Duncan Hart

'Secure everything just in case' is unsustainable.

Companies must respond urgently, but also seek to reduce risk smartly, in a world of limited resources. And quite rightly the question of “what is to be done?” is being asked by the executive and Board.

The biggest problem is not spending more money and deploying more controls but rather deciding how to spend the limited time and resources.

The true task of the cybersecurity leader is to pick what to do based on an informed sense of which tasks lead to a better future. There will always be too much to do. There will always be a top-down demand for perfection.

The alternative is to try and ‘secure everything just in case.’ The result is rampant spending on additional controls and oversight that then demands even more resourcing, with no clear end in sight.

This unsustainable growth of cybersecurity creates a paralysing implementation gridlock. The few teams, often technical and already highly utilised, are further put upon with implementing the new controls and become overloaded with too many competing demands. This is simply unsustainable.