The report suggests that structural processes are key to aligning goals, and most security teams (62%) already meet regularly with their business counterparts at the highest level. Furthermore, 54% of companies have embedded security team members within business functions. Despite this, more than a third (33%) of respondents reported that alignment is ad hoc and only ‘happens when needed.’ Fewer than half (48%) of organizations document policies and procedures to facilitate alignment, which indicates that, while some organizations have good security programs in place, there is still room for improvement.
The survey has revealed that metrics used to measure and demonstrate the value that cybersecurity delivers are still primarily linked to technical or activity-based figures. The number of prevented attacks (31%) was cited as the most important measure of success, followed by meeting compliance objectives (29%) and reducing costs of security incidents (29%). The report suggests that executive leaders need to think of cybersecurity not only in terms of ticking the compliance box or protecting the company but also in terms of the value it can deliver at a more strategic level. Communication between business and security teams is vital in this regard.
The report highlights the importance of building out business skillsets in security teams. Technical skills were rated above skills such as communication, collaboration, business acumen, and managing people. However, nearly a third (31%) believed that making the business case to the Board and C-Suite was a gap in their own skillset. Communication skills were also identified as an area for improvement by 30% of respondents.
The report concludes that alignment between cybersecurity and business goals is essential for success. Ensuring common agreement across business functions is vital, and metrics that demonstrate the impact on business outcomes should be used. While strong technical skills are still important, security leaders need the ability to communicate, influence, and present the value they add to business outcomes more frequently than ever. Security leaders that demonstrate a mix of skills and have the same end goal in sight as the business are a force to be reckoned with.
In conclusion, the report highlights how misaligned goals between business and security teams can result in negative consequences, including increased cyber-attacks, delays in investments, and unnecessary increases in spending. To achieve better alignment between cybersecurity and business goals, organizations should build out business skillsets in security teams and focus on common agreement across business functions, where metrics are used to demonstrate impact on business outcomes. Ultimately, communication between business and security teams is key to successful cybersecurity, and security leaders need the ability to communicate, influence, and present the value they add to business outcomes.