Have you ever thought about stopping your cybersecurity program? Have you ever considered that your program is stuck in a dead end? Have you ever wished for a fresh start that would ensure a better foundation for your security measures?
Today, we often find ourselves in long-running and hugely complex security programs. Commonly, those programs are planned for 2, 3, or even 4 years and come with large budgets. Because of the initial setup effort, very few people regularly question whether the cyber program fits the organization or whether the implemented measures are succeeding. Often, the initial setup did not fully fit the requirements, or the organizational complexity was underestimated.
Yes, stopping a cybersecurity program is a failure. However, in many cases, it is possibly the best option for the organization to learn, reflect, and rebuild a better, more adapted, and fit-for-success program.
We have been in these programs, and we have seen the struggles program managers are facing.
And while we do not have the perfect solution or the golden bullet, we have gathered a few ideas to consider in these types of situations:
In our experience, most of the time, organizations do not need to go entirely back to the drawing board. Sometimes a retrospective can offer the possibility to adjust minor parts of your program. Though minor, these adjustments can be the key to success.