Delinea has announced findings from a global survey of over 2,000 IT security decision makers (ITSDMs) which reveals the impacts of misalignment between the cyber security function and wider business leadership.
Asked about the board and c-suite's understanding of cyber security across the organization, only 39 percent of respondents think their company’s leadership has a sound understanding of cyber security’s role as a business enabler. Over a third (36 percent) believe that it is considered important only in terms of compliance and regulatory demands, while 17 percent said it is not seen as a business priority.
The disconnect between business and security goals appears to have caused at least one negative consequence to 89 percent of respondents’ organizations, with more than a quarter (26 percent) also reporting it resulted in an increased number of successful cyber attacks at their company.
The impact of misaligned goals on cyber security was wide-ranging as it contributed to delays in investments (35 percent), delays in strategic decision making (34 percent), and unnecessary increases in spending (27 percent).
There were also consequences for the individuals themselves, with 31 percent of respondents reporting that it increased stress across the whole security team. Furthermore, global economic uncertainty has worsened the situation, with nearly half of those surveyed (48 percent) stating that aligning cyber security and broader business goals is becoming more difficult to achieve as a result.
Metrics and processes don’t focus on business outcomes
Structural processes are key to aligning goals and, encouragingly, the survey revealed that most security teams (62 percent) meet regularly with their business counterparts at the highest level. Additionally, 54 percent of companies have also embedded security team members within business functions. However, the research showed there is still room to improve, as less than half of organizations (48 percent) are documenting policies and procedures to facilitate alignment, and a further third of all respondents (33 percent) reported that alignment is ad hoc and only ‘happens when needed.’
The report also brought to light that metrics used to measure and demonstrate the value that cyber security delivers are still strictly linked to technical or activity-based figures. For example, the number of prevented attacks (31 percent) was cited as the most important measure of success, followed by meeting compliance objectives (29 percent) and reducing costs of security incidents (29 percent).
“Cyber security can be a huge business enabler, but this research reflects that there is still some work to do at the board level in shifting mindsets. Executive leaders need to think of cyber security not only in terms of ticking the compliance box or protecting the company, but also in terms of the value it can deliver at a more strategic level,” said Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea.
Making the business case to the board
Building out business skillsets may provide the path to better alignment; however, respondents listed technical skills as the most valuable for cyber security leaders to possess. These were rated above skills such as communication, collaboration, business acumen, and managing people.
Nearly a third (31 percent) believed that making the business case to their board and c-suite was a gap in their own skillset, while communication skills were recognized as an area for improvement by 30 percent of respondents.
Aligning goals also involves reviewing the reporting lines and CEO-level visibility. However, the Delinea survey suggests that there is little appetite for change in reporting structures, as only 27 percent of ITSDMs believe the CISOs or the most senior cyber security leaders should report to the CEO to best align cyber security with the overall goals of the business.