Join us tomorrow for “Hacking Security Effectiveness”

Super Cyber Fridays!
Join us TOMORROW, Friday [02-07-25], for “Hacking Security Effectiveness”

Hacking Security Effectiveness

Join us Friday, February 07, 2025, for “Hacking Security Effectiveness: An hour of critical thinking about how to holistically make sure your tools are working for you.”

It all begins at 1 PM ET/10 AM PT on Friday, February 07, 2025, with guests Emanuel Salmona, co-founder and CEO, Nagomi Security, and Bethany De Lude, CISO Emeritus. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Nagomi Security

Defense in Depth
Can a Security Program Ever Reach Maintenance Mode?

CISOs like to think of their job as managing risk. But once you get risk to an acceptable level, when do you start prioritizing efficiency?

Check out this post from Brent Deterding of Afni for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, the producer of CISO Series, and Geoff Belknap. Joining them is Andrew Wilder, CISO, Vetcor.

It comes down to growth

How you think about a cybersecurity maintenance mode is primarily driven by how you see the company growing. For Evan Morgan of Cyber Defense Army, the need for constant growth makes it largely impractical, saying, "We're rarely in ‘Maintenance Mode.’ As many of the companies we're securing are doing quite the opposite in pushing for continual growth, there is always a need to add or expand security capabilities for those new business ventures/operations.” While constant growth may be the goal, every organization will hit an ROI point where they must shift their mindset. "Maintenance mode is absolutely a thing because the law of diminishing returns is a thing. At a certain point, 50 percent more investment in security doesn't make you ‘50 percent more secure.’ It's why CISOs and other leaders should be paid the big bucks: finding that optimal point of investment in security and performance," said Asa Hunt of Bighorn Painting.

Maintenance mode is anything but simple

Cybersecurity “maintenance mode” never stands still. It’s a deliberate choice that still requires constant commitment. "Maintenance simply means that we are not making tectonic changes, but fighting entropy requires a sustained active effort. The problem is that business will inevitably think of it exactly as a flat line and flat spending isn't the best way to deal with increasing entropy," said Dmitriy Sokolovskiy of Semrush. For Humberto Gauna of HGxCyber, the fact that some security professionals think maintenance mode isn’t feasible is part of an industry problem, saying, "You don't keep building walls around your castle for the sake of building. This contributes to why cybersecurity programs are seen as money pits. Consider the value of what you are protecting. And always be ready to demonstrate some level of ROI and effectiveness of what you already have."

An asymmetric arrangement

There’s another element that needs to be considered when discussing maintenance mode. For all the internal considerations, you’re still dealing with constantly evolving threats. "I wouldn’t say there is such a thing as ‘maintenance mode’ in cybersecurity just because there isn’t one with cybercriminals. There are always new things to be remediated, automated, made compliant, and new threats. Businesses grow, and with that, there are complications and expansion around cybersecurity," said Sashko Lazov of NOA Solutions. Part of this might be a problem of language. No one is arguing that maintenance mode means you have to be passive. Shawn Riley of Wolfberry LLC suggested, "Maintenance mode might be more commonly called 'continuous improvement.’ Continuous improvement in cybersecurity highlights a proactive and iterative approach to maintain and enhance an organization's security posture."

Integrating with the business

Any decision on maintenance mode should be made with the same objective criteria as any other business decision. "If you can maintain total expenditures as a percentage of total budget year over year, I would consider that maintenance mode. Now, if spending extra nets me an ROI that outpaces the ROI generated by the extra going to another aspect of the business, I'd increase the budget," said Ramon Gutierrez of TEKsystems. It helps if the rest of the business doesn’t keep cybersecurity at arm's length, as Robert Geis of World Wide Technology noted, "Security should be so baked into the execution of business that it should grow at the run rate of the business."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, ThreatLocker

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Caitlin Sarian, owner and CEO, Cybersecurity Girl LLC.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Cyber chatter from around the web...
Jump in on these conversations

"Breaches = jobs?" (More here)

"Why did you get into this field?" (More here)

"Where do malware analysts get their malware from?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [02-07-25] Hacking Security Effectiveness

  • [02-21-25] Hacking Metrics that Matter

  • [02-28-25] Hacking the Modern Audit

  • [03-07-25] Hacking the Commodification of Cyber Crime

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.