Reactionary approach to security hindering businesses

Organisations follow a reactive approach to cyber security which is stifling their progress in demonstrating value and aligning with business outcomes, according to a new commissioned study conducted by Forrester Consulting on behalf of WithSecure.

83% of respondents surveyed in the study were interested in, planning to adopt, or expanding their adoption of outcome-based security solutions and services. However, the study also found that most organisations currently approach cyber security on a reactive basis. 60% of survey respondents said they react to individual cyber security problems as they arise.

There was some variance according to industry: 71% of manufacturers highlighted this reactivity, compared to just over half of the highly regulated financial services sector.

Regardless of industry, respondents overwhelmingly felt the reactive approach was problematic for their organisations. 90% of them said they struggle with challenges when they react to cyber security problems as they arise. This was in spite of the fact that cyber security budgets are growing, with 71% of respondents agreeing that they spend more on cyber security each year.

Visibility of cyber risks, finding the required skills and resources, and responding quickly and effectively, were the most common challenges highlighted by respondents.

“Today, most cyber security investments are aimed towards the reduction of cyber risks. However, the problem arises when the risks that are being mitigated are not the ones that are most important for the outcomes the business wants to achieve. This could either result in cyber security investments being completely disconnected from the business or cyber security not getting the appropriate funding at all,” explained WithSecure Chief Security Officer Christine Bejerasco.

According to the Forrester study, outcome-based cyber security is an approach that enables business leaders to simplify cyber security by cultivating only those capabilities that measurably deliver their desired outcomes, as opposed to traditional threat-based, activity-based, or ROI-based methods.

The most common outcomes that respondents wanted security to support included risk management, with 44% of survey respondents wanting to reduce risk to meet their top cyber security goals; customer experience, with 40% of respondents wanting security to improve customer experience; and revenue growth, which was highlighted by 34% of respondents.

While many respondents had clear outcomes they’d like security to help them achieve, only one in five organisations claimed to have complete alignment between cyber security priorities and business outcomes.

Numerous obstacles complicate efforts to align cyber security with business outcomes, including but not limited to managing a complex IT environment, handling conflicting cyber security and business goals, and maintaining the desired results of detection technologies.

Assessing how well security priorities supported business outcomes was equally problematic. Significant challenges highlighted by respondents included:

- 42% had an insufficient understanding of current and target state maturity against which security value should be assessed.

- 37% expressed difficulties in measuring cyber security value.

- 36% were challenged by capturing consistent and meaningful data.

- 28% found challenges in overcoming the security paradox when communicating value (investment in effective security results in fewer opportunities to demonstrate value).

- 23% encountered challenges in translating cyber security metrics into something meaningful to the board.

The study, The Value Of Putting Security Outcomes First: Rethink Cybersecurity To Amplify Resilience, Productivity, And Competitiveness, is available at https://www.withsecure.com/security-outcomes (no registration required).