Security Tools Alone Don’t Protect You — Control Effectiveness Does

News Room
Last updated: 2025/05/08 at 7:55 AM
News Room Published 8 May 2025

61% of security leaders reported suffering a breach due to failed or misconfigured controls over the past 12 months. This is despite having an average of 43 cybersecurity tools in place.

This massive rate of security failure is clearly not a security investment problem. It is a configuration problem. Organizations are beginning to understand that a security control installed or deployed is not necessarily a security control configured to defend against real-world threats.

The recent Gartner® Report, Reduce Threat Exposure With Security Controls Optimization, addresses the gap between intention and outcome. We feel it discusses a hard truth: without continuous validation and tuning, security tools deliver a false sense of, well, security.

In this article, we’ll take a deep dive into why control effectiveness should be the new benchmark for cybersecurity success, and how organizations can make this shift.

The Myth of Tool Coverage

Buying more tools has long been considered the key to cybersecurity performance. Yet the facts tell a different story. According to the Gartner report, “misconfiguration of technical security controls is a leading cause for the continued success of attacks.”

Many organizations have impressive inventories of firewalls, endpoint solutions, identity tools, SIEMs, and other controls. Yet breaches continue because these tools are often misconfigured, poorly integrated, or disconnected from actual business risks.

For example, in the 2024 breach at Blue Shield of California, a website misconfiguration led to personal data from 4.7 million members leaking via Google Ads. This failure revealed how even everyday tools, if incorrectly deployed or configured, can undermine organizational security and compliance.

Yet closing the gap between the presence of security tools and their efficacy requires a fundamental shift in thinking, and an even more fundamental shift in practice.

Making the Organizational Shift to Control Effectiveness

Moving toward true control effectiveness takes more than just a few technical tweaks. It requires a real shift – in mindset, in day-to-day practice, and in how teams across the organization work together. Success depends on stronger partnerships between security teams, asset owners, IT operations, and business leaders. Asset owners, in particular, bring critical knowledge to the table – how their systems are built, where the sensitive data lives, and which processes are too important to fail.

Supporting this collaboration also means rethinking how we train teams. Security professionals need more than technical skills – they need a deeper understanding of the assets they’re protecting, the business goals those assets support, and the real-world threats that could impact them.

And it’s not just about better teamwork or better training. Organizations also need better ways to measure whether their controls are actually doing the job. That’s where outcome-driven metrics (ODMs) and protection-level agreements (PLAs) come in. ODMs show how quickly misconfigurations are fixed and how reliably true threats are detected. PLAs set clear expectations for how defenses should perform against specific risks.

Together, these measurements move security from a matter of trust to a matter of proof. They help organizations build resilience that they can measure, manage, and improve over time.

Continuous Optimization Is the New Normal

Measuring security effectiveness is a critical first step — but maintaining it is where the real challenge begins. Security controls aren’t static. They need regular tuning to stay effective as threats evolve and businesses change. As Gartner states, “optimal configuration of technical security controls is a moving target, not a set-and-forget or a default setting.”

Teams that treat configuration as a one-off project are setting themselves up to fall behind. New vulnerabilities emerge, attackers shift their tactics, and cloud environments evolve faster than any annual audit can keep up with. In this environment, patching systems once a quarter or reviewing settings once a year simply isn’t enough. Continuous optimization has to become part of the day-to-day.

That means making it a habit to step back and ask the tough questions: Are our controls still protecting what matters most? Are our detection rules tuned to the threats we’re facing today? Are our compensating measures still closing the right gaps — or have they drifted out of sync?

Keeping defenses sharp isn’t just about applying technical updates. It’s about integrating real-world threat intelligence, reassessing risk priorities, and making sure operational processes are strengthening security – not introducing new weaknesses. Security effectiveness isn’t a box you check once. It’s something you build, test, and refine – over and over again.

Building for Effectiveness: What Needs to Change

Making security controls truly effective demands a broader shift in how organizations think and work. Security optimization must be embedded into how systems are designed, operated, and maintained – not treated as a separate function.

Gartner notes that “no security team can be fully effective in isolation.” In XM Cyber’s view, this means security needs to become a team sport. Organizations need to build cross-functional teams that bring together security engineers, IT operations, asset owners, and business stakeholders. Effective optimization depends on understanding not just how controls work, but what they are protecting, how those systems behave, and where the real business risks lie.

Aligning security control efforts with a broader Continuous Exposure Management program also helps build a repeatable, structured way to improve over time. Instead of reacting to gaps after a breach, organizations can proactively identify weaknesses, fine-tune controls, and measure progress against real risk reduction – not just theoretical coverage.

The Bottom Line

Security has never been about simply having the right tools. It is about understanding whether those tools are ready for the threats that matter most. Closing the gap between control presence and control effectiveness demands more than technical fixes. It requires a change in how organizations think, work, and measure success.

In our opinion, this new research from Gartner makes the message clear: static defenses will not keep pace with dynamic risks. Organizations that embrace continuous optimization – tuning controls, validating performance, and aligning security with real business priorities – will be the ones that stay resilient.

Standing still is falling behind, at least where cybersecurity is concerned. The future belongs to organizations that treat security as a living system – measured, tuned, and proven every day.

Note: This article was expertly written and contributed by Dale Fairbrother, Director of Product Marketing at XM Cyber.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
