A global survey of 409 cybersecurity and IT decision-makers from companies with at least 250 employees suggested that while there is a lot more attention being paid to aligning cybersecurity strategy with business goals, most organizations are still spending most of their time reacting to events rather than achieving specific outcomes.
Conducted by Forrester Consulting on behalf of WithSecure, a provider of cybersecurity software and services, the survey found 83% of respondents are interested in, planning to adopt or expanding their adoption of outcome-based security solutions and services. However, 60% conceded their current approach is to react to individual cybersecurity problems as they arise, with 90% of respondents noting they struggle with challenges when using that approach.
Only 20% of respondents claimed their organization has complete alignment between cybersecurity priorities and business outcomes, the survey found.
Paul Brucciani, cybersecurity advisor and head of product marketing for WithSecure, said the inability to align cybersecurity strategies and investments is a function of maturity. The challenge organizations are encountering is that many of those investments have been made in a piecemeal fashion that results in a lot of dissatisfaction.
The survey, for example, found 71% of respondents said their organization spends more on cybersecurity each year. The latest example of that trend is investments in zero-trust IT initiatives that promise to enable organizations to align their cybersecurity strategy with business outcomes. But with more than 3,500 vendors today providing some type of cybersecurity platform or tool, it’s challenging for organizations to determine the best path forward in a market full of competing claims, noted Brucciani.
A full 74% of respondents noted that the issue is receiving more attention from the board of directors, with 75% identifying it as a top board priority. As a result, survey respondents are more focused on risk management (44%), better customer experiences (40%) and revenue growth (34%). The issue that arises is 42% admitted they have an insufficient understanding of current and target maturity against which security value should be assessed. Another 37% expressed difficulties in measuring cybersecurity value.
Other challenges included capturing consistent and meaningful data (36%), communicating values (28%) and translating cybersecurity metrics into performance indicators that mean something to a board of directors , the survey found
The survey also found that the planning process is often inconsistent. For example, 36% said cybersecurity goals are determined by what is important at the planning stage of the business cycle, while 31% said goals are determined by individual business units. Another 30% said goals are determined based on compliance needs.
It is, of course, difficult to focus on fire prevention when everyone on the cybersecurity team is busy trying to put out the latest fire. However, a more strategic approach is clearly required because not every asset can be defended equally well given the resources at hand. More than a third (35%) of survey respondents noted that finding and retaining qualified cybersecurity professionals is one of the top challenges they face when reacting to cybersecurity incidents.
The one thing that is clear is the current reactive approach to cybersecurity used by most organizations is not delivering the outcomes the business needs. As such, it’s incumbent on IT and cybersecurity leaders to find another way forward.