How secure or at risk are organisations from cyberattacks? Only four out of 10 security leaders can answer this question with a high level of confidence. The Rise of the Business-Aligned Security Executive, a commissioned study conducted by Forrester Consulting on behalf of Tenable, surveyed over 800 security and business leaders. Its findings are sobering, with 94% of respondents confirming their organisation had suffered one or more business-impacting cyberattacks in the last year — that is, an attack resulting in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. Roughly two-thirds (65%) said these attacks involved Operational Technology (OT) assets. Multiple attacks were not uncommon, with 46% confirming they’d weathered five or more business-impacting cyber events in the last 12 months.
The same study found that 68% of respondents said they’d experienced an increase in the number of business-impacting cyberattacks in the last two years. When looking to the future, 77% of respondents expect an increase in cyberattacks over the next two years.
Cybersecurity needs to mature as a business risk strategy
In order to protect themselves against such attacks in the future, business leaders need a clear picture of how vulnerable their company is and how risk changes as business strategies are planned and implemented. The study results show that 75% of global business and security executives only ‘partially’ align their strategies. Current developments make it clear that security and business managers must start to pull together.
So, what has to change? It is difficult for security leaders to get a comprehensive picture of weaknesses in the company without the proper people, processes and technology. It’s vital that they are able to identify which services and applications are critical to the business and then focus on them. To minimise the impact on their business, they need to work closely with their business partners and set priorities together.
Currently, fewer than 50% of security leaders worldwide frame the impact of cybersecurity threats within the context of a specific business risk. This must change quickly. Forward-thinking companies recognise the need to include cybersecurity in all business issues, decisions and investments. In fact, the study found that, when security and business leaders are aligned, they deliver positive results. Business-aligned security leaders are eight times as likely as their more siloed peers to be highly confident in their ability to answer the question, ‘How secure or at risk are we?’
The only way to thrive is to include cyber considerations in every business question, decision and investment. Instead of talking about vulnerability reduction or offering tactical metrics about controls, business-aligned security leaders will confidently evaluate the vulnerabilities that are critical to the assets with the greatest effect on the business. They will frame risk reporting in terms the business understands: customer churn as a result of a data breach, or spoiled goods if a production line fails. This enables security leaders to provide an unambiguous, authoritative answer when business leaders ask, ‘How secure, or at risk, are we?’