Paul Brucciani, Cyber Security Advisor at WithSecure™ has important information about helping organizations overcome challenging times, and shedding light on how the outcome-based security mindset can be a game changer. He offers this Q&A format presentation on Outcome-based Security in Modern Business.
According to a study by Forrester, commissioned by WithSecure, 75% of organizations have placed cybersecurity on their priority list, influenced by a combination of global events, digital transformation, and tightening regulations. However, adversaries constantly evolve their methods, catching many off-guard. Even with budget hikes, 90% of global IT decision-makers are in a constant scramble to counteract these ongoing threats.
Many companies find themselves on the defensive, reacting to threats as they come. The study found that 60% of companies operate in this ‘firefighting’ mode, leading to a mismatch in team efforts, processes, and tech tools. One way to get beyond this cycle is by embracing an outcome-based approach to security, which provides a clear direction for cybersecurity measures.
This emphasizes the outcome of cybersecurity strategies, rather than the security activity itself. Also known as ‘servitization’, the outcome-based approach has been around for many years in fields like manufacturing. But with cybersecurity being a relatively young industry, it’s a new concept in this field. The idea is to seamlessly weave cybersecurity into the business fabric, positioning it as an enabler through which organizations can achieve their strategic objectives.
Companies are turning to an outcome-driven cybersecurity strategy to enhance business results, bolster resilience, and elevate productivity and competitiveness, all while safeguarding their operations. It’s a strategy that places the focus on tangible outcomes, helping in fending off unforeseen challenges and also positioning cybersecurity as a catalyst for business growth.
Transitioning to an outcome-based security model is much like changing your navigation method from traditional maps to modern GPS. The starting point is to establish clear goals that resonate with business ambitions, such as enhancing risk management, optimizing customer experience, or strengthening operational agility. One useful approach here is the ‘security canvas’, mapping out key initiatives, resources, and costs, and balancing them against opportunities, risks, and business outcomes.
As Forrester outlines, outcome-based security is all about harnessing capabilities that help to achieve these set objectives. This means that your risk management plans need to be in harmony with these organizational aims. Instead of seeing cybersecurity as a cost center, businesses should recognize its potential as a key driver of growth, helping the organization achieve key objectives such as securely rolling out new services or helping teams collaborate safely.
One significant roadblock organizations grapple with is the need for clear visibility into cyber threats. There’s minimal margin for error in cyber risk management, and stakeholders – from boards and investors to customers – demand a crystal-clear view of a company’s cybersecurity strategy. Yet, in a study, 41% of professionals have expressed difficulties in achieving this visibility.
Additionally, there’s the pressing issue of talent acquisition. Just over a third of businesses, 35%, find it challenging to hire skilled cybersecurity professionals without breaking the bank. Most importantly, this transformation calls for a fresh viewpoint. Instead of seeing cybersecurity as a cost center, businesses should recognize its potential as a key driver of growth, helping the organization achieve key objectives such as securely rolling out new services or helping teams collaborate safely.
With cutting-edge tools at their disposal, organizations can take the front foot, intercepting cyber threats before they snowball into larger crises, ensuring a smoother journey in the digital domain.
In a cyber context, this usually means the appearance of totally new technology or attack techniques. It is impossible to plan ahead for these ‘unknown-unknowns’. However, businesses that have a well-established security canvas will be better positioned to cope with radical uncertainty, while those still struggling to align business and security objectives will be more wrong-footed by the unexpected. Paul Brucianni, Cyber Security Advisor at WithSecure™ has an eclectic, largely unplanned early career working as a gold-prospecting geologist, satellite imaging specialist, system engineering consultant, barista, baker, and a teacher. He is a Fellow of the Chartered Institute of Information Security and a regular blogger on topics related to cybersecurity risk and uncertainty.