
Reactive approach to cyber procurement risks damaging businesses

Too many organisations are following a reactive approach to cyber security, which WithSecure believes is stifling security teams' ability to demonstrate value and align with business outcomes

Too many organisations are taking a reactive approach to procuring cyber security services and solutions, reaching for the phone only after a problem has arisen, and thus hindering the ability of security pros to demonstrate value and properly align with business outcomes, according to a study published today by WithSecure.

Produced alongside analysts at Forrester Consulting, the study highlights the need for organisations to consider so-called outcome-based security in their procurement, which the study authors believe will ultimately improve resilience, competitiveness and productivity.

Outcome-based security – which is not a new term by any means – is best described as an approach that allows organisations to simplify their cyber security by cultivating only the capabilities that can measurably deliver the outcomes they want as a business, rather than the traditional threat-based, activity-based or return-on-investment-based methods.

The most common business outcomes that respondents wanted security to support included risk management, customer experience, and revenue growth – but only one in five respondents claimed that their security priorities and business outcomes were fully aligned.

“Today, most cyber security investments are aimed towards the reduction of cyber risks. However, the problem arises when the risks that are being mitigated are not the ones that are most important for the outcomes the business wants to achieve,” said WithSecure chief security officer Christine Bejerasco.

“This could either result in cyber security investments being completely disconnected from the business or cyber security not getting the appropriate funding at all.”

The study found that there is appetite for such an approach. Indeed, 83% of the organisations that responded said they were either interested in, planning to adopt, or expanding their adoption of outcome-based security services and solutions. However, this desire has yet to translate into reality, with 60% saying that they mostly reacted to individual cyber security problems as and when they arose.

The demand for outcome-based security was further reflected in the finding that 90% of respondents struggled with their existing reactive approach, and respondents overwhelmingly agreed that this was a problem for them. Among the challenges they cited in following a reactive path were a lack of visibility of cyber risks, an inability to find the skills and resources they needed, and difficulty responding quickly and effectively to incidents.

But that is not to say that there are no obstacles inherent in realigning towards outcome-based security. Some of the challenges raised in the research included managing a more complex IT environment, working out how to cope when cyber and business goals come into conflict, and maintaining the results already being delivered by existing detection technologies.

Assessing how well security priorities actually support business outcomes could prove equally problematic, WithSecure found. The significant challenges highlighted included an insufficient grasp of current and target-state maturity against which security value can be assessed; difficulty measuring security value in general; capturing consistent and meaningful data; overcoming the paradox that truly effective security leaves fewer opportunities to demonstrate meaningful value; and, finally, translating often complex security metrics into something the board can understand.

The full paper, The value of putting security outcomes first: Rethink cyber security to amplify resilience, productivity and competitiveness, can be downloaded from WithSecure.
