Unlocking business potential through outcome-based security [Q&A]
Traditionally, organizations have focused on measuring the results of their cyber security strategies in terms of threat events or security incidents to determine how effective their security controls are.
However, in today's fast-paced world, the real game-changer is aligning security outcomes with business objectives and this is where 'outcome-based security' plays a huge role. It's a shift in focus for organizations, but one which can empower security teams to add even greater value to the strategic goals of the business.
We spoke to Christine Bejerasco, CISO at WithSecure about this new approach to security.
BN: What is outcome-based security and why is it needed?
CB: Outcome-based security is a strategy that aligns cyber security efforts with business goals, thereby serving as a strategic enabler rather than just a protective measure.
Cyber security has transitioned from a technical concern to an enterprise imperative. It's no longer just about combatting attacks; it's about enabling organizations to achieve their strategic goals effectively. Yet, the threat landscape remains volatile. Malicious actors constantly adapt their tactics, making them increasingly difficult to predict and counter. Our recent report shows that despite escalating budgets, 90 percent of global security and IT decision-makers are ill-equipped to manage these ever-changing threats.
This struggle is often rooted in a reactive approach to cyber security, leading to misalignment across personnel, processes, and technology. The result is an inconsistent response to cyber incidents, undermining the organization's ability to meet its objectives. Outcome-based security has enormous transformative potential for organizations struggling with to keep up with these threats.
BN: What steps should an organisation take to transition from a traditional ROI-based security approach to an outcome-based model?
CB: Moving from traditional threat or ROI-based security methods to an outcome-based model requires a paradigm shift in both strategy and execution. The first step is agreeing on the business outcomes the organization desires to attain. These outcomes are high-level and typically unrelated to security. Cyber security's role is then to identify security risks to those business outcomes, and define security outcomes that would help reduce those risks. These security outcomes can then clearly align with business outcomes, be it risk mitigation, customer experience enhancement, or operational resilience. Then these business outcomes serve as the compass and map, guiding all cyber security decisions.
Forrester defines outcome-based security as focusing on capabilities that measurably deliver these desired outcomes. Therefore, the next step involves aligning your risk management strategies with these organisational priorities. This is not merely a defensive posture but a proactive approach that keeps the business one step ahead of evolving threats.
The transition also requires a change in perspective, attained by viewing cyber security not as a cost centre but as a strategic enabler. This shift is crucial for facilitating business growth and enhancing reputation.
BN: What are some of the challenges in aligning security with the wider goals of the business?
CB: Positioning security with broader business goals is a complex endeavour, heightened by a lack of comprehensive understanding of the technology landscape among security leaders. Our survey underscores this disconnect, revealing that only 20 percent of respondents experience full alignment between cyber security priorities and business objectives. The multifaceted challenges include managing an intricate IT environment, reconciling conflicting cyber security and business aims, and ensuring effective threat detection technology is in place.
The situation is further complicated by the rapid pace of digital transformation, escalating data volumes, and evolving threat landscapes. Many professionals admitted to struggling with the complexity of their IT environments. This complexity often leads to investment in a patchwork of solutions, each addressing individual cyber incidents but collectively contributing to a fragmented technology landscape.
This fragmentation complicates basic tactical activities and creates vulnerabilities that cyber attackers are all too eager to exploit. The result is a compromised defense mechanism that raises serious questions about the efficacy of threat detection.
BN: Can you explain more about how organizations can surmount these obstacles?
CB: Aligning cyber security with business outcomes often boils down to issues of measurement and communication. Our data reveals that 37 percent of respondents need help quantifying how their cyber security initiatives bolster business objectives. Additionally, half of the surveyed firms struggle to articulate the business value of their cyber security efforts. This disconnect is not merely a metric issue; it's a communication barrier that hampers the ability to bridge the gap between technical and non-technical stakeholders.
To gain boardroom attention, cyber security leaders must demonstrate how their strategies support business outcomes. This requires capturing consistent, meaningful data, such as threat intelligence reports and incident response metrics that can inform cyber security policies and broader business strategies. Yet, the challenge doesn't end there.
Many professionals have cited executive leadership's lack of cyber security understanding as a significant hurdle. This gap in comprehension makes it difficult for cyber security professionals to optimize strategies, build compelling business cases for investment, and secure necessary budgets. For cyber security leaders, mastering the art of communicating cyber security metrics in terms of business results is not just beneficial -- it's imperative.
BN: How do technologies like machine learning contribute to real-time threat visibility, and how does this align with the principles of outcome-based security?
CB: Technologies like machine learning act as assistants, providing a much needed additional resource for monitoring of network activities and potential threats. According to Forrester research, 40 percent of IT and security decision-makers report struggling with the complexity of their IT environments, a challenge that hampers alignment with business outcomes. In such a complex landscape, the role of machine learning and AI becomes even more critical.
These technologies enable organizations to cut through the noise and focus on what matters most -- identifying and mitigating threats before they escalate into full-blown crises. They facilitate the development of robust incident response plans, outlining clear roles, responsibilities, and procedures for managing cyber security incidents. This real-time threat intelligence allows businesses to stay on course toward achieving their strategic objectives, ensuring that resources are deployed effectively and aligned with a well-defined plan.
Therefore, machine learning is not just a technological add-on; it is an integral component of an outcome-based security strategy, enabling businesses to navigate the complexities of today's cyber security landscape.
BN: Why are cross-departmental collaboration and the culture of the organization as a whole so important for making the shift to an outcome-based security model?
CB: The shift to outcome-based security requires cross-departmental collaboration. It begins with a shared understanding among all stakeholders -- from board members to executive teams -- of what business outcomes need to be achieved and how cyber security initiatives align with those. This common understanding must extend beyond IT and security, involving procurement and legal teams to ensure vendor contracts align with specific security outcomes.
The importance of a collaborative culture cannot be overstated. The statement, 'security is everyone's responsibility,' may sound like a cliché, but it's the only sustainable way to do cyber security. It's not merely about having the right technology in place; it's about ensuring that every department is both influenced by, and contributes to, cyber security practices. This involves auditing your current security technology portfolio to identify and replace outdated solutions that don't serve your business goals. A reliable monitoring system is also crucial for tracking progress and making necessary adjustments.
The journey toward outcome-based security is not a solo mission but a co-ordinated effort enabling your organization to navigate the complexities of today's cyber security landscape more effectively.
Image credit: IgorVetushko/depositphotos.com