing MFA on all your critical systems and on 85 out of 100 noncritical systems. For the last 15, if there is no easy integration with an identity provider or another system that could give you MFA, or if these are marginal systems used by just a few people, it may not be worth spending more time (i.e., dollars). Do record the decision, though: which systems were left out, why, and any compensating control (such as network restrictions or a shorter account-review cycle), so the residual risk is accepted knowingly rather than forgotten.

As you achieve more in a particular area, the urgency there (typically) declines and other goals become more important. At that point, declare victory and move on to other parts of the business.

It’s All About Forward Progress

There is no one outside of your business keeping score. As long as you and your leadership agree on what your priorities and associated timeframes are and are making progress in some way, you are helping to better protect your organization. 

The act of setting goals and continually moving towards them is where success lives.

Because as that famous cybersecurity guru Yogi Berra once said, “If you don’t know where you are going, you’ll end up someplace else.”

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).
