A report reveals gaps between business needs and cybersecurity planning. (Source: Forrester Consulting for WithSecure)

Companies Fail to Understand Best Way to Use Cyber Security Programs Before Buying Them

There is a vast difference between tactical and strategic approaches to a problem. A tactical approach relates to or consists of actions carefully planned to gain a specific military end. A strategic approach identifies long-term or overall aims and interests and the means of achieving them. In short, these are short-term and long-term plans.

According to a recent report from the cybersecurity firm WithSecure and Forrester Consulting, many companies report that their security tends to be reactive rather than proactive. The two firms interviewed people from more than 400 companies about their approaches to cybersecurity.

“According to Forrester, outcome-based security supports business goals rather than merely reacting to perceived vulnerabilities. It enables business leaders to simplify cybersecurity by ‘Cultivating only those capabilities that measurably deliver their desired outcomes as opposed to a traditional threat, activity-based, or ROI-based methods,’” said WithSecure’s report.

The report said a more holistic approach to cybersecurity should strive for outcomes related to risk management, customer experience, resilience, and visibility of the threat surface and risks. The outcomes should also pertain to skills, resources, and response speed and agility (Figure A).

The article from techrepublic.com details the report’s questions and the answers businesses seek from cybersecurity tools and services.

Survey respondents cited some of the biggest security challenges: visibility into cyber risks, finding the required skills and resources, and responding quickly and effectively.

The report outlined the gap between cybersecurity needs and how to best use the systems purchased:

  • Only 20% of respondents said their organization has complete alignment between cybersecurity priorities and business outcomes.
  • 75% of respondents said cyber-risk management is receiving increased attention from the board of their organizations.
  • 60% of firms are willing to spend 6% or more of their operating profit to achieve the benefits they see in adopting an outcome-based approach for cybersecurity investments.
  • 50% of firms struggle to measure cybersecurity value and have trouble articulating the contribution of security to business outcomes.

Paul Brucciani, cybersecurity adviser and head of product marketing for solutions at WithSecure, said that outcome-based cybersecurity is a way both to align cybersecurity execution with business goals and to reduce clutter and redundancy in security solutions and tactics.

“Cybersecurity is a massive business; depending on how you define the market there are 10,000 cybersecurity companies in the world which creates a noisy marketplace, and many of those companies are venture capital backed, so their job is to get to market as fast as possible. As a consequence it creates a market that is difficult to navigate, with the added challenge of measuring quality: Buyers have no way of assessing the quality of what they are being sold,” Brucciani said.

Brucciani said that the current market for cybersecurity Software as a Service itself constitutes a “market for lemons,” a term coined by economist George Akerlof to describe a circumstance in which the market is peppered by good and bad products and the buyer is hobbled by an inability to discern which is which.
