How the Pareto Principle Applies in Cybersecurity
Dudley advised organizations to cut through the noise by applying the Pareto Principle, better known as the 80/20 rule, which posits that for many outcomes, 80 percent of consequences flow from 20 percent of causes. “You might wear only 20 percent of the clothes in your closet 80 percent of the time, or 80 percent of the traffic might occur on only 20 percent of roads,” he said.
The same is true in cybersecurity: Organizations can thwart 80 percent or more of the most common attacks by focusing on the 20 percent or so of the most highly effective defense tactics.
LEARN MORE: In uncertain economic times, build a robust security program.
That’s why it’s best to emulate security frameworks that have proved effective, he said. When asked to describe the state of their security postures, too many organizations simply rattle off the tools they’ve deployed to address one threat or another. “They’ll say, ‘Well, we use a next-generation firewall to stop ransomware,’ for example,’” Dudley said.
The tools are important, but merely deploying technology isn’t really a security strategy. It’s better to align your goals against those recommended by respected research organizations that have published and tested security frameworks, then deploy solutions that help you achieve measurable outcomes.