A new study conducted by Forrester Consulting on behalf of WithSecure™ (formerly known as F-Secure Business) shows that organizations’ reactive approach to cybersecurity is stifling their progress in demonstrating value and aligning to business outcomes.
Although 83% of respondents were interested in, planning to adopt or expand their use of performance-based security solutions and services, most found their current reactive approach problematic. 60% of respondents react to individual cybersecurity issues only when they arise.
Even as cybersecurity budgets grow, 90% of respondents struggle to address the challenges of the reactive approach. Regardless of the industry, the respondents believed that it was difficult to make cyber risks visible, to find competence and resources and to react quickly and effectively.
However, there was some variation between industries, with 71% of those operating in manufacturing experiencing reactivity as problematic, compared to just over half in the highly regulated financial services sector.
"Today, most investments in cyber security are aimed at reducing cyber risks. The problem arises, however, when the risks that are reduced are not the primary ones for the results that the business wants to achieve. This can either result in cyber security investments being completely disconnected from the business, or cyber security not being properly funded at all," explained WithSecure™ Chief Security Officer Christine Bejerasco.
According to the Forrester study, results-based cybersecurity is an approach that enables business leaders to simplify cybersecurity by focusing only on the capabilities that measurably deliver the desired results, instead of traditional threat-, activity-, or ROI-based approaches.
The most common outcomes respondents wanted security to support were risk management, with 44% of respondents wanting to reduce risk to achieve their top cybersecurity goals; customer experience, with 40% of respondents wanting to improve it through security efforts; and revenue growth, which 34% highlighted as a desired outcome.
Although many respondents had clear outcomes they wanted security to help them achieve, only one in five organizations felt that cybersecurity priorities and business outcomes went hand in hand.
Many obstacles complicate efforts to align cybersecurity with business outcomes, including, but not limited to, managing a complex IT environment, managing conflicting cybersecurity and business goals, and maintaining desired outcomes of detection technologies.
It was also difficult to assess how well security priorities helped support business results. Significant challenges highlighted by respondents were insufficient understanding of current and desired security value maturity (42%), difficulty measuring cybersecurity value (37%), difficulty capturing consistent and meaningful data (36%), difficulty overcoming the security paradox in communicating value (28%), and challenges in translating cybersecurity metrics into something meaningful to the board (23%).