Organisations follow a reactive approach to cybersecurity, which is stifling their progress in demonstrating value and aligning with business outcomes, according to a new study by Forrester Consulting on behalf of WithSecure.

Eighty-three percent of firms are interested in, planning to adopt, or expanding their adoption of outcome-based security solutions and services. However, the study also found that most organisations currently approach cybersecurity on a reactive basis. Sixty percent said they react to individual cybersecurity problems as they arise.
There was some variance according to industry: 71 percent of manufacturers highlighted this reactivity, compared to just over half of the highly regulated financial services sector.
Regardless of industry, respondents overwhelmingly felt the reactive approach was problematic for their organisations. Ninety percent of them said they struggle with challenges when they react to cybersecurity problems as they arise. This was in spite of the fact that cybersecurity budgets are growing, with 71 percent of respondents agreeing that they spend more on cybersecurity each year.
Outcome-based cybersecurity
Visibility of cyber risks, finding the required skills and resources, and responding quickly and effectively were the most common challenges highlighted by respondents.
“Today, most cybersecurity investments are aimed towards the reduction of cyber risks. However, the problem arises when the risks that are being mitigated are not the ones that are most important for the outcomes the business wants to achieve. This could either result in cybersecurity investments being completely disconnected from the business or cybersecurity not getting the appropriate funding at all,” said WithSecure chief security officer, Christine Bejerasco.
Outcome-based cybersecurity is an approach that enables business leaders to simplify cybersecurity by cultivating only those capabilities that measurably deliver their desired outcomes, as opposed to traditional threat-based, activity-based, or ROI-based methods.
The most common outcomes that respondents wanted security to support included risk management, with 44 percent of survey respondents wanting to reduce risk to meet their top cybersecurity goals; customer experience, with 40 percent of respondents wanting security to improve customer experience; and revenue growth, which was highlighted by 34 percent of respondents.
While many firms had clear outcomes that they’d like security to help them achieve, only one in five organisations claimed to have complete alignment between cybersecurity priorities and business outcomes.
Challenges include managing a complex IT environment, handling conflicting cybersecurity and business goals, and maintaining desired results of detection technologies.





