Outcome-based cybersecurity paves way for organizational goals

Organizations follow a reactive approach to cybersecurity which is stifling their progress in demonstrating value and aligning with business outcomes, according to WithSecure.

83% of respondents surveyed in the study were interested in, planning to adopt, or expanding their adoption of outcome-based security solutions and services.

Reactive cybersecurity approach prevails in most organizations

However, the study also found that most organizations currently approach cybersecurity on a reactive basis. 60% of survey respondents said they react to individual cybersecurity problems as they arise.

There was some variance according to industry: 71% of manufacturers highlighted this reactivity, compared to just over half of the highly regulated financial services sector.

Regardless of industry, respondents overwhelmingly felt the reactive approach was problematic for their organizations. 90% of them said they struggle with challenges when they react to cybersecurity problems as they arise. This was in spite of the fact that cybersecurity budgets are growing, with 71% of respondents agreeing that they spend more on cybersecurity each year.

Visibility of cyber risks, finding the required skills and resources, and responding quickly and effectively, were the most common challenges highlighted by respondents.

The importance of outcome-based cybersecurity for businesses

“Today, most cybersecurity investments are aimed towards the reduction of cyber risks. However, the problem arises when the risks that are being mitigated are not the ones that are most important for the outcomes the business wants to achieve. This could either result to cybersecurity investments being completely disconnected from the business or cyber security not getting the appropriate funding at all,” explained WithSecure CSO Christine Bejerasco.

According to the Forrester study, outcome-based cybersecurity is an approach that enables business leaders to simplify cybersecurity by cultivating only those capabilities that measurably deliver their desired outcomes as opposed to traditional threat, activity-based, or ROI-based methods.

The most common outcomes that respondents wanted security to support included risk management, with 44% of survey respondents wanting to reduce risk to meet their top cybersecurity goals; customer experience, with 40% of respondents wanting security to improve customer experience; and revenue growth, which was highlighted by 34% of respondents.

While many respondents had clear outcomes they’d like security to help them achieve, only one in five organizations claimed to have complete alignment between cybersecurity priorities and business outcomes.

Aligning cybersecurity with business outcomes

There are numerous obstacles problematizing efforts to align cybersecurity with business outcomes, including but not limited to managing a complex IT environment, handling conflicting cybersecurity and business goals, and maintaining desired results of detection technologies.

However, assessing how well security priorities helped support business outcomes was equally problematic. Significant challenges highlighted by respondents included:

• 42% have insufficient understanding of current and target state maturity for assessing security value.
• 37% struggle to measure cybersecurity value.
• 36% face challenges in capturing consistent and meaningful data.
• 28% find it challenging to communicate the security paradox when demonstrating value.
• 23% have difficulty translating cybersecurity metrics into meaningful board-level insights.