Cybersecurity Outcomes: What Do We Really Want?

Helen Patton
Jul 10, 2023

What is the purpose of a cybersecurity program, anyway? If we could all just agree on the answer to that question, life as a security leader would be so simple. If we could, as a profession, take the time to tell everyone else what the answer SHOULD be, that might bring some clarity to why we do what we do. But few people are asking this question, and the security profession is keeping quiet.

As is always the case in cybersecurity, the answer is:

It Depends

It depends on who you ask.

The Board would like to think that the cybersecurity program mitigates the worst of technology and information risk, minimizing the impact of a cyber event, preserving reputation, satisfying regulators, and generally allowing a business to continue as planned. Resilience.

The CEO and the C-Suite want the cybersecurity program to protect against Bad Cyber Things. This could be a breach of the company’s technology, but it could also be protecting the supply chain. They want the cybersecurity program to be as cost-effective as possible, and unless the company is itself a “security company”, they would love to not have to talk about it too much. If the company IS a “security company”, the C-Suite still doesn’t want to talk about their own security; they just want to talk about what…

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange