Football and its coaches, currently all the rage, are rarely if ever of interest to cybersecurity pros immersed in their work. But they should be, because the comparison is pertinent to organizational cybersecurity. The fact is, football teams at the college and professional level often oversee their strategies better than some cybersecurity management teams.
High-level coaches set long-term goals, such as winning championships or consistently competing at a high level. They also build a strong foundation through recruiting, training, and mentoring. In-game coaches, on the other hand, make real-time adjustments to the game plan based on the opponent's strategies and the flow of the game. They also select the right plays.
Cybersecurity strategy already mirrors at least part of this. Day-to-day security work does largely the same sort of thing as in-game coaching, tweaked, of course, to a different mission. Long-term vision, on the other hand, either doesn't exist or is at best mediocre, and this is where cyber posture management (CPM) enters the picture. It improves the overall strength of an organization's defense against cyberattacks, its protocols for preventing attacks, and its ability to act on and respond to new threats.
It's now more important than ever to have a clear view of an organization's cybersecurity posture. In addition to strict compliance standards, public pressure on companies to protect their sensitive data is growing steadily stronger, while the traditional methods of online security are no longer considered sufficient.
CPM is a holistic approach that encompasses the security solutions already deployed (such as anti-malware and anti-virus tools), other security policies in place, employee training programs, and more, and strives to improve them. The goal: materially enhance cybersecurity by substantially mitigating existing risk -- largely by monitoring all that is already on the table and allowing cyber pros to refine the security status they see. According to Markets and Markets, revenues will grow from nearly $14 billion this year to $33 billion by 2029 -- a sizable compound annual growth rate of more than 19%.
Cyber posture management isn't particularly well known, however, and adoption varies. So far, larger organizations with significant digital assets and bigger cybersecurity teams are more inclined to embrace it because they can spare the expense.
The level of sophistication can also differ. Some organizations focus on one issue at the expense of others. For instance, if a remote working policy is essential to an organization's protective goals, it may end up with a cybersecurity posture too intensely geared toward mobile devices and remote network access.
Without a more widespread commitment to CPM, many security experts say organizations are more vulnerable to data breaches and system disruptions.
A case in point is so-called shadow data -- data that is created or stored outside of an organization's formal environment and hence not monitored, posing security risks. The demand for data for AI or machine learning modeling also contributes to shadow data, as organizations extend data access, and with it data risk, to more users who have less understanding of proper data security. A study by IBM found that 82% of data breaches involved data stored in cloud environments and that 39% of breached data was stored across multiple computing environments, including on-premises systems. The good news is that CPM has the ability to scan records to find shadow data and determine whether it is secure.
Reflecting shadow data and other issues, a 2024 survey by Cisco Systems of more than 8,000 private sector cybersecurity leaders globally found that only three percent of leaders could be classified as having a mature readiness posture. "We cannot underestimate the threat posed by our overconfidence," Jeetu Patel, Cisco's Executive Vice President and Chief Product Officer, recently told the media.
Cyber posture management has been in existence for roughly a decade, and major IT technology companies stand out among its adopters. Besides Cisco, they include, among others, IBM, Microsoft, Palo Alto Networks and Check Point Software. A smaller number of healthcare companies, such as Kaiser Permanente, have also joined the pack. This isn't many, and a big reason is that high cost is often an obstacle. Implementing and maintaining a robust cyber posture management program is expensive. Costs include the hiring of more cyber pros, the purchase of new security tools, and ongoing maintenance and updates.
In addition, there is a huge shortage of skilled cyber pros -- an issue for years and now growing even worse because modern IT environments are increasingly complex, with a growing mix of on-premises, cloud, and hybrid systems. Managing all this requires highly specialized expertise.
Probably the biggest issue of all is the lingering disconnect between members of the board of directors and their CISOs. According to Board Surveys, an Australia-based board of directors consulting firm that helps boards improve their effectiveness, just half of board members over 55 claim they have confidence in addressing board cyber risks. The vast majority have no experience in cybersecurity and may not adequately understand what good cybersecurity requires. Separately, a Harvard Business Survey found that fewer than half of board members regularly interact with their CISOs.
Ultimately, the heart of this issue may be that the overwhelming priority of most board members is enhancing their company's financial strength. CISOs counter that the strongest cybersecurity mitigates costly breaches, indirectly strengthening the company's financial posture, but many board members don't buy this. Still, there remains a positive picture: the aforementioned forecast of strong CPM growth suggests that CPM, at least, is finding its way around this issue.