Adopting outcome-based security

A computer being guarded by cybersecurity.
(Image credit: iStock)

In the past, cybersecurity was a risk-management and compliance-driven activity focused on reactive practices and post-breach strategies. However, a reactive approach not only leaves organizations more vulnerable - moving from incident to incident - but also drains resources that could be better allocated elsewhere.

The threat landscape has drastically evolved in recent times and, as such, cybersecurity is not just about responding to threats, but also enabling core strategic functions within a business. From new service rollouts to adding value to the entire customer experience and enabling the workforce to be more productive and efficient, it’s the foundation for almost every business unit across an organization.

The challenge now is to unlock the real value that cybersecurity can deliver and closely and clearly connect cybersecurity with the wider business goals. Shifting to an outcome-based security approach is not just about defending against attacks, it’s also about delivering a real competitive advantage.

Cyber security drives business outcomes

Clearly linking security and business goals enables security leaders to demonstrate the true value of their investment. Forrester defines outcome-based cybersecurity as an approach that cultivates only those capabilities that measurably deliver desired outcomes, as opposed to traditional threat or ROI-based methods. By aligning risk with organizational priorities, business leaders can maximize their chances of mitigating cyber threats.

Key business outcomes to align with cybersecurity strategies include risk management, customer experience (CX), revenue growth, improved governance and compliance, and increased operational resilience. IT and security leaders need to demonstrate cybersecurity as a proactive strategy to achieve these business goals, rather than just a means to tackle incoming digital threats on a tactical level. In fact, our research found that over 40% of the decision-makers want to see reduced risk and improved customer or partner experience as a top cybersecurity goal.

Cybersecurity is a fundamental part of the customer experience. If a customer or partner’s data is compromised, buyers lose trust and companies can lose clients. Beyond data protection and privacy, customers also want a flawless experience when they interact with an organization, such as quick authentication and better mobile and web experiences, which is likely to increase their engagement with the business. This will ultimately lead to increasing revenue for the businesses.

Shifting away from a reactive security model and establishing cybersecurity as an enabler of business outcomes will create a “golden thread” to help organizations achieve and sustain their goals, while also reducing risk.

Paul Brucciani

Paul Brucciani is the Cyber Security Advisor at WithSecure.

Overcoming common challenges

As our recent commissioned study conducted by Forrester Consulting shows, the need for shifting to an outcome-based model is recognized by most IT and security decision-makers. However, organizations face several issues in aligning their cybersecurity priorities and business outcomes. The top challenges include visibility into cyber risks, finding the required skills and resources, and responding quickly and effectively.

40% of respondents in this study said their firm currently struggles to manage the complexity of the IT environment hindering its ability to align with business outcomes. This challenge will constantly grow as firms continue investing in different solutions, and responses to individual cyber incidents creates a fragmented technology landscape.

With the digital attack surface continuously expanding, this fragmentation is also increasing, making even the most basic tactical activities time-consuming and difficult to manage, as indicated by 37% of the respondents.

To address these challenges, organizations must adopt a structured approach to cybersecurity strategies that provides comprehensive visibility of the entire IT landscape, identifies risks, creates business value, and elevates performance.

Organizations should invest in advanced tools and technologies that provide real-time visibility into their network, enabling them to detect and mitigate threats before they escalate. Cybersecurity solutions are starting to use machine learning and artificial intelligence to enable organizations to better predict potential threats and respond more effectively.

Moreover, 34% of survey respondents cited the speed and effectiveness of response as key challenges, making it difficult to react to cybersecurity issues. This challenge is more pronounced for larger organizations with over 1,000 employees and those within the financial services sector. To address this issue, organizations should implement a robust incident response plan that outlines roles, responsibilities, and procedures for managing cyber security incidents. This plan should be regularly reviewed and updated to ensure its continued effectiveness.

Getting everyone on the same page

An outcome-based approach starts with reaching a consensus on business outcomes with your stakeholders and correlating these to your security investments, threat model, and security controls. These should clearly articulate how certain security investments would contribute to achieving these outcomes. This process requires explicit agreement from key stakeholders like the board and executive team.

Furthermore, security and IT leaders should reframe their communication with stakeholders. Shift from simply stating, "We’re implementing this security measure because it's superior" to specifying, "Here are the particular benefits we gain from this particular security measure." For instance, using risk-based authentication in e-commerce not only enhances security but also improves the customer experience by simplifying low-risk transactions.

Next, reassess your security maturity to ensure alignment with the outcomes you aim to achieve. The goal isn't perfect security but rather sufficient security. If achieving the highest level of maturity in a certain security area isn't necessary for your desired business outcomes, then don't pursue it.

Also, business leaders should work closely with procurement and legal teams for outcome-based security purchasing. Contracts for this approach will differ from traditional ones as vendors commit to delivering specific security outcomes, potentially capturing additional gains if successful. To prevent last-minute roadblocks, coordinate with your procurement and legal teams to address their queries in advance.

It’s also critical to encourage cross-departmental collaboration as security doesn't operate in isolation; it's a tool to support business objectives. Regular interaction with stakeholders beyond the security and IT teams offers valuable insight for aligning outcomes with the business.

Moreover, it’s imperative to audit your current security technology portfolio to ensure it's outcome-focused. Phase out any technology that doesn't contribute to your desired outcomes and redirect that expenditure towards your goals. Lastly, establish monitoring to confirm that your efforts are achieving the agreed outcomes. Maintain simplicity in measurement to avoid overemphasis on the metrics themselves.

By bringing everyone on the same page, promoting collaboration across departments, achieving greater visibility across the IT infrastructure, and establishing a culture of assessment, monitoring, and improvement, businesses can start transitioning to the much required outcome-based security model and align their critical business goals with proactive cybersecurity practices.

We've featured the best productivity tools.

Paul Brucciani is the Cyber Security Advisor at WithSecure with 20 years of business development, consulting and service delivery experience to global organizations amongst many sectors.