In my decade-long tenure as a CISO within the Defense Industrial Base (DIB), I've witnessed firsthand the complexity of today's cybersecurity landscape and the new technologies and services focused on mitigating the ever-evolving threats we face. But amid this landscape of sophisticated tools and technologies, I've also noticed an uncomfortable truth: despite substantial investments in security tools and services, organizations often underutilize them. This is particularly evident in what I call the "20/80 Rule"—where teams tend to leverage about 20% of the features in 80% of their security tools. It's a phenomenon that introduces risk, limits return on investment, and underscores the importance of continuously evaluating tools to ensure they are aligned with, and used in support of, strategic cybersecurity goals.
It's not uncommon for organizations to purchase cutting-edge tools, each with a robust suite of features designed to provide unique defensive capabilities against specific threats. However, many of these tools remain underutilized for various reasons, such as lack of training, tool complexity, innovation, or sheer feature overload. In practice, critical capabilities—capabilities that could fill gaps and mitigate threats—are often ignored or only partially implemented and used.
This underutilization has significant repercussions. Financially, organizations invest in high-grade solutions but fail to harness their full potential, effectively wasting resources and money. Operationally, the incomplete use of tools can create gaps in the security framework, or the perception that additional tools or services are required to defend the organization. Additionally, security teams often switch from one tool vendor to another without fully understanding either, leading to further inefficiencies in capital and labor from onboarding, migrations, and more.
A more subtle challenge in cybersecurity is the human element. People naturally gravitate toward tasks within their comfort zone or that align with their interests. This behavioral tendency can result in significant blind spots, as security practitioners focus on tools and features they find engaging, while other equally critical components are neglected.
At SCYTHE, we recognize that this human element plays a significant role in cybersecurity effectiveness. Our platform is designed to counter these human biases by providing adversarial emulation and validation capabilities. SCYTHE empowers security teams to test their tools (or perform head-to-head comparisons) in real-world attack scenarios, making it easier to identify which features are working and which aren't, and fostering a comprehensive understanding across the toolset. This approach also creates an objective way to measure the effectiveness of tools under evaluation, enabling teams to pick the tools that perform best.
Addressing the 20/80 tool utilization challenge requires a structured approach. Here are several recommended steps to maximize your toolset's potential, along with some insights into the everyday challenges organizations face:
Reflecting on the journey, it has been both challenging and profoundly rewarding, filled with valuable lessons that go far beyond simply deploying cybersecurity tools. The dual focus on maximizing the potential of our tools and addressing the human elements of cybersecurity has had a transformative impact on our defensive capabilities. This process has taught us that effective cybersecurity is not merely about having the latest technology but about utilizing it to its fullest potential.
Our experience has taught us that even the most advanced tools can fall short if not aligned with a strategy that accounts for human behavior, skill gaps, and operational workflows. Building a resilient defense required us to equip our team with powerful technology and foster a mindset of continuous learning, curiosity, and adaptability. It was about creating an environment where every team member understands how to leverage our tools to their fullest and recognizes their role in the broader security posture of the organization.
By prioritizing both capability (technology/service) and people, we cultivated a team that is technically skilled, deeply engaged, and prepared to respond to emerging threats. This comprehensive approach has proven essential, reminding us that a truly effective cybersecurity strategy is a balanced mix of the right tools, the right mindset, and a culture of proactive security.
Cybersecurity teams today should prioritize adversarial threat emulation and validation for many reasons: better insight into today's threats, a clearer picture of their own defensive efficacy, and, yes, improved tool utilization, moving beyond basic tool deployment and services adoption. By actively testing tools against simulated adversarial tactics, organizations gain a clear understanding of their security stack's true capabilities, from endpoint defenses to network monitoring.
Ultimately, SCYTHE helps bridge the gap between what tools can do and what they are doing, transforming underutilized features into active defenses. For organizations facing today's complex threat landscape, that difference is invaluable.