How Do Organizations Ensure Their Security Tools Are Actually Working?

In our last Super Cyber Friday, "Hacking Security Effectiveness: An hour of critical thinking about how to holistically make sure your tools are working for you," we talked about why traditional security effectiveness evaluations fall short, how to measure whether security tools are working in coordination, and how organizations can demonstrate that cybersecurity is improving resilience. Joining us for this discussion were Emanuel Salmona, co-founder and CEO of Nagomi Security, and Bethany DeLude, CISO emeritus.

HUGE thanks to our sponsor, Nagomi Security

Join us on 02-21-25 for “Hacking Metrics that Matter”

Super Cyber Friday will be back next Friday, February 21st, 2025 for our discussion “Hacking Metrics That Matter: An hour of critical thinking about finding what you need to measure to improve your security program.”

It all starts at 1 PM ET/10 AM PT.

>>> REGISTER for 02-21-2025 Super Cyber Friday <<<

Did you know that we have an events calendar? Visit our events page to subscribe so you can stay up to date on Super Cyber Friday and other CISO Series content.

Best quotes from our guests

"You have to have a feedback loop with the tooling you’ve deployed to ensure it’s still delivering value. If you start seeing an uptick in phishing reports despite investing in expensive tooling, something’s wrong." - Bethany DeLude, CISO emeritus

"Before adding a new tool, make sure the ones you have are being fully leveraged. Adding more software increases complexity, and sometimes the human resources needed to get value from it aren't factored in." - Bethany DeLude, CISO emeritus

"When talking to the board, I focus on risk—reputational, financial, operational, regulatory. When talking to business leaders, I focus on how security enables the business. Tailoring the message is key." - Bethany DeLude, CISO emeritus

"Many organizations have tools they think are running effectively, but they’re either misconfigured or lacking coverage. You could have the best tool, but if it’s not deployed correctly, it won’t protect you." - Emanuel Salmona, Nagomi Security

"Security budgets keep going up, but breaches aren’t going down. Adding another tool doesn’t always make you more secure. Sometimes it makes things worse by increasing complexity and overloading your team." - Emanuel Salmona, Nagomi Security

"CISOs are under pressure to consolidate tools, but removing the wrong one can increase risk. The key is understanding what’s actually reducing risk versus what’s just adding complexity." - Emanuel Salmona, Nagomi Security

Quotes from the chat room

"Put a time block on your team's calendar dedicated to learning something new about your existing tooling. Permit them to work on the 'people' angle of security effectiveness." - Duane Gran, director of information security, Converge Technology Solutions Corp.

"When getting ready to propose a new tool or project... hold a tabletop exercise to display how much you do/don't have a particular vulnerability." - James S.

"People often forget to budget headcount when implementing new tools... so you could have the tech, but not the manpower to operate. Certainly becomes more true as you accumulate tech." - Joshua Brown, founder, Digital Defense Consulting

"Boards, subcommittees, and other executives all understand risk concepts grounded in financial terminology. Using MTTR or anything ATT&CK'ish is for practitioners - NOT for executives. It makes you sound like a smart nerd and you can now go sit at the kids' table." - Dutch Schwartz, VP of cloud services, SideChannel

"As an executive you can start with quantitative measurements with your own team, but horizontally and 'above' you, use qualitative judgment based on your experience, your program maturity, your company, salted with the quantitative measurements where supported." - Dutch Schwartz, VP of cloud services, SideChannel

"OKRs (objectives and key results) shouldn't be security-focused. They should be focused on the business. Then tie into the OKR with your cybersecurity program." - Greg Bellasis, head of cybersecurity and IT infrastructure, CareConnectMD

Mauricio Ortiz, CISA

6mo

How do organizations ensure their security tools are actually working? Great question: most CISOs/CIOs trust MS PowerPoints, spreadsheets with numbers, or talking with their teams, and they are relieved that their organizations have not been breached or hit by ransomware yet. Are there organizations whose leadership is presented with valuable metrics grounded in trustworthy security data? I would say there are a few, or very inconsistent organizations. It is dangerous to trust the information that your teams provide without facts or enough probing questions.
