Expenditure for cyber security continues to rank very high in IT budgets. This year’s expenditure is expected to rise by 11% to around 188 billion dollars. While CISOs are purchasing more and more technology, the return on this – i.e., a satisfactory business advantage – remains unclear and elusive. As a result, top management is increasingly demanding an alignment of cyber security costs with business benefits – “outcome-based security” is the keyword that has become a new paradigm.
In today’s business climate, security experts must prove that their outlay is not a cost trap, but rather an investment that helps management to optimally reach its targets. Many analysts and experts now recognize this possibility and can relay practical tips on how to implement this approach.
Stronger resilience, improved competitiveness, and higher productivity
Forrester’s analysts have been studying this topic in great detail. They define “outcome-based security” as an approach that enables management to simplify cyber security to such a degree that only measurable business-relevant elements are presented. This approach uses cyber security measures to proactively support established business targets. The resulting improved business outcomes consist of three parts: stronger resilience, higher productivity, and improved competitiveness. Forrester carried out a study on behalf of Finnish cyber security company WithSecure. This study describes the current situation and gives recommendations on how security experts can overcome the challenges involved.
3 pillars on which cyber security measures can make a positive contribution to business:
- Stronger resilience. Secure and stable processes which adapt to cloud computing and offer greater business continuity.
- Improved competitiveness. New customers can be won more easily when customer experience, compliance, and company reputation are superior to those of their competitors.
- Higher productivity. Simplified, optimized, and sustainable security leads to fewer wasted resources.
As far as the current situation is concerned, it is apparent that outcome-based security has already largely arrived. Eighty-three percent of companies interviewed say they are, “interested in outcome-based security, are planning such an approach, or are planning to extend its introduction”. Included in the recommendations are some tangible guidelines on how to successfully introduce such an approach:
- Examine individual business targets and link them to your cyber security plans, the related threat model, and the relevant control measures.
- Outline your planned security measures in the form of business advantages that you can effectively deliver or enable.
- Ensure assessments and measures correlate directly to the business targets to be reached.
- Inform your procurement and legal departments that you are only going to purchase outcome-based security products in the future.
- Move away from systems that cannot contribute anything substantive to the desired results.
These are not all the measures by any means, but they illustrate the radical changes security experts need to adopt and implement in order to communicate with business managers on equal terms. For this purpose, a webinar is also available, in which Laura Koetzle, Vice President and Group Director at Forrester, and Christine Bejerasco, Chief Information Security Officer at WithSecure, give detailed insider views regarding the new approach.
WithSecure: 35 years’ experience in the field of Cyber Security
WithSecure is an experienced and reliable partner ready to address today’s complex cyber security concerns and challenges. IT service providers, managed security services providers, and many other companies share confidence in WithSecure. These organizations include large financial institutions, industrial organizations, and leading communication and technology suppliers. With its unique approach to outcome-based security, the Finnish security supplier is helping companies align security with operational procedures, securing processes, and preventing operational interruptions.
A seamless transition to outcome-based security will provide your organization with many advantages by producing better business results. Find more useful information on this topic, and a link to the Forrester report, here.