61% of the security executives reported that in the last 12 months, they were violated due to unsuccessful or improper control. This is despite an average of 43 cybersecurity instruments.
This mass safety failure rate is clearly not a security investment problem. This is a configuration problem. Organizations begin to realize that established or deployed security control is not necessarily controlled security to protect against the threats of the real world.
Recent Gartner® report. Reduce the impact of the threat by optimizing security control, affects the gap between the intention and the result. We believe that it discusses a firm truth: without constant check and setting up safety tools provide a false feeling, well, security.
In this article, we will deeply plunge into why control effectiveness should become a new benchmark for cybersecurity success and how organizations can make this change.
Myth about the tool cover
Buying more tools has long been considered a key to cybersecurity performance. However, the facts tell another story. According to the Gartner report, “the wrong technical security configuration is the main reason for further success of the attacks.”
Many organizations have impressive firewall stocks, final points, identity tools, Siem and other controls. However, the violations are ongoing because these tools are often improperly adjusted, poorly integrated or disabled by real business rickets.
For example in 2024 g. Violation in the blue shield of CaliforniaIncorrect web -shaped configuration has led to a personal data of 4.7 million members leaked through Google ADS. This failure showed how even daily tools, if incorrectly deployed or customized, can undermine organizational safety and maintaining.
And yet the closure of the gap between the presence of safety tools and their efficiency requires the main shift in thinking and even more fundamental shift in practice.
Drawing up organizational shift to control efficiency
The transition to valid management efficiency takes not only a few technical settings. It requires a real shift-in thinking, in everyday practice and how teams work throughout the organization. Success depends on stronger partnerships between security groups, asset owners, IT operations and business executives. In particular, asset owners bring critical knowledge to the table – how their systems are built, where sensitive data live and what processes are too important to fail.
Supporting this cooperation also means rethinking how we train teams. Safety specialists need more than technical skills – they need a deeper understanding of the assets that they protect, business goals support these assets, and threats in the real world that can affect them.
And it’s not just about the best team or better training. Organizations also need the best ways to measure whether their control is doing their job. This is where the metrics governing the results (ODMS) and protection agreements (PLAS) come. Plas set obvious expectations of how the defender should work against specific risks.
Together, these dimensions move safety from confidence to evidence. They help organizations create the stability they can measure, manage and improve over time.
Permanent optimization – this is a new normal
Measuring safety efficiency is the most important first step – but keeping this begins the true problem. Security control is not static. They need regular customization to remain effective because threats are developing and changing businesses. According to Gartner, “the optimal technical security configuration is moving the target rather than set and setting the default.”
Teams that view the configuration as a one -time project create themselves. There are new vulnerabilities, attackers move their tactics, and cloud environments develop faster than any annual audit can keep up. In this environment, the fix system is just a quarter or viewing settings once a year. Permanent optimization should become part of the daily.
This means that it is a habit of receding and asking tough questions: is our control still protecting what is most important? Are our rules for detecting the threats we face today? Our compensatory measures are still closing the right gaps – did they get out of synchronization?
Maintaining sharp protection not only in the application of technical updates. It is about the integration of the intelligence of the real world threats, the reassessment of the priorities and the belief that the operational processes strengthen the security – they do not introduce new weaknesses. Safety efficiency is not a box you check once. This is what you create, check and clarify – again and again.
Construction for efficiency: What needs to change
Make security control really effectively requires a wider shift in how organizations think and work. Safety optimization must be built into how the systems are developed, managed and maintained – not considered as a separate function.
Gartner notes that “no security team can be completely effective in isolation.” According to XM Cyber, this means that security should become a team sport. Organizations need to create interfunctional teams that bring together security engineers, IT operations, asset owners and interested business participants. Effective optimization depends on the understanding not only on how they work, but also what they protect, how these systems behave, and where the risk of real business risks.
Leading security efforts with a wider program management program also helps create a repetitive, structured way to improve over time. Instead of responding to gaps after violation, organizations can actively identify weaknesses, adjust control and measure progress from real risk reduction – not only theoretical lighting. (Want to know more about how to create a platform for continuous exposure management? Read our guide there!))
Essence
Safe has never been just the right tools. It is about understanding whether these instruments are ready for the most important threats. The closure of the gap between the control presence and the control efficiency requires more than technical corrections. This requires changes in how organizations think, work and measure success.
In our view, this new Gartner study makes the message clear: static protection will not keep up with dynamic risks. Organizations that cover constant optimization – setting control, performance check and safety alignment with real business priorities will be those who remain sustainable.
Standing still lagging behind, at least in cybersecurity. The future belongs to organizations that view security as a living system – measured, adjusted and proven every day.
Note: This article was written and made by Dale Ferbret, Director of Marketing Products in XM Cyber.
