Cybersecurity is often out of sync with business goals, according to a study conducted by Forrester Consulting, which found 97% of organizations face challenges in trying to align cybersecurity priorities with business outcomes.
More than nine in 10 respondents (93%) said their organizations struggle with measuring their cybersecurity performance in relation to business outcomes.
The challenge of aligning cybersecurity and business goals was most pronounced in the financial services and insurance (47%) and media, entertainment and leisure (also 47%) industries, followed by the retail and wholesale (43%) and utilities and telecommunications (38%) verticals.
Piyush Pandey, CEO at Pathlock, explained that cybersecurity is often aligned with preventative measures and is considered successful when nothing happens to the company.
“Business outcomes are focused on something occurring: revenue increases, cost savings, efficiency gains,” he said. “These two things are therefore often considered conflicting.”
However, Pandey said, investment in cybersecurity priorities (often via CISO initiatives) results in companies more effectively passing audits (cost and reputational savings) or avoiding breaches (tangible cost and reputational savings).
“Aligning cybersecurity priorities with business outcomes is a matter of rethinking the value we find in cybersecurity and showing executive leadership how this meets business goals,” he said.
Geoff Haydon, CEO at Ontinue, said it’s a “sad reality” that truly effective communication between business and cybersecurity teams has always been notoriously hard to achieve, despite their leaders’ best efforts and intentions.
“The unfortunate result is the inability to fully align these priorities due to a lack of understanding,” he explained. “Often, the objectives of the business side are not clearly translated into actionable strategies for the cybersecurity team, leading to misalignment.”
Haydon added that not all organizations have such misalignment issues: Those that recognize cybersecurity as a business enabler that lets their workforce work from anywhere, or as critical to their digital transformation efforts, tend to have better outcomes.
According to the study, the alignment challenges fall into three main categories: conflicting goals, complexity of the environment and privacy requirements.
“Adhering to privacy requirements is obviously a complicated issue for most businesses,” Haydon said. “Privacy requirements often impose restrictions on how data can be handled, which may be at odds with business strategies that require more open data utilization.”
He pointed out that this conflict forces businesses to balance adhering to privacy norms while pursuing aggressive business strategies.
“It’s a complicated and ongoing effort that organizations will likely always have to keep a pulse on,” he said.
From Pandey’s perspective, security leaders and business leaders must work together, collaborate and establish transparency to align cybersecurity and compliance initiatives with business objectives.
“In today’s complex digital landscape, there is more of a direct link than ever between cybersecurity best practices and successful business outcomes,” he said.
For example, many industries and governments require stringent regulatory compliance from organizations to do business in certain markets, from the federal government and defense to financial services and critical infrastructure.
“There are numerous best practices organizations should implement to break down the barriers between security and business leaders,” he said. “First, cybersecurity must be viewed as a top priority by board-level decision makers.”
This means that CISOs must have a seat at the table for all board meetings and cybersecurity initiatives should be proactively discussed and addressed at every board meeting.
Second, Pandey said organizations must accept that proactive cybersecurity best practices and sufficiently funded cybersecurity teams and programs are not cheap and never will be.
Haydon noted that companies that recognize cybersecurity as a business enabler tend to have better cross-functional alignment and are more likely to achieve their business outcomes.
“Effectively balancing security precautions with the business needs of an organization is vital to ensuring business continuity,” he said. “Working closely together ensures a mutual understanding of the goals and restrictions each team faces.”
This fosters a collaborative environment where strategies are formulated to consider both business objectives and cybersecurity safeguards, promoting a more harmonious and effective operational strategy.
“The stakes are just too high for more complacency,” Haydon noted. “Given the increasing prevalence of cybersecurity threats and the rapid digital transformation that many businesses are undergoing, it’s never been more important for organizations to tightly align their business and cybersecurity strategies.”