Cybersecurity Operationalization: The Missing Link in Security Programs

Most Security Programs Have the Tools. The Gap Is Operationalization. 

By Christopher Lariscy, CISSP. Principal Solutions Architect, MGT 

Operationalization is where most security programs stall. In the environments I walk into, the tools are usually already there. The discipline of tuning them, testing them, and turning their output into decisions is what is missing. That is the focus of MGT’s recent webinar, Security Simplified: A Clear Path to Stronger Security, which I presented with Nikhil Pattak and Andy Cuberly. 

The argument starts with a quote. During a recent engagement, an IT director put the problem better than any framework document I have read: “Our cybersecurity plan can always be strengthened. However, the real challenge lies in execution and operationalization.” 

I hear a version of that quote across SLED, healthcare, commercial, and OT clients. Most organizations have the tools and the frameworks. The shortage is in time, staff, and the operational discipline that turns what is installed into security value. 

Why the Urgency 

The threat environment is escalating across every sector the webinar covered. CISA and FBI K-12 advisories report 9,300 incidents in the last 18 months with a $6.6 million median ransom. Federal funding is now tied to cyber attestation through the E-rate cybersecurity pilot. Ransomware attacks on US hospitals nearly quadrupled between 2022 and 2024. Commercial breach costs hit a record $4.8 million. Aviation cyberattacks jumped more than 600% year over year. Across sectors, the median time to identify and contain a breach sits at 258 days. 

The pattern under those numbers is what I described in the webinar. Organizations are compliant on paper, but in practice their policies, procedures, and controls are not adequately protecting them. The problem is systemic. It is tied to how overcomplicated we have made cybersecurity, which leaves most clients stuck trying to identify the highest-impact starting point inside the budget they already have. 

Security Simplified: The Quadrant 

To help answer the highest-impact-for-budget question, we built a Gartner-style quadrant that plots controls on two axes: security impact (higher is up) and budget impact (lower cost is to the right). That gives four cells: low impact and low cost (lower right), low impact and high cost (lower left), high impact and high cost (upper left), and the upper right, the golden quadrant of high impact and low cost. 

The lower-right cell is table stakes. Firewalls, backups, antivirus, help desk. If a client does not have these, we are having a different conversation. The lower-left cell includes web application firewalls and similar items that are costly relative to value for most organizations today, and badly degraded if untuned. The upper-left cell includes high-impact controls that cost real money, such as network access control, which delivers granular value when actively maintained and very little when it is not. 

The golden quadrant is where most clients should start. Nine controls live there. Three deserve direct attention. 

Three Controls That Move the Needle 

Multi-factor authentication. MFA is foundational. Every account that touches anything important should have it, including service accounts where you can manage it. The first MFA question is whether it is deployed. The harder question is whether you have created exceptions or exemptions that should be reevaluated. MFA with carve-outs functions as a weaker control than MFA without them. 

Managed SOC. I have had clients buy SIEM and SOAR platforms and then never look at them. The logs flow in. Nobody tunes. Nobody triages. The tool produces noise. A managed SOC means someone is actually reading those events, tuning out false positives, and returning actionable information to the operators who can act on it. Without that layer, the SIEM is a logging system. With it, the SIEM becomes a control. 

Immutable backups. Ransomware does not care about your backup. If the attacker can encrypt or delete it, you do not really have one. Immutable backups, the write-once read-many version, give you a recovery path that survives the attack. They depend on a parallel discipline: actually restoring from them on a schedule. A backup you have never restored from is the rumor of a backup. The first restore test is what makes it a control. 

The fourth control I want extra time on is the tabletop exercise. 

What a First Tabletop Finds 

The most valuable tabletop is the first one, run before an incident. I ran one recently with a K-12 district. We simulated a cascading failure that ended in an internet outage. The district’s incident response procedures held up well through most of the simulation, until someone on the transportation team mentioned that without the internet, they could not fuel the buses to pick up students. The fuel pumps required network connectivity. Nobody had planned a mitigation for that. 

The tabletop exposed an operational dependency the district had never identified, and they had time to address it before a real outage caught them. That is the work a tabletop does. It pressure-tests the decisions, the escalations, the roles and responsibilities, and the dependencies that nobody documented because nobody had a reason to. If your last tabletop was before the AI era, your last tabletop was run in a completely different threat environment than today. 

Deployment and Operationalization 

Deployment means the control is installed and running. Operationalization means it is tuned, tested, reviewed, and producing decisions that reduce risk. That distinction is the most important takeaway from the webinar. 

The questions I use to test for operationalization are simple. When was the last time alerts were tuned? When was the last time a backup was restored to an isolated environment and validated? When was the playbook for this control last reviewed? When was the run book last updated to match the way the organization actually works? 

The answers I usually get are some version of “it has been a while” or “we have not done that.” That is the gap. The cause is staff time, competing priorities, and the volume of tasks pulling internal teams away from work that directly improves security posture. The intent is fine in almost every case. The hours and the discipline are what is missing. 

When clients make the leap from deployed to operationalized, the improvements are measurable. Time to isolate a compromised endpoint drops sharply once a managed SOC is producing tuned, prioritized alerts. False positives fall. Run books match real workflows. SOAR automations fire on the playbooks they were built for. The control starts producing the value the organization paid for. 

Prepare, Detect, Recover 

The webinar framed the operationalization work in three NIST-adjacent phases. 

Prepare is everything done before an incident. Maturity assessments and governance reviews so you can articulate where you are today. A living risk register, updated as workloads migrate between private cloud and SaaS and back. MFA and access control discipline. Role-based security awareness training with simulations. An AI acceptable use policy. Shadow AI is the new shadow IT, and the data exposure I am seeing in the wild is real. 

Detect is the work of turning a flood of alerts into a small number of actionable incidents. A 24/7/365 SOC. Continuous vulnerability management instead of an annual scan. Network and endpoint visibility centralized so nobody has to call three teams during an incident. Alert tuning that continues past the first 90 days. SOAR automations applied to playbooks the SOC actually uses. Threat intelligence integrated into the SIEM so alerts come out with context attached. 

Recover is where most organizations under-invest, in time and in dollars. A disaster recovery plan that has never been tested is the rumor of a DR plan. Tabletops belong here too, because the value comes from running them before an incident and learning from them afterward. Crisis communications need to be planned in advance: who calls the press, who briefs parents in K-12, who talks to the city manager or the superintendent or the CEO. Cyber insurance coordination needs to be worked out before you need to file a claim. Backup validation needs to confirm the data restores cleanly to an isolated environment. I have watched recovery efforts stall for weeks because nobody had asked the insurance firm what process they required, or because legal agreements with the forensics firm were never put in place. 
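The restore test that the immutable-backups section and this Recover phase both call for, as an added example that is not part of the webinar or MGT's own tooling: a backup-time manifest of file hashes is compared against a tree restored into an isolated directory, and the report records when the test ran, which is the evidence the "when was a backup last restored?" question asks for. The backup set, file names and contents are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> sha256 for every file under root; taken when the backup is written."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def validate_restore(manifest, restored_root):
    """Compare the tree restored into an isolated directory against the backup-time manifest."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),  # dated evidence of the restore test
        "expected": len(manifest), "missing": missing, "extra": extra, "corrupt": corrupt,
        "passed": not (missing or extra or corrupt),
    }

def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample: a clean restore and a damaged one (one file altered, one never restored)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "backup_set")
        _write(src, "db/ledger.csv", b"id,amount\n1,10\n")
        _write(src, "config/app.ini", b"[app]\nmode=prod\n")
        manifest = build_manifest(src)
        clean = os.path.join(work, "restore_clean")
        shutil.copytree(src, clean)
        damaged = os.path.join(work, "restore_damaged")
        _write(damaged, "db/ledger.csv", b"id,amount\n1,99\n")  # silently altered; config/app.ini missing
        return validate_restore(manifest, clean), validate_restore(manifest, damaged)
```

A restore that reports missing or corrupt files is a failed control, not a partial success; the point of running it on a schedule is that the failure is found before the incident does.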

The Roadmap Forward 

The roadmap I recommend is straightforward. Find the controls you do not have that you actually need. Operationalize the controls you do have. Build the lifecycle, the testing cadence, the tuning discipline, and the measurement that converts existing investment into security value you can point to. 

The most useful conversation to open with your account team starts with a single question. Which of our existing controls are deployed but not yet operationalized? Pick one tile on the quadrant. Point at it. We will build the path from there. Most of the work that follows does not require a new tool. 
