
Why Data Beats Gut Feeling


Ever noticed how some security teams seem to nail their strategy while others struggle despite huge tech investments? The secret weapon might surprise you—it's not the latest AI-powered tool, but something most of us learned in university: the scientific method.

The most valuable skill I gained from university wasn't a specific security framework or coding language. It was something far more fundamental: a systematic way to test ideas and learn from results.

Like many in our field, I've heard endless debates about whether university education is "worth it" for cybersecurity careers. While specialised technical skills are certainly important, my experience taught me that the scientific approach to problem-solving has been my true competitive advantage.

This approach—asking good questions, forming testable theories, and making decisions based on evidence—turns out to be exactly what effective cybersecurity needs in today's complex threat landscape. Put this way, it sounds obvious, right?

When we strip away the academic language, the scientific method becomes a powerful, everyday framework for security decisions.

The Scientific Method in Action

Consider a common scenario: Your organisation needs to develop a comprehensive security strategy following a risk assessment that identified several significant gaps. The traditional approach might be to immediately adopt an industry-standard framework like NIST or ISO, purchase recommended tools, and implement controls across all business units simultaneously. But a scientific approach looks different:

First, you'd ask precise questions: "Which security gaps present the highest actual risk to our specific business operations? What factors in our environment might affect the effectiveness of standard controls? Which business processes would be most impacted by proposed security measures?"

Based on this analysis, you might hypothesise: "Our cloud environment faces 40% more security incidents than our on-premises systems because our current identity management approach creates excessive standing privileges that persist across environments."

Instead of a blanket solution, you might test targeted interventions: implementing a just-in-time access model in one cloud environment, applying attribute-based access controls in another, and maintaining current controls in a third as a control group. You'd establish baseline metrics before implementation and measure changes after deployment across multiple dimensions: security incidents, operational impact, and user experience.

In my consulting days, one client discovered through this approach that their expensive identity governance solution was actually less effective than a simplified role-based access model with regular attestation that they tested as a "streamlined alternative." The simplified approach not only reduced identity-related incidents by around 25% but also decreased the administrative burden on both IT teams and business users. Without methodical testing, they would never have known their significant investment wasn't delivering the expected value in their specific environment and that a simple, cost-effective tool was all they needed at the time.

What Netflix Can Teach Us

Netflix offers a compelling example of how experimental thinking drives success. Their evolution from DVD rental to streaming giant wasn't the result of one brilliant strategy but thousands of small, data-driven decisions.

  • They run thousands of small tests instead of a few big bets
  • They make decisions based on results, not hierarchy
  • They empower teams to experiment independently
  • They create fast feedback loops to accelerate learning

Security teams can follow this playbook by breaking down major initiatives into testable parts and running multiple experiments in parallel.

For example, instead of implementing a complete privileged access solution across your company based on industry "best practices", try:

  1. Testing just-in-time access in one department
  2. Measuring actual usage patterns and security incidents
  3. Analysing impact on both security and operations
  4. Refining your approach before expanding
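The experiment described earlier (three cloud environments, one kept as a control group, baseline metrics before the change and the same metrics after it) and the four steps above both come down to the same evaluation: did the intervention group move more than the control, and is the difference large enough to trust given how few incidents there are? The following is an added example, not code from the original post; every count in it is constructed, the group names are hypothetical, and it assumes incidents can be modelled as a Poisson process per user-day so that two rates can be compared with an exact conditional binomial test. The point it makes that the prose alone cannot is that a large-looking percentage drop in one group can still be indistinguishable from the control when incident counts are small.

```python
"""Evaluate a controlled access-management experiment (added example, constructed data)."""
from math import comb

# Constructed observations for three environments over 60,000 user-days per period.
# "baseline" is the period before the change, "post" the period after it.
# incidents = identity-related security incidents; tickets = access-related helpdesk
# tickets, used as a crude operational-burden dimension. Group names are hypothetical.
OBSERVATIONS = {
    "jit_access": {"baseline": {"incidents": 36, "tickets": 410, "user_days": 60_000},
                   "post":     {"incidents": 12, "tickets": 450, "user_days": 60_000}},
    "abac":       {"baseline": {"incidents": 34, "tickets": 400, "user_days": 60_000},
                   "post":     {"incidents": 26, "tickets": 380, "user_days": 60_000}},
    "control":    {"baseline": {"incidents": 32, "tickets": 395, "user_days": 60_000},
                   "post":     {"incidents": 30, "tickets": 405, "user_days": 60_000}},
}


def rate_per_1000(count, user_days):
    """Incidents per 1,000 user-days, so groups of different size are comparable."""
    return 1000.0 * count / user_days


def relative_change(before, after):
    """Fractional change from before to after (negative means a reduction)."""
    return (after - before) / before


def binom_pmf(k, n, p):
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def rate_ratio_pvalue(n1, t1, n2, t2):
    """Exact two-sided p-value for H0: the two Poisson rates n1/t1 and n2/t2 are equal.

    Conditional on the total n1+n2, n1 is Binomial(n1+n2, t1/(t1+t2)) under H0.
    The two-sided p-value sums every outcome at least as unlikely as the observed one.
    """
    n, p0 = n1 + n2, t1 / (t1 + t2)
    observed = binom_pmf(n1, n, p0)
    total = sum(binom_pmf(k, n, p0) for k in range(n + 1)
                if binom_pmf(k, n, p0) <= observed * (1 + 1e-9))
    return min(1.0, total)


def evaluate(observations=OBSERVATIONS, control="control", alpha=0.05):
    """Per group: baseline/post rates, relative changes, and a verdict against the control."""
    ctrl_post = observations[control]["post"]
    ctrl_post_rate = rate_per_1000(ctrl_post["incidents"], ctrl_post["user_days"])
    results = {}
    for name, periods in observations.items():
        b, p = periods["baseline"], periods["post"]
        row = {
            "baseline_rate": rate_per_1000(b["incidents"], b["user_days"]),
            "post_rate": rate_per_1000(p["incidents"], p["user_days"]),
            "incident_change": relative_change(b["incidents"] / b["user_days"],
                                               p["incidents"] / p["user_days"]),
            "ticket_change": relative_change(b["tickets"], p["tickets"]),
        }
        if name != control:
            # Compare the post-period rate with the control's post-period rate.
            pv = rate_ratio_pvalue(p["incidents"], p["user_days"],
                                   ctrl_post["incidents"], ctrl_post["user_days"])
            row["p_value_vs_control"] = pv
            reduced = row["post_rate"] < ctrl_post_rate
            row["verdict"] = "supported" if (pv < alpha and reduced) else "not supported"
        results[name] = row
    return results


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:11s} rate {row['baseline_rate']:.2f} -> {row['post_rate']:.2f} "
              f"/1000 user-days, incidents {row['incident_change']:+.0%}, "
              f"tickets {row['ticket_change']:+.0%}"
              + (f", p={row['p_value_vs_control']:.3f} ({row['verdict']})"
                 if 'verdict' in row else " (control)"))
```

With the constructed numbers, the just-in-time group's reduction holds up against the control, while the attribute-based group's apparent 24% drop does not: with only a few dozen incidents per period it is consistent with chance. Note that the ticket dimension moves the other way for the just-in-time group, which is exactly the kind of operational trade-off step 3 above asks you to weigh before step 4.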

Your ‘Scientific’ Security Journey

The path to better security doesn't start with more technology—it begins with a more thoughtful approach to how we solve problems. By applying the scientific method to security challenges, you can transform your program from assumption-driven to evidence-based.

You don't need academic credentials or sophisticated data science capabilities to begin. You simply need curiosity, discipline, and a commitment to learning from both success and failure.

Ask yourself: What security assumption am I making that deserves testing? What hypothesis could I form about improving our security posture? What small experiment could I run to validate or challenge our current approach?

The answers to these questions might reveal not only immediate security improvements but a fundamentally more effective way to approach security challenges in our increasingly complex digital environment.

The scientific method has powered centuries of human advancement. It's time we harnessed its full potential to protect our digital future. Don't reinvent the wheel; just adapt the framework that has been working for centuries to your organisation's context.