This blog is a smaller part of an article in Bugcrowd’s newest report, Inside the Mind of a CISO. Check out the report for the full article, along with other thought pieces, infographics, and data analyses for CISOs and security leaders.
In Greek mythology, Sisyphus is punished to roll an immense boulder up a hill for the rest of eternity. As the boulder approaches the top, it immediately rolls back down.
From the ELT and board’s perspective, CISOs can sometimes sound like Sisyphus when presenting our never-ending list of projects and asks. Every security program has a story full of milestones and gaps (from assessments, audits, best practices, customer requests, or some other source)—and there is always more to do and spend money on. Budgetary constraints help us think critically and give us the opportunity to prioritize and innovate, though the roadmap and tradeoffs along the way are not always clear. When the board struggles to understand our vision, contextualize our risk investment strategy, or see how we measure success or failure, our boulder rolls back down the hill, requiring CISOs to start the process over again.
In reality, a security program can be a lot like our health and wellness journeys. Everyone is on their own path, and we are constantly having to navigate tradeoffs. In my private life, I measure success in these areas by my ability to say yes to the things I care about—energy to say yes to family, capacity to be present and engage with friends, and ability to make time for sports and hobbies. Failure is when I don’t have the energy to balance my work, travel, and the things that matter to me outside of work.
The difference between my personal goals and those of security programs is that the latter require an adversarial element to determine if we’re executing at a level we’re comfortable and confident in. Furthermore, CISOs need to stretch a limited budget to balance people, process, and technology. The success of a program is measured in a handful of ways, but “an auditor approved” is the answer for so many.
However, can the lack of a breach be considered a silent metric of success? (Reminder: we cannot prove a negative.) When we define success as a lack of incidents, justifying a constant increase in security spending to our boards is nearly impossible. In practice, security without true adversarial testing is almost an illusion, leaning heavily on the “maturity” of best practices without pragmatic validation. This means that diversified research and testing clearly validates success, or identifies points of failure (opportunities for improvement), directly justifying our asks.
The culture we’re building isn’t about running from failure—it is aimed at continuous improvement and honest and objective feedback on what needs focus or prioritization. Creating a safe environment for this level of objectivity is what changes our frame of reference from “failure” to a “growth mindset.” This carries directly into program management and budgetary planning.
If the CISO community has learned anything through the zero-basis budget cycles over the last couple of years, it might be that the assumed nonnegotiable or brinkmanship position of “We need to be doing all of these things” doesn’t easily stand up to scrutiny.
NIST defines “resilience” as “the ability to maintain required capability in the face of adversity.” So how do we measure this?
Adversarial testing evaluates our defenses by applying the tactics, techniques, and procedures of real-world attackers, highlighting deficiencies in our programs that rise above our agreed-upon risk profiles. Adversarial testers, like red teamers or ethical hackers, test resilience and provide actionable insights, highlighting high-priority gaps to address with a sense of purpose.
One way adversarial testing helps with objective measurement is that it aids us in evaluating our technology investment stack. This area is notoriously difficult to be objective about—where are our people, process, and technology investments paying off or coming up short? We have a fear of asking how our technology investments are working, or even if they’re working at all. Vendor evaluations are time-consuming, changes come with cost and can be emotionally charged, so it’s natural that there is an unwillingness to fire or rotate vendors and technologies. When leadership is confident in our objectivity in evaluating existing investments, we gain credibility.
When we engage in adversarial testing, we have the objective data to shine a light on our program to inform our decisions about what is and isn’t working.
Adversarial testing forces us to ask the hard questions and gives us an unparalleled view into the outcomes of our security spend. For most companies, this is almost like a Christmas card you send your customers and auditors—a once-a-year snapshot of your program. There’s value, but moving beyond point-in-time assessments enables CISOs to confidently report program effectiveness.
By investing in adversarial testing, we quantify our security outcomes, identify gaps, and move beyond subjective assessments and maturity scores. With the findings from adversarial testing, we can articulate and defend our asks to the risk committee and board, helping them make informed decisions about where we need to fund, where we need to defund, and what we need to adjust in the tech stack.
From my perspective, the most successful, capable, and upwardly mobile CISOs operate in partnership with a risk committee. They regularly gather representatives from key leadership positions across an organization to sit down and evaluate the top risks to their business. These committees are an opportunity for businesses to look at their investments, assessments, audits, known technical deficiencies, and key concerns. In other words, CISOs use risk committees as an opportunity to align on difficult investment decisions associated with competing business risks.
In a time where zero-basis budgeting is becoming the norm, CISOs are constantly asked to defend every dollar and make difficult choices about what to cut. Budget cuts affect every aspect of security planning, strategy, and operations—all of which are part of a complex tapestry woven across a business in alignment with the risk committee. Every time CISOs are asked to defund projects, they need fresh acceptance from the risk committee so that leadership can calibrate on the tradeoffs. CISOs can use the results of adversarial testing to justify these tradeoffs to the risk committee and make educated decisions to address risks and gaps.
When everything we ask for is “mission critical,” we sound like Sisyphus, pushing our boulders up the hill over and over again. We must shift from incident prevention to measuring resilience. With the power of adversarial testing as a core component of our security programs, our asks are backed by evidence and we can tangibly demonstrate the value of our security investments.
Why does this resilience matter so much? Again, resilience is the ability to maintain required capability in the face of adversity. A strong security program means fewer disruptions to business, more effectively managed risk, and better processes to deal with incidents. We’re building programs strong enough to protect what matters while letting teams focus on what they love outside of work.
Resilience isn’t a destination but a series of daily choices and practices that become your way of operating. When your security foundation is solid and continuously validated via adversarial testing, you’re creating space for innovation, growth, and the kind of work–life balance that lets you say yes to what matters most.