Cyber Moneyball: Why Vulnerabilities Are A Waste Of Time

For decades, cybersecurity leaders have used metrics based on vulnerability management and associated patch management. Yet, only 1% of the vulnerabilities companies patch are exploited. At the same time, 50% of the vulnerabilities that attackers actually exploit are missed. You guessed it — the focus on vulnerabilities and patch management is a waste of time.Businesses need a new approach, one that uses metrics focused on establishing continuous cyber readiness.

In this video, I talk more about how you can make this happen, taking inspiration from the movie Moneyball, which tells the real-life story of Oakland A’s general manager Billy Beane. Watch below.

Cybersecurity Metrics that Are Revolutionizing the Game

While other teams zoomed in on classic baseball statistics like batting average and home runs, Beane focused on Sabermetric statistics, like on-base percentage plus slugging (OPS). No other team was using these metrics at the time.

At first the rest of baseball scoffed. Then, they learned. Billy Beane revolutionized his sport by identifying impactful metrics no one else was using.

That same approach applies to cybersecurity. What if, instead of the old metrics around vulnerabilities, you instead used metrics that show how your people, processes, and technology actually contribute to cyber readiness? It’s time to play Cyber Moneyball.

To learn more about how to improve your cybersecurity by focusing on cyber readiness instead of proxy statistics, contact SightGain today.


1:21 What is Cyber Moneyball?

1:39 Questions Your Organization Should Focus On

2:10 What New Customers Need

Video Transcript

Cybersecurity leaders are overwhelmed. It’s no secret, and we hear it all the time. They can’t keep pace with the patching. They can’t even patch the high severity and critical patches that are out there. But here’s something that might blow your mind. It did mine.

Even though cybersecurity organizations are spending more and more time patching vulnerabilities at an increasing rate, less than one percent of those vulnerabilities ever get exploited. Yet when organizations test against the exploits that do exist, they’re missing over 50% of them. We think the focus is off.

As a data science nerd, I love the movie Moneyball. It is a real-life story of how data, about actual performance, can change the game. It talks about the famous manager Billy Beane. He focused on different statistics that were shown to win the game, and not just the same ones that everyone else was using.

By implementing his method and sticking to his guns in a culture that did not appreciate his approach, he was able to change the game forever.

First for the Oakland Athletics, and then for every other team shortly thereafter. We think cyber is ready for its moneyball moment.

1:21 What is Cyber Moneyball?

So what is cyber moneyball? Simply put, instead of focusing on traditional measures like patches and blocking, we think cybersecurity leaders should focus on the metrics that win the game.

In other words, are they stopping the bad guys? Metrics should be about how well or poorly you are doing at stopping adversary tactics. And those should be the first thing that organizations focus on.

1:39 Questions Your Organization Should Focus On

Is my firewall working? Is data getting from the tech logs into the SIEM? Is my SIEM providing high-quality alerts to my analysts in the SOAR platforms? Finally, are my personnel and the SOAR platform responding appropriately and in a timely manner?

Those are the questions that we should focus on. That’s Cyber Moneyball.

2:10 What New Customers Need

What’s the biggest challenge holding organizations back from this approach? Just like the movie, it’s a culture thing. Our results have been nothing less than amazing for our customers. So new customers need a strong leader that can help place the focus in the right areas, to ask the right questions, to drive better performance.

So to review, cyber moneyball challenges the current convention by focusing on performance against threats instead of proxy statistics like patches and compliance. By focusing on the end goal, stopping the adversary, we think we can change the game of cyber forever.

Click the link below if you want to increase your cybersecurity performance on a routine basis. Subscribe to our YouTube channel to keep pace with all of the innovations that Sightgain is bringing into the market.