80% of your security comes from 20% of your controls
Episode Description
In this episode, Mads Nielsen unpacks the critical insights from his recent post on maximizing security with limited budgets. Dive into the heart of his approach, where 80% of your security can come from just 20% of your controls.
Guest appearance
Mads Nielsen is a specialist in risk analysis, dedicated to transforming cyber risk analysis from theoretical discussions into practical solutions that enhance the risk exposure and response of top-performing businesses. With expertise in Cyber Risk Management and Quantitative Risk Analysis, Mads excels at clearly explaining cyber risk exposure, tolerance, and security decisions.
Transcript
James: Welcome to our webinar. My name is James, and I'm the Head of Growth Marketing at Vendict. For those of you not familiar with us, Vendict is a pioneer in AI-powered solutions that master security language. Our solutions empower GRC and security teams to minimize risk, accelerate sales cycles, and enhance competitiveness. By merging deep security expertise with advanced AI, we offer a solution that understands and interprets text contextually, reducing assessment times from weeks to hours.
Recently, we launched our TPRM solution to help businesses intelligently manage their vendor ecosystems with the support of the same AI automation that's been effective in our security questionnaire solution.
Today, I'm honored to have Mads Nielsen with us. You may have seen Mads' posts gaining traction on LinkedIn, especially his popular post on risk analysis and security, shared by hundreds. Mads is a specialist in risk analysis at Group One, transforming cyber risk analysis from theoretical discussions into practical solutions that enhance risk exposure and response for top-performing businesses. With expertise in cyber risk management and quantitative risk analysis, Mads specializes in explaining cyber risk exposure, tolerance, and security decisions at a practical level for security professionals looking to make real-world decisions.
Mads, great to have you with us. How have you been?
Mads: I'm good, thank you. I'm enjoying the Danish summer right now. We're lucky it's neither raining nor windy, so it's a good time to be in Denmark.
James: That sounds great. I'm really glad to have you with us. I want to start by sharing how we came across each other because I think it sets the scene. We came across one of your insightful posts on security and controls, which showed how 80% of your security comes from 20% of your controls. It was a fresh take for me, and the more I saw your research, the more interesting it became.
At the same time, I was researching the expectations of CISOs in the real world, which often seem unrealistic, adding stress and pressure to the role. We even looked into Steve Katz, the first CISO role pioneer, 30 years ago, and how the role has evolved in response to the digital revolution. Despite all the changes, CISOs and security teams are still expected to maintain perfect security amid aggressive growth, increased vendors, and external providers, all of which introduce enhanced risk.
Your approach stood out because you weren’t just theorizing about what security teams should control but were focused on practical implementation, challenging the status quo intelligently and clearly.
Before we dive in, a couple of quick points for the audience: Feel free to throw your questions into the chat, and we’ll get to them at the end. We also have some poll questions for you throughout the webinar, so feel free to take part. Finally, we will send a recording to everyone afterward.
Mads, let's start with your research. Why did you begin this security research journey?
Mads: Like many things in life, it began with frustration. I’ve been working with information security for seven years, and I often faced the question of what's best to do next. It felt like we were making security assessment decisions on the fly without any solid backing. I wanted to see if there was something tangible that could guide us on what’s actually better to do.
James: That makes a lot of sense. And your focus on security controls—did that come from your job or background?
Mads: Yes, I’ve had roles in data protection, compliance, and process efficiency, which naturally led me to information security. Eventually, I got frustrated with how we do risk assessments, so I started deep diving into risk analysis, honing skills in statistics, probability theory, and data analysis. There’s a great skills gap in security for using these probability methodologies.
James: Fascinating. And that 80/20 theory of security—can you walk us through that concept and where it came from?
Mads: Absolutely. The 80/20 rule, also known as the Pareto principle, essentially means that 80% of outcomes come from 20% of efforts. In security, this means 80% of your security comes from just 20% of your controls. It’s a practical rule that helps prioritize what really matters. I used it in my LinkedIn post because it’s an accessible way to illustrate the concept.
James: I think that’s a powerful concept. But how do you ensure you’re spending your security budget wisely, and how do you balance concept versus practicality?
Mads: Great question. It comes down to identifying the controls that have the most significant impact. If you try to achieve perfect security, it will become exponentially expensive. You must focus on those initial controls that provide the most value and be willing to accept that you can't cover everything.
James: And in your experience, are there controls that you feel get more credit than they deserve?
Mads: Yes, definitely. I’d say risk assessments, privacy impact assessments, and supplier security assessments are often overestimated. They become paper exercises that don’t change any real decisions. Security awareness programs are another—many are expensive and time-consuming but don’t deliver measurable improvements in behavior.
James: I can see how that would be the case. So what are the top three controls that you think make the most impact?
Mads: The top three would be:
Control that you’re aligned with the CEO on what’s most important for strategic objectives.
Control that you’re aligned with the CFO on which assets are most valuable.
Control that you have the power to influence the security posture of those assets.
If you don't have these, you're likely doing work that is disconnected from real business value.
James: That’s a very clear and practical approach. So how do you recommend that CISOs maximize their budgets in a world of rising cyber costs?
Mads: First, avoid spending on controls that have little impact. Second, consider divesting from any controls that don't improve your security posture. Finally, consider getting an independent review of your quantitative cyber risk exposure before engaging with insurers. This can lead to lower premiums and better coverage.
James: Great insights. And finally, Mads, with the increasing pressure on CISOs and security teams, what’s your advice for those feeling overwhelmed or struggling with limited budgets and resources?
Mads: Accept that you will never reach a perfect state of security. Focus on your business objectives and understand the value of what you’re not doing. It helps to have a clear understanding of what you’re choosing not to address and why.
James: That’s really valuable advice, Mads. Thank you so much for joining us and sharing your expertise. I know our audience has learned a lot. If anyone wants to follow Mads’ work, I’ve shared a link to his LinkedIn in the chat. And for those interested, we also have a report on the impact of pressure and expectations on CISOs and security teams, which you can download for free.
Mads, thank you once again. It’s been a pleasure.
Mads: Thank you, James. It’s been great talking with you all. Take care.
James: Take care, everyone.