Date: 2023-04-05

Cybersecurity must be proactive, not reactive. The mantra repeated by computer security experts is well known but not yet assimilated into the practices of most companies, according to a new study ("The value of putting security outcomes first") conducted by Forrester Consulting on behalf of WithSecure (the IT service provider formerly known as F-Secure Business). The problem with the reactive approach, Forrester points out, is that it not only makes organizations less effective at protecting themselves, but also less efficient at investing in cybersecurity and aligning investment with business outcomes.

Indeed, 83% of those interviewed said they intend to implement, or are already in the process of expanding, results-based security solutions and services, but 60% currently take a reactive approach, reacting to individual cybersecurity problems as they arise. The percentage is even higher in manufacturing companies (71%), while financial services, a highly regulated sector, are just over 50%.

Reactive cybersecurity: why it's a problem

Regardless of industry, respondents admit that the reactive approach is problematic for their organizations. 90% claimed to have difficulty reacting to cybersecurity problems when they arise. This happens despite the fact that cybersecurity budgets are growing: in fact, 71% of respondents agree that they spend more on cybersecurity every year.

Visibility into cyber risks, sourcing the necessary skills and resources, and the ability to respond quickly and effectively were the most common challenges highlighted by respondents.

“Today, most investments in cybersecurity are aimed at reducing cyber risks. However, the problem arises when the risks that are mitigated are not the most important ones for the results that the company wants to achieve. This can lead to a total disconnect of cybersecurity investments from the enterprise or a lack of funding of cyber security,” explained Christine Bejerasco, Chief security officer of WithSecure.

Outcome-based cybersecurity

For this study, Forrester conducted an online survey of 409 IT and cybersecurity decision makers in organizations in the USA, Japan, UK, France, Germany, Finland, Denmark and Sweden to evaluate approaches to cybersecurity. The study took place between November 2022 and December 2022.

Outcome-based cybersecurity, the analysts note, is an approach that allows managers to simplify cybersecurity by cultivating only the capabilities that measurably deliver desired outcomes, versus traditional threat-based, activity-based, or ROI-based methods.

The most common outcomes that respondents want security to support include: risk management, with 44% of respondents wanting to reduce risk to achieve their cybersecurity goals; customer experience, with 40% of respondents wanting security to improve customer experience; and revenue growth, highlighted by 34% of the interviewees.

While many respondents were clear about the outcomes they would like to achieve through security, only one in five organizations reported having complete alignment between cybersecurity priorities and business outcomes.

The obstacles to overcome

Numerous hurdles complicate efforts to align cybersecurity with business outcomes, including, but not limited to, managing a complex IT environment, managing conflicting business and cybersecurity goals, and maintaining the desired outcomes of sensing technologies.

Assessing the ability of security priorities to support business outcomes has also been problematic. In particular, 42% of companies do not have a sufficient understanding of the maturity of their current state and of their target state, against which to evaluate the value of security. 37% expressed difficulty measuring the value of cybersecurity and 36% encountered difficulty in acquiring coherent and significant data. 28% found it difficult to overcome the security paradox of communicating value (investments in effective security result in fewer opportunities to demonstrate value), and 23% experienced difficulty translating cybersecurity metrics into something meaningful to the board.

