WithSecure: We need to shift to outcome-based cyber security

Paul Brucciani has worked in cyber security for over two decades, gaining experience that spans marketing, business development, consulting, and service delivery across a spectrum of industries, including the legal, financial services, telecoms, energy, and governmental sectors.

He has been working with the WithSecure team for the past three years, initially joining the company as the Head of Sales Enablement. In his current role as Head of Product Marketing, his responsibilities include market analysis, shaping product marketing strategies, and developing user-friendly outcome-based cyber security service propositions. 

Brucciani takes pride in demystifying complex cyber security concepts, ensuring they are accessible to everyone without resorting to industry jargon and is passionate about simplifying the cyber security space for businesses and individuals.

What are outcome-based security measures, and why are they so important?

Outcome-based security offers a straightforward path for cyber security measures to navigate the unpredictable cyber threats. It focuses on the results of cyber security strategies rather than the security activities themselves. 

The goal is to seamlessly integrate cyber security into the fabric of the business, so that it becomes a facilitator for achieving core objectives. Outcome-based security measures are gaining importance as they enable an organisation to clearly align its strategic goals with its cyber security practices. This shift is pivotal in aiding companies to attain their broader business objectives. 

Outcome-based security offers a dual advantage. Firstly, it allows us to assign a measurable financial value to our IT security investments. Secondly, it motivates cyber security vendors and suppliers to commit wholeheartedly to fulfilling company-specific needs. This collaborative partnership ensures vendors are dedicated to helping businesses achieve desired outcomes, as their own financial income depends on meeting these goals.

Companies like Rolls Royce also use outcome-based security. Rolls Royce's transition from selling jet engines to offering "power by the hour" serves as an example of the effectiveness of outcome-based thinking in cyber security.

There’s a notable drive towards outcome-based security in the industry, with organisations increasingly recognising its value. Our research highlighted that 83% of participants expressed interest in or actively planning to adopt outcome-focused cyber security services and solutions to align with their business objectives. 

Why do you think traditional cyber security methods are no longer working as well? 

Cyber security has evolved significantly over the years, and distinct phases have marked this evolution. In the early 2000s, the focus was predominantly threat-based and input-driven. The prevailing message was, "Buy our Anti-Virus; it's the best at blocking known threats." This approach primarily revolved around identifying and countering specific threats.

Subsequently, we transitioned towards output-oriented solutions that adopted a risk-based approach. Companies promoted their products with the promise of generating reports on malicious activities and blocking certain types of emails. While this approach had its merits, it often led to increased workloads for security teams.

However, the current cyber security landscape has shifted its focus, and the key question now is, "What do customers want in terms of security outcomes?". Regardless of their existing security infrastructure, the emphasis is on understanding how security can empower businesses to achieve their goals.

This shift embodies the essence of outcome-based cyber security. As defined by Forrester, it's a strategy that empowers business leaders to streamline cyber security by nurturing capabilities that demonstrably deliver desired outcomes. This approach distinguishes itself from traditional threat-centric, activity-based, or ROI-driven methods. Organisations are increasingly drawn to it not only as a means to mitigate risks but also to achieve their business objectives. 

How can businesses shift their cyber security focus? 

Understanding an organisation's cyber security maturity is essential in moving towards an outcome-based approach. But it does come with challenges. Almost half of the respondents in our research acknowledge that their company lacks a clear grasp of their current and target-state maturity levels for evaluating their security postures, which can hinder progress.

Another critical aspect is measuring the value that cyber security strategies bring to the table in supporting broader business goals, however our research revealed this is also a challenge for 37% of respondents. 

Additionally, capturing consistent and meaningful data as a recurring obstacle. Security leaders often struggle with obtaining reliable data when evaluating how effectively their cyber security priorities contribute to business outcomes. Having the right data and insights is vital for informed decision-making regarding cyber security strategies, policies, and approaches, and allows security leaders to showcase their achievements in a data-driven manner.

Furthermore, security heads often struggle to explain the complexity of potential threats to executive leadership or boards in language and metrics that make sense to them. And if cyber security risks can’t be explained in terms of their business impact, it can prevent security teams from securing the investment they need. 

WithSecure has recently announced new capabilities to help organisations better manage security risks. Can you talk about some of these and what the company is doing to help mitigate threats? 

We’ve continued to develop our cloud-based platform to help organisations better deal with an increasingly hostile cyber threat landscape.

We know that flexibility is one of the key requirements from organisations and they need tailored solutions which meet their individual business needs. We can deliver this through our platform which includes modules such as Endpoint Protection and Vulnerability Management, so that users can add and remove new capabilities as their circumstances change. 

Our platform is continuously updated to ensure that our clients are equipped with the security capabilities they need, both today and in the future. Additionally, we've expanded the Elements platform to incorporate Co-Monitoring and Cloud Security Posture Management solutions. The Co-Monitoring service offers 24/7 access to world-class threat analysts, bridging the gap for companies that may have limited budgets or resources, but which still need to have round-the-clock monitoring of their digital estate.

Finally, our Cloud Security Posture Management solution offers invaluable support to organisations navigating the complexities of cloud migration. It provides visibility into potential misconfigurations within their Azure and AWS cloud infrastructures and provides actionable guidance on how to remediate these issues effectively.

************************************************

For more insights into the world of Cyber - check out the latest edition of Cyber Magazine and be sure to follow us on LinkedIn & Twitter.

Other magazines that may be of interest - Technology Magazine | AI Magazine.

Please also check out our upcoming event - Net Zero LIVE on 6 and 7 March 2024.  

************************************************

BizClik is a global provider of B2B digital media platforms that cover Executive Communities for CEOs, CFOs, CMOs, Sustainability leaders, Procurement & Supply Chain leaders, Technology & AI leaders, Cyber leaders, FinTech & InsurTech leaders as well as covering industries such as Manufacturing, Mining, Energy, EV, Construction, Healthcare and Food.

BizClik – based in London, Dubai, and New York – offers services such as content creation, advertising & sponsorship solutions, webinars & events.

************************************************