Today, security professionals tend to lag behind events because they work reactively. Security company WithSecure advocates a new approach in which the desired outcome drives the process. Should your company also focus on result-oriented security?
Christine Bejerasco gets straight to the point during an online keynote: “Today’s cybersecurity landscape is more complex than ever.” The CISO of WithSecure, F-Secure’s B2B arm, wants to point out that we use so many technologies that it is almost impossible to keep them all secure. Just look at communication: we make video calls via Teams or Zoom, chat with colleagues via Slack, send messages with WhatsApp, and for the “digital dinosaurs” there are still classic emails and text messages.
Every technology is a potential gateway for cybercriminals. As a result, security professionals are under constant pressure to protect their employers and colleagues. According to WithSecure, it is imperative to question the current way of working in cybersecurity. The solution to the complex security puzzle lies in “results-based security”.
Firefighters
The role of today’s security expert is comparable to that of a firefighter, explains Bejerasco. He or she is on permanent standby, ready to move out as quickly as possible if a digital fire breaks out anywhere in the organization’s IT environment. This way of working is reaching its limits: the number of security risks the average organization has to deal with has grown so large that it is almost impossible to respond to everything in time. As a result, the number of cyber attacks increases every year.
Nothing strengthens an argument like a study from a reputable research institute, so WithSecure commissioned Forrester. The security company recently announced the results of this investigation. A survey of more than 400 companies from eight countries (Belgium and the Netherlands were not part of the sample) shows that six out of ten companies approach cybersecurity reactively.
Regardless of the industry, the vast majority of respondents believe that the reactive approach is problematic for their organizations. Ninety percent of them said they face challenges simply responding to cybersecurity issues. The biggest problem with this reactive approach is insufficient risk visibility, and a lack of human resources and skills to respond quickly and appropriately is also an increasingly pressing issue.
Security professionals are like firefighters. They have to be constantly on standby to turn out if a fire breaks out somewhere.
Christine Bejerasco, CISO at WithSecure
From reacting to strategic thinking
The cybersecurity world has of course not been idle and is constantly looking for strategies to deal with this increasing complexity. In recent years we have seen different approaches: threat management gave way to asset management, which puts devices at the center of security, and then to risk management, which states that the most serious threats should be prioritized so that available resources are used as efficiently as possible.
While each of these visions claims to be groundbreaking, security can only be effective when security teams and C-level executives are on the same page. The WithSecure study shows that this is the exception rather than the rule. Only one in five companies reported that cybersecurity priorities and business outcomes were fully aligned. As a result, seven out of ten increase their security investments annually without seeing the benefits.
Results-based security is the next step in this evolution, WithSecure believes. Bejerasco made it clear during the press conference that the company does not intend to reinvent the wheel or jettison all previous approaches. The underlying idea is that cybersecurity becomes a fundamental part of business strategy.
This approach aims to let business leaders simplify cybersecurity by investing only in those solutions that measurably deliver the desired results. This should have a positive effect on the resilience, competitiveness and productivity of the organization. So much for the WithSecure marketing pitch.
“This vision is actually an admission that the cybersecurity market is not keeping businesses safe,” said Paul Brucciani. “There are hundreds of companies selling security solutions today. Little information is available to customers to compare the quality of these solutions. The primary goal of many security vendors is to get products to market quickly, not necessarily the security of whoever is buying the product.”
Six steps to a result-oriented approach
It sounds logical on paper, and every business leader will claim that they already think in terms of results. So why is this philosophy only now finding its way into cybersecurity? According to the study, there are numerous obstacles that complicate efforts to align cybersecurity with business outcomes.
We list some of the obstacles identified in the study. 42 percent said they did not have sufficient visibility into current and intended outcomes against which to test security value, while 37 percent had difficulty measuring outcomes. Translating cybersecurity numbers into relevant insights for the entire organization is also proving to be a difficult hurdle.
Implementing a results-based security strategy consists of six steps. Brucciani: “First you have to know what to defend the organization against; it is impossible to protect against a potential risk. From there you can set a strategy and set clear parameters to test it. Then you can see what solutions fit into that strategy. With this knowledge, you can review the contracts with your security vendors and eliminate redundant technologies. Finally, it is important to measure and report on whether you are achieving your goals.”
The cybersecurity industry fails to keep businesses safe. There are hundreds of companies selling solutions. There is little information available to customers to compare quality.
Paul Brucciani, Head of Product Marketing at WithSecure
Look in the mirror
The demand for a more results-oriented approach will force all players in the security industry to look in the mirror, Brucciani continues. “This is the chance to make the security market fairer. A study from 2020 already made it clear that customers need more clarity. Customers don’t care how you protect them as long as you do it. Security shouldn’t be about products or services, it should be about getting results.”
The offerings on the cybersecurity market could therefore look very different in a few years. Brucciani firmly believes this: “Our research shows that companies are willing to spend up to six percent or more of their operating profit on cybersecurity if it gives them the desired results. Customers want to buy results, not products. Security vendors will need to adapt their products accordingly. New regulations are coming that will make suppliers much more liable for cybersecurity failures.”
WithSecure’s vision sounds very relevant in the context of the European Cyber Resilience Act. It places higher demands on providers of hardware and software and also obliges them to have independent security tests carried out and to communicate transparently about the results. Europe can help open the door to a new era of cybersecurity in which technology serves outcomes, not the other way around.