Many organizations follow a reactive approach to cyber security which is stifling their progress in demonstrating value and aligning with business outcomes, according to a new commissioned study conducted by Forrester Consulting on behalf of WithSecure.
83 percent of respondents surveyed in the study were interested in, planning to adopt, or expanding their adoption of outcome-based security solutions and services. However, the study also found that most organizations currently approach cyber security on a reactive basis. 60 percent of survey respondents said they react to individual cyber security problems as they arise.
There was some variance according to industry: 71 percent of manufacturers highlighted this reactivity, compared to just over half of the highly regulated financial services sector.
Regardless of industry, respondents overwhelmingly felt the reactive approach was problematic for their organizations. 90 percent of them said they struggle with challenges when they react to cyber security problems as they arise. This was in spite of the fact that cyber security budgets are growing, with 71 percent of respondents agreeing that they spend more on cyber security each year.
Visibility of cyber risks, finding the required skills and resources, and responding quickly and effectively, were the most common challenges highlighted by respondents.
“Today, most cyber security investments are aimed towards the reduction of cyber risks. However, the problem arises when the risks that are being mitigated are not the ones that are most important for the outcomes the business wants to achieve. This could either result in cyber security investments being completely disconnected from the business or cyber security not getting the appropriate funding at all,” explained WithSecure™ Chief Security Officer Christine Bejerasco.
What is outcome-based cyber security?
According to the Forrester study, outcome-based cyber security is an approach that enables business leaders to simplify cyber security by cultivating only those capabilities that measurably deliver their desired outcomes as opposed to traditional threat, activity-based, or ROI-based methods.
The most common outcomes that respondents wanted security to support included risk management, with 44 percent of survey respondents wanting to reduce risk to meet their top cyber security goals; customer experience, with 40 percent of respondents wanting security to improve customer experience; and revenue growth, which was highlighted by 34 percent of respondents.
While many respondents had clear outcomes they’d like security to help them achieve, only one in five organizations claimed to have complete alignment between cyber security priorities and business outcomes.
There are numerous obstacles in the way of efforts to align cyber security with business outcomes, including, but not limited to, managing a complex IT environment, handling conflicting cyber security and business goals, and maintaining desired results of detection technologies.
However, assessing how well security priorities helped support business outcomes was equally problematic. Significant challenges highlighted by respondents included:
- 42 percent had an insufficient understanding of current and target state maturity against which security value should be assessed.
- 37 percent expressed difficulties in measuring cyber security value.
- 36 percent were challenged by capturing consistent and meaningful data.
- 28 percent found challenges in overcoming the security paradox when communicating value (investment in effective security results in fewer opportunities to demonstrate value).
- 23 percent encountered challenges in translating cyber security metrics into something meaningful to the board.
The study, The Value Of Putting Security Outcomes First: Rethink Cybersecurity To Amplify Resilience, Productivity, And Competitiveness, is available here.