Why executives are drilling down on security ROI and business disruption
The operational chaos of last year is accelerating a number of cybersecurity trends. And as companies pushed their infrastructure to the cloud, Zero Trust security and other security frameworks became top priorities.
In addition, executives are more focused on connecting cybersecurity with business priorities. Over the last year, business continuity rose to become the top concern, while companies also increased their focus on whether the security team is delivering the most bang for the business’s buck.
Security return-on-investment (ROI) and the security team’s ability to stay within budget has also become more important this year, according to the 2021 Signals in Security Report, a newly released survey of more than 600 security professionals. Read more about these insights in the 2021 Signals in Security Report. Click here to download the full report.
Amongst the different metrics executives hold security teams accountable, only measures of ROI and ability to stay within their budget increased by 3 percentage points in 2021, this is no small measure especially for security teams covering more attack surfaces with less budget.
Common operational metrics, such as the number and severity of vulnerabilities detected, how efficient teams were in fixing issues, and how long issues were in the IT environment all declined in 2021. The ability to stay within budget tied with the number of vulnerabilities found as the No. 2 accountability metric, still behind the severity of vulnerabilities found.
The focus on metrics that matter to the business matches the overall trend of companies gauging the impact that security has on the business. Case in point: The top cybersecurity concern for executives and workers is no longer data breaches but business downtime. Less than a sixth of respondents listed data breaches as their top worry, a drop of 5 percentage points in the past year, while 17% of respondents listed business downtime as their biggest cybersecurity concern, an increase of 3 points.
Worries of business interruption were likely exacerbated by the economic turbulence caused by the pandemic—and from the shift to the trend among cybercriminals toward favoring ransomware over stealing data. Two separate reports noted that the absolute number of breaches declined in 2020—19% in one report and 48% in another—and the number of people affected by breaches dropped by two-thirds. At the same time, ransomware attacks doubled in 2020, compared to the previous year.
Business executives also likely felt more vulnerable in 2020, because the firms now have a greater reliance on cloud infrastructure—rather than on-premise technology—to power their operations, requiring greater visibility and coverage to maintain business operations. Most companies scaled back capital (83%), operations (53%) and workforce (49%) expenses in 2020, while keeping a focus on digital transformation and cybersecurity, with only 16% and 3% of companies considering cutting the budgets for those areas, according to consultancy PricewaterhouseCoopers.
The result is that companies will focus on increasing cloud infrastructure with an eye toward business resiliency and tracking metrics to determine security efficiency.
Executives should adopt a continuous approach to security that matches the cloud-native approach to business applications and infrastructure. Visibility into cloud services and infrastructure should be considered mandatory.
For security teams, orchestrating tests around peak demand, for example, can reduce the risk of overloading applications and infrastructure. In addition, the security team should have an automated process—a “one button” approach—to restore operations in the event of an outage.