Can you achieve strong cyber resilience without sacrificing business goals?
January 20, 2022
When I conducted our State of Cyber Resilience research earlier this year, we repeatedly heard about conflicting agendas between business and cybersecurity leaders. A CISO we spoke to described it succinctly, “When I first started, one of the things I heard from a business leader was, ‘Well, you guys stop us from doing everything.’”
That sort of “us and them” thinking is not new. Although our research found that an organization’s cyber resilience is strongest when the security and business sides of an enterprise work together, making that happen is not always easy. Our research shows that business and cybersecurity leaders need to be aligned on strategic planning, product development, customer interactions and a host of other areas critical to achieving business objectives.
But how often is this concept of alignment happening in organizations? And what happens when visions are aligned? Can it provide a foundation for more secure operations without sacrificing growth and speed to market?
We decided to test it, as part of this year’s State of Cyber Resilience research program.
For us researchers, it was a challenging hypothesis to measure. Companies define alignment differently, as do individuals within an organization. There are many players: CEOs, CFOs, Board Members and other executive leaders who have different ideas about how cybersecurity can enable rather than hinder business objectives.
We wanted to find out: How does alignment affect your company’s ability to achieve its desired business and cyber outcomes?
Our research showed that bringing cybersecurity closer to the business doesn’t significantly hinder organizations from achieving their business objectives. Not only that, but already resilient companies can further improve their resilience through alignment. For example, companies that met our criteria for both alignment and resilience—our “cyber champions”—showed a 10% improvement in finding attacks in less than a day, and were more likely to increase the number of “no-impact” breaches than companies that do not align—72% versus 64%, respectively.
We also found that contrary to conventional wisdom, alignment does not appear to be a significant roadblock to business growth. In chart 2, we compared companies focused strictly on business over cyber (“cyber risk-takers”) and all other companies and measured their expected performance in key business objectives.
We found that cyber risk-takers were slightly more likely to achieve business objectives than all respondents.
However, this came at a huge cost to their cyber resilience. Compared to cyber champions, cyber risk-takers are:
Companies with a strong CISO and good cybersecurity outcomes that are not well aligned with their business segments should push for better strategic connections across their organization’s leadership structure. Consider steering committees tasked with improving cybersecurity across all business segments, more frequent red teaming and tabletop exercises, and continuously developed training programs on cyber hygiene and awareness. We heard this again and again in our conversations with CISOs.
For example, the Global Head of Cybersecurity Architecture at a global bank said, “I chair a cyber steering committee, where cyber sits at the table with all our capabilities and rights. We raise questions: Has it gone through a risk assessment? Has it gone through a vendor risk assessment? How is the encryption done? What about our identity and access management? This is standardized, very well-defined and nobody can bypass the process.”
One CISO we spoke with underscored the importance of placing responsibility for cyber resilience across the organization rather than only with those in charge of cybersecurity. “It is essential to get people up to speed, have training sessions, and make it clear that, you know what? It’s not just IT or security that’s involved with incident response. Legal, compliance, communications…they all have roles to play as well,” the CISO explained. “Very important roles, especially if you have to notify a regulator, authority, the police or anyone else. They can’t just sit on the sideline.”
As the profile and importance of cybersecurity rises within organizations, and as the practice of measuring cyber resilience matures, we will continue to test the impact of cyber + business alignment on outcomes. Our preliminary research suggests alignment is good for the entire organization. And it’s not just between business and cybersecurity leaders. When an organization holistically embraces an aligned vision, business thrives.