Topic(s): Security
Author(s): Jason Albuquerque
To read this article and get more critically important news and information, check out our other security-focused posts and subscribe to Providence Business News on their website, www.pbn.com.
On Business Security Weekly, the weekly podcast that I co-host, we recently covered an article on a topic that business leaders should pay attention to. In this article, Rich Seiersen, chief risk technology officer at the cyber vulnerability management company Qualys, talked with a group of senior executives about a parallel between modern cybersecurity and the data-driven revolution in baseball known as “Moneyball.”
Before the Moneyball strategy existed, teams drafted players based on conventional, highly visible metrics such as batting average and stolen bases. While these metrics are easy to see, they didn’t correlate directly with winning games. The Oakland A’s, under general manager Billy Beane, changed the analytics of the game by using deep, non-obvious statistical analysis to find undervalued players whose skills added up to victories.
For decades, cybersecurity culture has been running on “pre-Moneyball” strategies. We’ve chased after flashy technical metrics such as the number of vulnerabilities, the number of firewalls deployed and the dreaded compliance checkbox forms. Businesses pour millions of dollars into the most visible, buzzworthy security products, assuming that more money equates to stronger protection. But the breaches keep coming, and the costs keep growing.
Seiersen argued that this is the moment for “cyber-Moneyball,” and I cannot agree more. It’s time to realize that simply counting vulnerabilities or spending budgets isn’t a measure of cyber resilience. The true metric is risk.
Business leaders need to stop asking the question, “Are we secure?” and start asking, “Are we managing our risk in a way that enables our business to be resilient to cyber threats?” It’s about focusing resources on the controls that mitigate the most damaging, most likely scenarios, not thousands of low-impact items. We must pick our battles based on data.
Cybersecurity is no longer solely an information technology cost; it’s a business resilience and continuity investment.
-JASON ALBUQUERQUE
This shift to cyber-Moneyball is critical for boards and executive teams because the stakes have fundamentally changed. Cybersecurity is no longer solely an information technology cost; it’s a business resilience and continuity investment. The executive suite must insist on receiving risk intelligence that speaks directly to the organization’s strategic objectives and financial health. This requires moving beyond heatmaps and technical severity scores to adopt a risk framework.
Data-driven decisions allow boards to treat cyber risks with the same rigor and strategic priority as financial or legal risks. Effective risk management forces prioritization, ensuring capital is strategically invested to shore up the systems that, if compromised, would have the largest impact on revenue, regulatory standing or market capitalization.
Strategic cyber investment isn’t just about reducing risk; it’s about enabling competitive advantage. Organizations with evident cyber resilience attract more partners, instill greater customer trust and can move faster in adopting cutting-edge technologies because they have a handle on the inherent risks. Leaders who embrace risk quantification transform their security teams from an overhead cost into a strategic business enabler.
Long-term security strategy isn’t about building an impenetrable wall; it’s about making your organization incredibly resilient against attacks. It’s about being able to detect, withstand and rapidly recover from a breach.
Executive teams must integrate cyber risk into their strategy. Cybersecurity is a board-level discussion tied to the organization’s overall risk portfolio, alongside financial, legal and operational risks. Leaders must understand and govern the cyber risk budget, not just a security expense budget.
Use data-driven metrics to communicate risk in terms of dollars and business outcomes. This language, the language of business risk, is the only one that truly resonates in the boardroom and allows for rational, value-driven investment.
The biggest danger isn’t the threat actors overseas; it’s the threat of unmanaged, unmeasured and unprioritized risk in your own organization. Business leaders who embrace the cyber-Moneyball strategy will be the ones who are not only resilient through the digital future but dominant in it.