In 1990, Professor Harry M. Markowitz won the Nobel Prize in Economics for his work on portfolio theory. Among many other things, in his work, Markowitz defined the concept of the “efficient frontier:” the set of all portfolios that will give the highest expected return for each given level of risk.
Someday, I hope that we understand cybersecurity well enough to create an efficient frontier for a balanced portfolio of security products. Over the past two weeks, I’ve been chronicling the rise of cybersecurity portfolios and how important they are to keeping companies as safe as possible from the deluge of threats out there (“How CISOs Can Create A Balanced Portfolio Of Cybersecurity Products”, “How To Design Your Cybersecurity Portfolio”, “How To Select The Right Products For Your Cybersecurity Portfolio”). I’ve been using the National Institute of Standards and Technology’s framework to help guide the series of articles on the cybersecurity portfolio, which emphasizes five key categories over which companies need to spread their security spend: 1) Identify, 2) Protect, 3) Detect, 4) Respond, and 5) Recover.
So far in the series, I’ve looked at four key steps in the cybersecurity portfolio creation process (Determine Needs, Allocate Spending According to Risk, Design Your Portfolio, Choose the Right Products) that explain how to construct a balanced portfolio and why such balance is necessary. I’ve also looked at the best places to invest and the best types of products to purchase.
In this final story, I want to look at the constant rebalancing of the portfolio that companies need to engage in to ensure security. This is the fifth and final step in the portfolio process. While we may not have an efficient frontier to rely on, I do think it is possible to improve our approach to managing our portfolios of security products to achieve better results.
Step Five: Rebalance as Needed
I continue to believe the comparison of your cybersecurity portfolio to a financial portfolio to be apt. With a financial portfolio, how and where you invest must change over time. Conventional financial theory has it that you invest more boldly when you’re younger, with your investments moving from riskier stocks to safer bonds as you near retirement. But you must also be dynamic in what type of businesses you invest in: regulatory changes (such as we’ve recently seen in healthcare and might see again soon) greatly impact industry valuations, so you must stay up to date.