Across conversations with security and industry leaders across the GCC & the EU, what one finds impacting most Security leaders is that they are not resource-poor, they are choice-rich and time-starved. This has led us to such an environment where budgets and technical capabilities fluctuate, whilst the threat surface has expanded exponentially, and become compounded with the emerging AI tools and exacerbated by global and regional conflicts.

One typical concern that creeps back up in every conversation is trying to understand what is valuable, and how we are measuring achievements and identifying if we are moving in the right direction.
This takes us to a place where we move beyond our funding problems and capability gaps and become confronted with the prioritization imperatives; doing more is no longer the answer, deciding better and justifying the ‘why’ is.

From NASA’s Gene Kranz during Apollo 13 in 1970 stating “Failure is not an option”, to Chesley Sullenberger landing on the Hudson in 2009 what we see, is decades of accumulated expertise compressed into split second judgment calls.

This leads us to a tooling ceiling; where human judgment becomes a multiplier, and a clear vision and direction takes us further than pricing comparisons and integration checklists. As such, we must rethink how we make the most of the resources at our disposal and make better decisions, whether the resources be time or people; the mantra to do better with what you have rings true, which is where judgement becomes our prioritization mechanism.

A blend of data-backed decisions driven through technical & practical expertise has repeatedly seen businesses and people through adversity in the past, it will only continue to do so. We see this throughout security functions, as we start seeing more Security teams align their SIEM tool’s detective capability against regional threat actors, and conduct tabletop exercises to identify gaps in IR plans.

Starting with the data, and identifying where best to spend our time, has frequently proved the most effective results across security teams, and saves CISOs from becoming board-level firefighters, from here the importance of assessing one’s environment, attack surface, and crown jewels becomes paramount.
The real impact here is the cascading impact outside of security teams and even the wider technical function, when a business demonstrates clear vision across one team, others soon follow, and begin aligning to a more focused approach for more assured outcomes.

The most defensible security posture a business can have isn’t tooling or frameworks, and in some ways it never was, it’s a leader who has identified their position & priorities, owning the risks to develop the way forward; and the authority to act on it.