As the saying goes, if you want to manage something, you need to measure it.
In our annual global survey, we researched how well cybersecurity programs are aligned to business goals. We studied how 2000+ cybersecurity decision-makers around the world, in enterprises with over 500 employees, make decisions that impact their success as business enablers.
As part of the study, we took a hard look at how cyber leaders measure and communicate the impact of their efforts. We learned that while cyber decision-makers recognize that business alignment is important, they typically aren’t measuring their efforts through a business lens. Without shared metrics, cyber teams have a harder time gaining consensus for their decisions, budget for their programs, and a seat at the executive table.
In fact, 89% of survey respondents told us they suffered at least one negative impact in the past year due to lack of cybersecurity and business alignment.
The research shows that cybersecurity program performance is still primarily judged based on technical or activity-based metrics. These metrics can include the number of prevented or contained attacks, meeting compliance and auditing objectives, or whether a deployment is completed on time and on budget.
Indeed, these types of metrics are important because they provide insight into the effectiveness of security controls and allow teams to identify areas for improvement. However, they’re not the only factors that determine the success of a cybersecurity program.
Cybersecurity is ultimately about supporting strategic goals of the business. Therefore, cyber leaders must also prioritize business outcomes such as economic value, growth, revenue, cost savings, user experience, and impact on other teams.
The research shows that how survey respondents prioritize metrics varies by company size as well as level of responsibility.
For example, measuring overall ROI/economic value is more important to smaller companies under 1,000 employees.
It’s not surprising that leaders with broad organizational responsibility, such as CEOs/Owners, are more concerned with measuring user experience and reducing friction than CISOs are. It’s interesting to note, however, that Director levels/Departmental leaders also emphasize business metrics such as economic value/ROI.
To attain business enablement goals, cybersecurity team objectives and individual MBOs (Management by Objectives) or OKRs (Objectives and Key Results) must be tied to business success and tracked on an ongoing basis.
Cybersecurity leaders can start by identifying the most critical assets and systems that need to be protected for the business to continue to operate and serve its customers and partners. Next, set metrics that measure the impact of security controls on the availability, confidentiality, and integrity of those assets.
Consider adopting a more risk-based approach to security, in which technical metrics are used in conjunction with business outcomes to inform decision-making. This means identifying the most significant risks to the business and then focusing resources on mitigating those risks, rather than pursuing technical metrics for their own sake.
To achieve this vision of cybersecurity and business alignment, it’s essential to improve communication and collaboration with other parts of the organization, such as risk management, operations, product development, and sales. By working closely with these stakeholders, you’ll gain a better understanding of the business context behind technical decisions and resource requests, so you can align your activities and priorities accordingly.
Consider the following metrics in measuring how well cybersecurity achieves business goals:
By using these types of metrics, you can assess the effectiveness of your cybersecurity strategy in enabling your organization to achieve business goals and make informed decisions about investments in cybersecurity resources.
To learn more about the current state of cybersecurity and business alignment, download the complete research report: The Impact of Business Alignment on Cybersecurity Effectiveness: Global Survey of Cybersecurity Leaders. You’ll see what 2000+ cybersecurity decision-makers said about the best organizational structures, training, and communication strategies to achieve both business and cybersecurity goals.