In the face of an ever-evolving threat landscape, businesses are having to tread the thin line between physical and cyber battlefields carefully, while managing rising costs and a turbulent economic environment. The past year has been particularly challenging, with large enterprises accounting for 40% of cyber incidents, according to our Security Navigator 2024 report.
The magnitude of these incidents, stemming from a larger, often sprawling, workforce and potentially conflicting perspectives by many stakeholders with their own priorities, underscores the need for a strategic reallocation of budgets and open discussions about the inherent risk versus cost challenges posed by potential cyber threats. It is against this context of complexity that we asked security leaders at our annual Orange Cyberdefense Summit what their business leaders want – what they really, really want – from their security teams to help deliver business outcomes.
Every organisation operates uniquely, from its strategic response to incidents to the culture it embraces and the technology it employs. This diversity in operations even stretches to teams in the same company, making alignment and prioritisation more challenging and emphasising the importance of effective communication. Hence the importance for security teams to understand what the business wants from them, as well as a clear view of how to deliver against those expectations.
As budgets remain tight, any lack of alignment will have a challenging impact on security teams, which are finding themselves at a crossroads. With senior decision-makers focused on tackling their own priorities, security staff are being tasked with keeping the business secure without impacting operations, and in many cases without the benefit of additional funding to tackle growing threats. In some cases, security budgets are even being cut – at least ‘in real terms’, given the impact of inflation.
When two become one
At our latest Summit, we discussed how to overcome these challenges by fostering conversations between business leaders and security teams. With inflation ongoing, GDP growth best described as ‘anaemic,’ and an ever-increasing global security skills gap, it’s never been more important that security professionals learn the language of the board to help them unlock the funding they need to deliver on their security goals within a framework that also supports business objectives.
Understanding wider business struggles and finding ways to provide support and relate them to their work is crucial. Ultimately, everyone’s goal is to minimise enterprise risk, so the security team should assist business leaders in thinking creatively about how finance, security, and business strategies align, and how security is fundamental to enable business as usual. This collaborative approach empowers security teams to have a say on the agenda, ensuring that security becomes an integral part of the solution rather than being perceived as a money pit that can be deprioritised. However, a consistent challenge for attendees at our Summit event was the means by which to quantify security risk, in order to support the business case for making new security investments.
Spice up your life
Amidst the pressure to decrease risk, the adoption of AI emerges as a beacon of hope for cybersecurity teams. When combined with automation, AI becomes a powerful tool for proactively identifying and addressing vulnerabilities, which in turn offers strategic and competitive advantages when navigating the threat landscape. The current uncertainty has forced businesses to rethink their cybersecurity investments, emphasising the need for security personnel to secure a strategic role in the boardroom by delivering a meaningful impact on boosting security outcomes while maintaining, or even reducing, costs. Attendees at our summit agreed that the combination of automation with AI can be one means by which to achieve this goal.
However, discussions at our Summit highlighted a critical disparity in the adoption of generative AI tools such as ChatGPT. While some had embraced it, around three-quarters had it blocked for security reasons. The lesson here is clear: security teams need to enable tools such as generative AI through the development of ‘secure by design’ approaches, rather than blocking them wholesale regardless of the utility that they offer for the business.
However, to be successful in unlocking such ‘secure by design’ approaches to innovative new tools and technologies that can ‘spice up’ the growth ambitions of the business, security teams need to be supported by leadership teams who provide the freedom and finances to achieve this. This is critical because those businesses that can effectively adopt such tools will not only enhance their security posture, but also position themselves ahead of competitors who don’t.
To ‘viva forever’ and achieve true cybersecurity resilience, businesses must let security teams become an integral part of their corporate strategy. However, those teams must first earn their seat at the table by understanding the unique challenges faced by the wider business and tailoring their advice and reporting accordingly. By doing so, security will be able to proactively ensure that the business is secure by design.
The consistent theme that emerged from our Summit as the key means by which to achieve this goal was positioning security as an enterprise risk topic. A fundamental objective of the CEO and board of any company is to manage their enterprise risk posture, which requires them to settle on a risk appetite that drives their decision-making – and spending – around security. Risk appetite is unique for every organisation, dependent on a multitude of factors ranging from the individuals involved to the industry conventions and regulations they operate under and the culture that has developed.
Given the individuality of risk posture and risk appetite, an important opportunity for security leaders to prove their business credentials is to show their understanding of security as an enterprise risk management topic, using the right metrics to demonstrate the effectiveness of their current security environment against that appetite and to justify any new investments required accordingly. But, while easily said, adopting this metrics-driven approach to security risk is much harder to demonstrate. In fact, this is an area where security leaders at our summit were open to support from their partners in order to optimise their approach.
In conclusion, turbulent times call for businesses to reevaluate their cybersecurity strategies and to allocate budget to this accordingly. While some of the financial pressure can be mitigated with the integration of AI and automation, open discussions between business and security teams are pivotal to ensure security knows what the board really, really wants.