Why stopping cybersecurity programs should not be taboo

A plea for regularly questioning cybersecurity improvement programs

It is a controversial topic, but this question is worth asking in time: does it make sense to stop a cybersecurity program to take a step back and build a more fitting approach?

Have you ever thought about stopping your cybersecurity program? Have you ever considered that your program is stuck in a dead end? Have you ever wished for a fresh start that would ensure a better foundation for the security measures?

Today, we often find ourselves in long-running and hugely complex security programs. Commonly, those programs are planned for 2, 3, or even 4 years and have large budgets associated with them. Due to the initial setup effort, only very few people regularly question the fit of the cyber program to the organization and the success of the implemented measures. Often, the initial setup did not fully fit the requirements, or the organizational complexity was underestimated.

Yes, stopping a cybersecurity program is a failure. However, in many cases, it is possibly the best option for the organization to learn, reflect and rebuild a better, more adapted, and fit-for-success program.

Our BxC Recommendation

We have been in these programs, and we have seen the struggles program managers are facing.

And while we do not have the perfect solution or the silver bullet, we have gathered a few ideas to consider in these types of situations:

  • Take a break and regularly question if your program, or any security measure improvement, is going in the right direction: stop for a moment, do a retrospective, and assess failure situations when you face them.
  • What learning comes from the program’s failure? Assess what went well and what went wrong. Identify the root causes together with the team to get the most learning out of the experience.
  • Don’t make a big deal about it but talk openly about it. You made a bet on your program, but it failed. It is essential to talk openly about it, both with your team and with your management. Stress the learning curve and the conclusions that lead to a better next step for your organization.
  • Draw up new measures designed for success: Based on the past learnings, rationally design a new program or new measures built for success.

In our experience, most of the time, organizations do not need to go entirely back to the drawing board. Sometimes a retrospective can offer the possibility to adjust minor parts of your program. Though minor, these adjustments can be the key to success.