Most security leaders have been regularly hit with the common question, “How secure are we?” from a business executive or board member. Despite the simplicity of the question, the answer is complex, and requires more than sharing a spreadsheet of the vulnerabilities that have been tackled this week. Quantifying and communicating an organization’s level of cyber risk in terms business leaders can understand remains a challenge for security leaders, one that can impede cybersecurity investments as an organization grows.
Ninety-four percent of global organizations have experienced at least one business-impacting¹ cyberattack in the past year, according to a recent study conducted by Forrester Consulting and commissioned by Tenable. The study, which surveyed 416 security and 425 business executives at mid-size to large enterprises, also revealed a disconnect between the expectations of the business and the realities facing security leaders. As organizations shift to remote work in the midst of the COVID-19 pandemic, identifying cyber threats across the attack surface—and understanding which of these presents the greatest risk to the business—becomes increasingly challenging. In addition, security leaders need to be prepared to justify their investments in the face of a potential economic downturn as the result of prolonged lockdowns. With cybersecurity now a topic receiving increased board-level scrutiny, security leaders can expect to face growing pressure to demonstrate results to the business.
Evolving to Business-Aligned Security Leadership
The study aimed to identify key challenges and help security leaders initiate a meaningful dialog with their business counterparts. From its findings, four key themes emerged:
- Cybersecurity threats thrive amidst a climate of uncertainty. Forty-one percent of decision makers reported that their firms had experienced at least one business-impacting cyberattack related to COVID-19 in the prior 12-month period, as of April 2020.
- There is a disconnect in how businesses understand and manage cyber risk. Fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. Only half of security leaders (51%) say their security organization works with business stakeholders to align cost, performance, and risk reduction objectives with business needs. Only four in 10 security leaders (43%) report they regularly review the security organization’s performance metrics with business stakeholders.
- Business leaders want a clear picture of their organizations’ cybersecurity posture, but their security counterparts struggle to provide one. Just four out of 10 security leaders say they can answer the question, “How secure, or at risk, are we?” with a high level of confidence.
- Cybersecurity needs to evolve as a business strategy. This can’t happen until security leaders have better visibility into their attack surface. Just over half of security leaders report that their security organization has a holistic understanding and assessment of the organization’s entire attack surface, and fewer than 50% of security organizations are using contextual threat metrics to measure their organizations’ cyber risk. This means their ability to analyze cyber risks and to prioritize and execute remediation based on business criticality and threat context is limited.
The study further shows that when business and security leaders are able to achieve alignment, the business benefits are significant. For example, the study found that business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers. This type of leader is also eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations’ level of security or risk.
Tackling cyber risk and alignment amongst leadership starts with the right combination of people, technology, data, and processes. Some organizations start by appointing leadership: organizations that have tight alignment between business and security are 2.3 times more likely to have a BISO or similar executive. From there, many organizations move to implementing strategic security solutions, analyzing vulnerability data based on risk, establishing an escalation and remediation process, and communicating results and risk in business terms. While there is no “one-size-fits-all” approach to understanding and communicating risk, we can start by working together as an industry to begin formulating the kinds of business risk metrics that will be most meaningful to C-level business leaders.
¹“Business-impacting” relates to a cyberattack or compromise that resulted in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.