Beyond Traditional Cyber Defences: The Rise of Outcome-Based Security In Modern Business

By Paul Brucciani, Cyber Security Advisor at WithSecure™

Cyber security is no longer just about keeping systems and devices safe, it’s also become central in enabling business to achieve their strategic objectives.

Paul Brucciani, Cyber Security Advisor at WithSecure™, has important information about helping organisations overcome challenging times, and shedding light on how the outcome-based security mindset can be a game changer.

He offers this Q&A format presentation on Outcome-based Security in Modern Business.

How does shifting from a reactive approach to an outcome-based security approach enhance an organisation’s security posture?

Organisations are finding it increasingly tough to manage cyber threats. According to a study by Forrester, commissioned by WithSecure, 75% of organisations have placed cyber security on their priority list, influenced by a combination of global events, digital transformation and tightening regulations. However, adversaries constantly evolve their methods, catching many off-guard.

Even with budget hikes, 90% of global IT decision-makers are in a constant scramble to counteract these ongoing threats. Many companies are on the defensive, reacting to threats as they come. The study found that 60% of companies operate in this ‘fire-fighting’ mode, leading to a mismatch in team efforts, processes, and tech tools.

One way to get beyond this cycle is by embracing an outcome-based approach to security, which provides a clear direction for cyber security measures. This emphasises the outcome of cyber strategies, rather than security activity itself. Also known as ‘servitisation’, the outcome-based approach has been around for many years in fields like manufacturing. But with cyber security being a relatively young industry, it’s a new concept in this field.

The idea is to seamlessly weave cyber security into the business fabric, positioning it as an enabler through which organisations can achieve their strategic objectives. Companies are turning to an outcome-driven cyber security strategy to enhance business results, bolster resilience, and elevate productivity and competitiveness, all while safeguarding their operations.

It’s a strategy that places the focus on tangible outcomes a strategy which not only helps in fending off unforeseen challenges but also positions cyber security as a catalyst for business growth.

How does proactively prioritising and safeguarding critical business assets lead to a higher ROI?

Imagine driving with an outdated map and suddenly finding infrastructural advancements that have left you feeling lost. Transitioning to an outcome-based security model is much like changing your navigation method from traditional maps to modern GPS. The starting point is to establish clear goals that resonate with business ambitions, such as enhancing risk management, optimising customer experience, or strengthening operational agility. One useful approach here is the ‘security canvas’, mapping out key initiatives, resources, and costs, and balancing them against opportunities, risks, and business outcomes.

As Forrester outlines, outcome-based security is all about harnessing capabilities that help to achieve these set objectives. This means that your risk management plans need to be in harmony with these organisational aims. It’s not just about building walls but strategically placing watchtowers to see and counter potential threats.

Most importantly, this transformation calls for a fresh viewpoint. Instead of seeing cyber security as a cost centre, businesses should recognise its potential as a key driver of growth, helping the organisation achieve key objectives such as securely rolling out new services or helping teams collaborate safely. By doing so, not only can companies propel their development, but they can also elevate their stature in the marketplace, which leads to higher ROI.

What are some of the challenges organisations face when trying to align cyber security strategies with business outcomes?

One significant roadblock organisations grapple with is the need for clear visibility into cyber threats. There’s minimal margin for error in cyber risk management, and stakeholders – from boards and investors to customers – demand a crystal-clear view of a company’s cyber security strategy. Yet, in our study, 41% of professionals have expressed difficulties in achieving this visibility.

Additionally, there’s the pressing issue of talent acquisition.  Just over a third of businesses, 35%, find it challenging to hire skilled cyber security professionals without breaking the bank.

Alongside this, most cyber threats are time-sensitive, and organisations find themselves in a tricky spot, often unable to respond promptly due to this limited visibility. This has further hindered the synchronisation of cyber security efforts with broader business objectives.

Cyberspace can be likened to a rapidly growing city, with new constructions popping up every day, making the landscape more intricate. 37% of professionals have pointed out how this expanding digital territory makes even the most fundamental cyber security tasks challenging. So, how do we navigate this bustling cityscape?

Organisations must adopt a well-structured cyber security roadmap, offering a bird’s-eye view of their entire IT territory, pinpointing potential hazards, delivering business benefits, and enhancing operational efficiency. Investing in cutting-edge tools is key. These digital watchdogs, powered by machine learning such as artificial intelligence, keep an eye on your network in real-time and foresee potential threats. With such tools at their disposal, organisations can take the front foot, intercepting cyber threats before they snowball into larger crises, ensuring a smoother journey in the digital domain.

One other challenge to consider is dealing with radical uncertainty – unexpected events that cannot be anticipated. In a cyber context, this usually means the appearance of totally new technology or attack techniques. It is impossible to plan ahead for these ‘unknown-unknowns’. However, businesses that have a well-established security canvas will be better positioned to cope with radical uncertainty, while those still struggling to align business and security objectives will be more wrong-footed by the unexpected.

About the Author

Paul Brucianni, Cyber Security Advisor at WithSecure™

“My cyber security career began shortly after the World Wide Web was invented. I am a cyber security advisor at WithSecure, one of Europe’s largest cyber security companies, headquartered in Helsinki.

I have an eclectic, largely unplanned early-career working as a gold-prospecting geologist, satellite imaging specialist, system engineering consultant, barista, baker and a teacher. I am a Fellow of the Chartered Institute of Information Security and a regular blogger on topics related to cyber security risk and uncertainty.”

Paul can be reached online at LinkedIn and at our company website www.withsecure.com