SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Cybersecurity often overlooked by business leaders: Delinea
Thu, 11th May 2023

Delinea, a solution provider that seamlessly extends Privileged Access Management (PAM), has announced findings from a global survey revealing the impact of misalignment between the cybersecurity function and broader business. Over 2,000 IT security decision-makers (ITSDMs) were polled, including respondents from Australia, New Zealand, Singapore, Malaysia, India, Taiwan and Hong Kong.

Asked about the understanding of cybersecurity across the organisation, only 39% of respondents said their company's leadership understands cybersecurity's role as a business enabler. Over a third (36%) believe it is considered important only in terms of compliance and regulatory demands, while 17% said it is not seen as a business priority.

The disconnect between business and security goals appears to have caused at least one negative consequence for 89% of respondents’ organisations, with more than a quarter (26%) also reporting it resulted in an increased number of successful cyber-attacks at their company.

The impact of misaligned goals on cybersecurity was wide-ranging, as it contributed to delays in investments (35%), delays in strategic decision-making (34%), and unnecessary increases in spending (27%).

There were also consequences for the individuals themselves, with 31% of respondents reporting it impacted the whole security team in terms of stress. Furthermore, global economic uncertainty has worsened the situation, with half of those surveyed (48%) stating that aligning cybersecurity and broader business goals is becoming more challenging to achieve as a result.

Structural processes are key to aligning goals, and encouragingly, the survey revealed that most security teams (62%) meet regularly with their business counterparts at the highest level.

Additionally, 54% of companies have embedded security team members within business functions. However, the research showed there is still room to improve, as less than half of organisations (48%) document policies and procedures to facilitate alignment, and a further third of all respondents (33%) reported that alignment is ad hoc and only happens when needed.

The report also highlighted that metrics used to measure and demonstrate cybersecurity's value are still strictly linked to technical or activity-based figures. For example, the number of prevented attacks (31%) was cited as the most important measure of success, followed by meeting compliance objectives (29%) and reducing the costs of security incidents (29%).

“Cybersecurity can be a huge business enabler, but this research reflects that there is still some work to do at the board level in shifting mindsets. Executive leaders need to think of cybersecurity not only in terms of ticking the compliance box or protecting the company, but also in terms of the value it can deliver at a more strategic level,” says Joseph Carson, chief security scientist and advisory chief information security officer (CISO) at Delinea.

Building out business skill sets may provide the path to better alignment. However, respondents listed technical skills as the most valuable for cybersecurity leaders to possess. These are rated above skills such as communication, collaboration, business acumen, and managing people.

Nearly a third (31%) believed that making the business case to their Board and C-Suite was a gap in their skill set, while communication skills were recognised as an area for improvement by 30% of respondents.

Aligning goals also involves reviewing the reporting lines and CEO-level visibility. However, the Delinea survey suggests little appetite for change in reporting structures, as only 27% of ITSDMs believe the CISOs or the most senior cybersecurity leaders should report to the CEO to align cybersecurity with the overall goals of the business.

“Alignment between cybersecurity and business goals is essential for success. This research clearly highlights the negative consequences when teams’ objectives aren’t fully in sync. Ensuring common agreement across business functions is vital and there is a real value in metrics that not only measure security activity, but which also demonstrate the impact on business outcomes,” adds Carson.

“Communication is key, and while strong technical skills are still important, security leaders need the ability to communicate, influence and present the value they add to business outcomes more frequently than ever. Security leaders that demonstrate this mix of skills, and that have the same end goal in sight as the business, are a force to be reckoned with.”