The Minimum Viable Security Program — MV(S)P: Focus is Power

Your security program is probably failing. And it’s not your fault.

We’ve been sold a lie about cybersecurity: that more tools, more data, and more compliance equals better security. The results? Organizations are spending over $200 billion on security in 2025, yet only 3% report being truly prepared for cyber threats —down from 15% just a year ago.

The math doesn’t add up. More spending, worse outcomes.

What if the problem isn’t that we’re not doing enough security, but that we are approaching it the wrong way?

The “completeness” trap is killing security programs.

The security industry has long asserted that good security means comprehensive security. Cover every NIST subcategory. Implement every framework. Monitor everything. Detect all threats. Prevent every incident.

This is impossible. 

While security teams are busy trying to secure everything, attackers are focused on the few things that actually matter. They’re not randomly spraying attacks—they’re surgically targeting your crown jewels.

Stop trying to secure everything (because you can’t)

Rather than chasing full coverage across all tool subcategories, organizations should focus their security on their specific situation. Your security posture should reflect the people you have, the budget you’re working with, the industry you operate in, and the threats that specifically target your vertical. This situational approach provides meaningful prioritization, rather than stretching resources to meet generic framework requirements.

Not every tool category deserves implementation and that’s okay.  

Not every asset, system, or data type deserves the same level of protection.  The key is identifying what truly matters and concentrating your limited resources there, rather than spreading security efforts like peanut butter across every possible attack surface. 

A counter-culture idea: collect less security data, not more 

Every security vendor promises the same thing: ‘comprehensive visibility.’ More logs, more alerts, more dashboards, more data. The assumption is that if you just collect enough security telemetry, clarity will emerge.

The opposite typically happens. High volumes of security data create noise, not signal. The influx of logs from hundreds of devices and network, cloud and identity sources creates a backlog of raw alerts, drives up operational costs, fuels analysis paralysis, and delays actual response.

Security teams don’t need more data; they need more situational awareness. It’s far more effective to add context to fewer security inputs rather than being overwhelmed by decontextualized alerts. Context – understanding which alerts matter for your specific business, assets, and threat landscape – today comes primarily from skilled staff, not the tools.

Enter the Minimum Viable Security Program: MV(S)P

To build a security program that meets corporate needs without the complexity that slows down progress, consider following a concept borrowed from manufacturing and new product design – a Minimum Viable Security Program: MV(S)P. 

An MV(S)P approach is highly situational to the risks, capabilities, capacity, and budget of the organization. As a foundation, MV(S)Ps contain four critical pillars:

1. High-value Asset Identification: Pinpoint what actually matters: revenue-generating systems, customer data, and assets that would trigger regulatory penalties if compromised. Asset identification is notoriously tricky – so simplify the initial task with this focus. Even having the “value” discussion internally will put your program in a better spot. 
2. Relevant Threat Intelligence: Focus on threats specifically targeting your locations, your industry, and your tech stack. Generic threat feeds are noise; contextual intelligence is signal. 
3. Access Management: Control access like your business depends on it — precise control over who and what accesses your critical systems. If you can’t control access, you can’t control risk. 
4. Software Security: Prevention at the application layer beats detection and response after the fact. Focus AppSec efforts where attackers actually strike, not only where compliance frameworks suggest.

These pillars are the minimal foundation for building a viable security program. However, maturity requires continuous improvement, which is a core principle of an MV(S)P. This includes implementing regular penetration testing, conducting tabletop exercises, and performing phishing simulations to identify gaps or prove protection. While it might be tempting to jump into a framework, a better approach is to use it as navigational tools, selecting what you need to help set realistic goals. 

• Your situation drives MV(S)P: Practical security that actually works for the resource-constrained
• Context beats volume: Less data, more insight every time
• Start with what matters – Four pillars, not everything
• Test reality – Frameworks are guides, not gospels
• Win through focus – Clarity is your competitive advantage

The Minimum Viable Security Program isn’t about doing less security—it’s about doing security centered on a risk perspective and continuously improving over time. 

In a world drowning in security complexity, focus is power.