A recent survey of cybersecurity decision-makers by Delinea explored how effectively organisations are aligning cybersecurity with the wider goals of the business, and how security leaders measure and demonstrate the value of their work.
Researchers found that, while there was widespread recognition of the significance of business and security alignment, organisations often fail to look at cybersecurity through the business lens – thus failing to recognise its role in supporting objectives and driving competitive advantage.
Joseph Carson, Chief Security Scientist at Delinea, provides an analogy to hammer home this apparent oversight.
“Imagine two drivers on parallel roads, each travelling towards their end point,” he says. “They make their way towards their destination, yet their paths never quite converge.
“For many enterprises, cybersecurity programmes and business objectives are like these roads, with teams progressing towards their respective goals but rarely intersecting. This lack of cohesion can hold back an organisation in an era of digital transformation and escalating cyber threats.
“Moreover, misalignment between cybersecurity and business objectives can not only impact the resilience of a business, but also impede its ability to grow and thrive.”
Carson’s belief is that a huge opportunity lies ahead for cyber leaders to communicate the impact of their security programmes and demonstrate the value they provide as business enablers.
The business impact of disconnection
Failing to achieve alignment can have significant consequences for businesses, asserts Carson.
In fact, the vast majority (89%) of respondents in Delinea’s research reported at least one negative impact from the misalignment of cybersecurity and business objectives in the past 12 months, with more than a quarter (26%) revealing it had resulted in an increased number of successful cyber attacks.
Moreover, without alignment, it can be harder for CISOs to secure the necessary funds for their initiatives, with around a third (35%) reporting they had struggled with delays in investment.
The fact is, the role of cyber leaders is becoming more complicated by the day, as Carson explains.
“Cybersecurity leaders are of increasing strategic importance within organisations and must simultaneously handle multiple demands,” he adds. “They must oversee routine activities such as patch management and regulatory compliance with larger transformational projects such as implementing a zero-trust strategy, while poised to respond to a potential cyber attack which could strike at any time.
“Each of these activities comes with its own metrics to track, such as the number of attacks thwarted, time to resolve issues and progress in meeting compliance and auditing objectives. While these metrics are vital in demonstrating the effectiveness of security controls and pinpointing areas of improvement, they only tell half of the story as cybersecurity activities also support business outcomes such as revenue, cost savings, growth and the user experience.
“However, it may be unclear how cybersecurity can contribute, and reaching a consensus on what success looks like is key.”
Priorities differ between roles and companies
Delinea’s research shows that the metrics used to demonstrate the value of security measures – and how those metrics are prioritised – vary with company size and the level of responsibility of the individual concerned.
“CISOs generally focus more on measuring the technical and operational aspects of cybersecurity,” Carson states. “This may be due, in part, to the fact many security decision makers are too busy ‘fighting fires’ to address business goals as well.
“Meanwhile, individuals with wider organisational responsibilities, such as CEOs, tend to emphasise measuring broader aspects such as ‘user experience’ and ‘reducing friction’.”
Delinea also discovered that ROI and economic value are more significant for companies with fewer than 1,000 employees. With smaller budgets, there is an even greater need to make every penny count.
However, the research also highlighted metrics which are important across various roles, such as reducing risk and the time and cost of rolling out solutions and strategies.
“This common ground is a good starting point for building alignment between security and business goals,” Carson continues, “but enterprises should also consider adopting new metrics that directly connect cybersecurity objectives with the wider organisation's business success.”
Getting objectives alignment right
Carson says the first step to aligning security and business objectives is identifying assets, systems and services that will cause significant business disruption if they are compromised or offline.
This opens up possibilities in terms of defining metrics that gauge the impact of security controls on those assets’ availability, confidentiality and integrity.
“Leaders should directly link technical metrics, such as preventing attacks, with business outcomes like productivity or service uptime, to draw a clear parallel,” Carson explains.
“When a service is down due to a security issue, the financial and operational cost is clear. So, cybersecurity results should be measured by the cost of doing nothing, versus the cost of doing something.”
Carson’s take is that organisations should be setting metrics based on their unique risk profile, security capabilities and objectives, while taking into account baseline metrics such as risk management, compliance, business continuity, cost and productivity.
“Focusing on these areas provides the best chance of accurately assessing the effectiveness of cybersecurity strategies in business terms,” he adds.
Communication is key
It goes without saying that communication and collaboration have a big part to play in achieving closer alignment.
Cultivating stronger ties between security teams and other parts of the organisation, such as teams dealing with risk management, product development and sales, inevitably helps to build greater understanding of the link between business needs and technical decisions.
“Every assessment, board report and communication with the wider business needs to include the message that cybersecurity is about more than simply protecting resources – it is there to help achieve strategic business goals,” Carson concludes.
“Ultimately, by providing a clear view of the business value security activity is delivering, it will be far easier for CISOs to achieve the buy-in and investment they need to keep the business secure.
“We must start to transition from being focused on cybersecurity to business security.”