Cybersecurity has been on board agendas for at least a decade, but the recent coronavirus outbreak puts a spotlight on the disconnect between executive understanding of cybersecurity and their organization’s actual capabilities.
“The stories that we’ve seen during the COVID-19 outbreak are the latest example highlighting the failed approach to cybersecurity that many organizations take,” says Paul Proctor, Distinguished VP Analyst, Gartner. “While executives were focused on ensuring compliance and stopping hackers, simple opportunities like enabling secure remote access technologies — which have a much larger business impact — were ignored. Now, organizations are scrambling to catch up.”
The opportunities missed during the coronavirus outbreak are just the most recent example of how often the disconnect between security and business outcomes is underestimated. Organizations should focus on creating adequate, reasonable, consistent and effective controls in a business context.
The COVID-19 disconnect should create a wakeup call for CIOs, CISOs and IT executives about the critical need to address cybersecurity in a business context and as a business decision. But IT leaders can build an executive narrative to change how cybersecurity is treated in their organization.
Address failing cybersecurity approaches
Many organizations take an ineffective approach to cybersecurity. These failed approaches lead to poor decisions and bad investments. Here are the four key challenges that limit cybersecurity’s business impact.
1. Societal perception is that cybersecurity is a technical problem, best handled by technical people.
This results in a lack of engagement with executives, unproductive exchanges and unrealistic expectations. Ultimately, it leads to poor decisions and bad cybersecurity investments.
2. Organizations ask the wrong questions about cybersecurity.
Questions like "How much should I spend on cybersecurity?" or "How can I comply with regulations?" don’t reflect the organization's level of protection. These misplaced questions drive attention away from improved priorities and better investments.
3. Current investments and approaches designed to address limitations are not productive.
Organizations are focused on new approaches that have great promise, but through a combination of failed execution and poorly set expectations, these investments only delay the activities that would actually improve cybersecurity. For example, many companies use quantification to present risk and security in terms of money (is that a $5 million risk or a $50 million risk?) and likelihood of damage (what is the percentage chance of getting hacked?).
However, these calculations are often based on assumptions and “expert opinion” that essentially dictate the result, rather than real quantitative business assessment. Using the veneer of quantification to get what you want does not support improved cybersecurity.
4. Real failures are not getting enough attention to productively change behavior.
For instance, the manufacturer of a medical monitoring device ignored cybersecurity in the development of its internet-connected product to cut costs and speed up production time. The foundational software was riddled with vulnerabilities, and once those vulnerabilities were discovered, cybercriminals exploited the devices to deploy ransomware. This rendered the devices unusable to medical professionals and created a critical shortage during a time of peak need.
This disconnect between executive decision making and effective cybersecurity should encourage both business and security leaders to focus their attention on new ways to approach the problem.