The disconnect between security and business goals had negative consequences for 89% of respondents and increased the success of cyber attacks in one in four companies
SAN FRANCISCO, May 9, 2023 /PRNewswire/ -- Delinea, a leading provider of solutions that seamlessly extend Privileged Access Management (PAM), today announced findings from a global survey of over 2,000 IT Security Decision Makers (ITSDMs) revealing the impact of the mismatch between the cybersecurity function and the broader business.
When asked about the Board and C-Suite’s understanding of cybersecurity across the organization, only 39% of respondents felt that their company’s management had a good understanding of the role of cybersecurity as a business enabler. Over a third (36%) believe it is only considered important in terms of compliance and regulatory requirements, while 17% say it is not seen as a business priority.
The divergence between business goals and security objectives appears to have caused at least one negative consequence for 89% of respondents’ organizations, with more than a quarter (26%) also reporting that it has led to an increased number of successful cyber attacks at their company.
The impact of misaligned goals on cybersecurity was wide-ranging, contributing to investment delays (35%), strategic decision-making delays (34%) and unnecessary cost increases (27%).
There were also consequences for the people themselves, with 31% of respondents reporting that it affected the stress levels of the entire security team. In addition, global economic uncertainty has exacerbated the situation, with half of respondents (48%) saying that aligning cybersecurity and broader business objectives is becoming increasingly difficult to achieve as a result.
Metrics and processes do not focus on business results
Structured processes are key to aligning goals and, encouragingly, the survey revealed that most security teams (62%) meet regularly with their top-level business counterparts. Additionally, 54% of companies have security team members embedded in business functions. However, the research showed that there is still room for improvement, with less than half of organizations (48%) documenting policies and procedures to facilitate compliance, and a further third of all respondents (33%) reporting that compliance is ad hoc and only “happens when needed.”
The report also revealed that the metrics used to measure and demonstrate the value that cybersecurity delivers are still closely tied to technical or activity-based figures. For example, the number of attacks prevented (31%) was cited as the most important measure of success, followed by meeting compliance goals (29%) and reducing security incident costs (29%).
“Cybersecurity can be a huge factor for businesses, but this research reflects that there is more work to be done at board level to change attitudes. Executives need to think about cybersecurity not just in terms of ticking a box for compliance or protecting the company, but also in terms of the value it can deliver at a more strategic level,” said Joseph Carson, chief security scientist and CISO consultant at Delinea.
Building the Board Business Case: ITSDM Skills Gaps and Changing Reporting Lines
Building a business skill set can provide the path to better alignment, but respondents cited technical skills as the most valuable skills that cybersecurity leaders possess. They are valued over skills such as communication, collaboration, business acumen and people management.
Nearly a third (31%) believe that making the business case to their board and executive team is a gap in their own skill set, while communication skills are recognized as an area for improvement by 30% of respondents.
Aligning goals also includes reviewing reporting lines and visibility at the CEO level. However, the Delinea survey suggests there is little appetite for change in reporting structures, as only 27% of ITSDMs believe that CISOs or top cybersecurity leaders should report to the CEO to best lead cybersecurity in line with the overall objectives of the business.
“Alignment between cybersecurity and business goals is critical to success. This research clearly highlights the negative consequences when teams’ goals are not fully synchronized. Ensuring common agreement across business functions is vital, and there is real value in metrics that not only measure security activity, but that also demonstrate the impact on business outcomes,” Carson added. “Communication is key, and while strong technical skills are still important, security leaders need the ability to communicate, influence and deliver the value they add to business outcomes more often than ever. Security leaders who demonstrate this combination of skills and who have the same end goal visible as the business are a force to be reckoned with.”
For more information, insights and guidance, download a free copy of the full report at https://delinea.com/resources/aligning-cybersecurity-and-business-outcomes
Notes to the editors
The results are from an online survey conducted by Sapio Research on behalf of Delinea during March 2023. 2,007 IT and security professionals in 23 countries, representing a variety of decision makers, responded.
Delinea is a leading provider of Privileged Access Management (PAM) solutions for modern, hybrid enterprises. The Delinea platform seamlessly extends PAM by providing authorization for all identities, providing access to an organization’s most critical hybrid cloud infrastructure and sensitive data to help reduce risk, ensure compliance and simplify security. Delinea removes complexity and defines access boundaries for thousands of customers worldwide. Our customers range from small businesses to the world’s largest financial institutions, intelligence agencies and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter and YouTube.
© Delinea Inc. (formerly Centrify Corporation) 2023. Delinea™ is a trademark of Delinea Inc. All other trademarks are the property of their respective owners.