More than 50% of IT security decision makers do not see cybersecurity as a business priority and regard it as important only for compliance and regulatory requirements, according to a new study.
61% "Overlook" Cybersecurity
Delinea, a privileged access management provider, surveyed 2,000 security decision makers, 61% of whom believe that their company’s leadership “overlooks” the role of cybersecurity in business success. Only 39% of them think that their board of directors and C-suite have a “sound understanding” of cybersecurity’s role as a business enabler.
The survey results underscore the impact of “misalignment” between the cybersecurity function and the wider business, Delinea said.
Here are more findings from the report:
- 89% of respondents said the disconnect between cybersecurity and business goals resulted in negative consequences. And more than 26% said it resulted in an increased number of successful cyberattacks at their company.
- The impact of misaligned goals on cybersecurity was wide-ranging, as it contributed to delays in investments (35%), delays in strategic decision making (34%), and unnecessary increases in spending (27%).
- 31% of respondents reported that the disconnect impacted the whole security team in terms of stress.
- Global economic uncertainty has worsened the situation, with 48% stating that aligning cybersecurity and broader business goals is becoming more difficult to achieve as a result.
Metrics and Processes Don’t Focus on Business Outcome
- 62% of security teams meet regularly with their business counterparts at the highest level.
- 54% of companies have embedded security team members within business functions.
- 48% of organizations document policies and procedures to facilitate alignment, and 33% reported that alignment is ad hoc and only happens when needed.
- The number of prevented attacks (31%) was cited as the most important measure of success, followed by meeting compliance objectives (29%) and reducing costs of security incidents (29%).
Joseph Carson, chief security scientist and advisory chief information security officer at Delinea, explained that the research reflects that there is still some work to be done at the board level to shift mindsets:
“Executive leaders need to think of cybersecurity not only in terms of ticking the compliance box or protecting the company, but also in terms of the value it can deliver at a more strategic level. Building out business skillsets may provide the path to better alignment. However, respondents listed technical skills as the most valuable for cybersecurity leaders to possess. These are rated above skills such as communication, collaboration, business acumen, and managing people.”
Aligning Cybersecurity with Business Goals
- Nearly a third (31%) of respondents believed that making the business case to their board and C-suite was a gap in their own skillset, while communication skills were recognized as an area for improvement by 30% of respondents.
- 27% of IT security decision makers believe the CISOs or the most senior cybersecurity leaders should report to the CEO to best align cybersecurity with the overall goals of the business.
Commenting on the importance of aligning cybersecurity with business goals, Carson said:
“Alignment between cybersecurity and business goals is essential for success. This research clearly highlights the negative consequences when teams’ objectives aren’t fully in sync. Ensuring common agreement across business functions is vital and there is a real value in metrics that not only measure security activity, but which also demonstrate the impact on business outcomes.”