Reactive approach to cybersecurity is a problem for organizations

A new survey shows respondents feel a reactive approach to security is problematic for their organizations. 90 percent of them say they struggle with challenges when they react to cyber security problems as they arise.
The study, conducted by Forrester Consulting for WithSecure, shows most organizations currently approach cyber security on a reactive basis, with 60 percent of respondents saying they react to individual cyber security problems as they arise.
There is some variation between industries: 71 percent of manufacturers highlight this reactivity, compared to just over half of the highly regulated financial services sector. Overall, though, 83 percent of respondents surveyed in the study are interested in, planning to adopt, or expanding their adoption of outcome-based security solutions and services.
"Today, most cyber security investments are aimed towards the reduction of cyber risks. However, the problem arises when the risks that are being mitigated are not the ones that are most important for the outcomes the business wants to achieve. This could either result in cyber security investments being completely disconnected from the business or cyber security not getting the appropriate funding at all," says WithSecure's chief security officer Christine Bejerasco.
The most common outcomes that respondents want security to support include risk management, with 44 percent wanting to reduce risk to meet their top cyber security goals; customer experience, with 40 percent wanting security to improve customer experience; and revenue growth, which was highlighted by 34 percent of respondents.
While many respondents had clear outcomes they'd like security to help them achieve, only one in five organizations claim to have complete alignment between cyber security priorities and business outcomes.
Challenges cited by respondents include 42 percent having an insufficient understanding of current and target state maturity against which security value should be assessed. 37 percent say they have difficulties in measuring cyber security value, and 36 percent struggle with capturing consistent and meaningful data.
There are also concerns over 'selling' cybersecurity to the rest of the business: 28 percent find challenges in overcoming the security paradox when communicating value (investment in effective security results in fewer opportunities to demonstrate value). Also, 23 percent have encountered challenges in translating cyber security metrics into something meaningful to present to the board.
The full study is available from the WithSecure site.