For far too long, business leaders have viewed cyber security through a narrow lens of risk and threat management. The focus has been on inputs - investments in the latest tools, staff, and controls to keep out attackers. But while such capabilities are needed, this mindset fails to connect cyber security efforts to actual strategic business value.
Security teams often take a tactically reactive approach, chasing after each new type of malware or attack. They get lost in the weeds of bolting on the latest AI system or advanced firewall. Yet rarely do they step back to ask, "How are these efforts helping us achieve our most important organizational goals?"
Not asking this fundamental question is why security teams sometimes struggle to justify resources, maintain long-term strategic focus, or enjoy an influential seat at the executive table. To elevate cyber security's strategic business role, security leaders must fundamentally shift focus toward defining and achieving positive outcomes that align with and enable priority business objectives.
Outcomes refer to the tangible results effective security delivers, such as:
Reduced financial impact from attacks
Faster detection and response to incidents
Increased customer trust and loyalty
Higher productivity by preventing downtime
In contrast, inputs are investments made to secure the organization, like tools, technologies, training, and personnel. Inputs are crucial building blocks. But outcomes are what actually gets achieved from those investments.
Think of inputs vs. outcomes like driving a car. Advanced airbags, braking, and navigation capabilities are valuable inputs. But if you don't know where you're going - your destination - those features don't offer much value. Security teams need clarity on where they're driving the organization. The outcomes provide that direction.
The most effective approach I've found for defining strategic cyber security outcomes is working backward. This technique begins by envisioning your end goal and then determining what needs to happen to get there step-by-step.
For example, envision it's one year from now, and you want minimal business disruption from cyber incidents. What are some measurable outcomes that would demonstrate you've achieved that goal? Those could include:
20% faster average incident response
Less than two hours of downtime from cyber attacks per quarter
Zero ransomware payments
With these defined, you can now work backward to understand the capabilities and resources needed to realize those outcomes. What tools or skills would reduce response time and downtime? What access controls and backups would eliminate ransom payments?
The working backward approach provides clarity and focus. You start with the business destination in mind rather than getting lost in reactive tactics.
A common struggle in justifying cyber security investments is linkage to what matters for the business. Security leaders must tie outcomes directly to priority organizational goals and objectives.
For example, if top-level goals include rapid expansion into new markets and accelerated product development, relevant outcomes could be:
Launch a secure online platform for new markets in 9 months
Reduce delays in product release cycles due to security issues by 30%
This ensures security efforts are positioned as an enabler, not a roadblock. Resources spent on capabilities that help support or drive key outcomes are far easier to justify.
Outcomes must also be quantifiable through metrics and KPIs. Rather than stating, "We will reduce risk," define that as "Lower our overall cyber risk score from 78 to 68 within one fiscal year". This allows actual measurement of progress.
Metrics that cascade across technical, financial, and business factors are ideal:
Technical: Faster threat detection, fewer software vulnerabilities
Financial: Lower costs from breaches and incidents
Business: Higher revenue due to customer trust and uptime
Performing a benefits realization analysis can further quantify upside in areas like improved productivity, brand reputation, and compliance.
Once clear outcomes are defined, the real work starts - figuring out the right mix of people, tools, and technologies to make those outcomes a reality. This demands tightly linking security strategy with on-the-ground execution.
New technologies like AI and automation can help immensely, but only if deliberately focused on moving the needle on specific target outcomes, whether faster response times or fewer breaches. Otherwise, even the most advanced tools become unused budget-gobblers.
Sometimes, the best move isn't buying the hot new cyber capability but streamlining or removing tools that have become distractions. Consolidating duplicative vendors onto a unified platform can free up budget and potentially bandwidth previously wasted on integration and maintenance.
Continuously tracking progress through metrics provides crucial feedback to refine approaches and investments. If specific capabilities aren't advancing priority outcomes, they may need to be rethought or reallocated. This measurement fuels an agile, evolving security strategy.
The focus remains fixed on actualizing the defined destinations that create business value. With that North Star guiding decisions, security leaders can confidently navigate the winding road ahead.
Shifting cyber security's focus toward enabling outcomes over acquiring inputs is critical for elevating its strategic role. Business leaders need security teams to be accountable for tangible results that support the organization's mission.
This outward focus on positive business impact also builds crucial internal partnerships across IT, finance, marketing, legal, and other groups. It fosters collaboration to drive security outcomes that enhance objectives enterprise-wide.
Finally, focusing on outcomes provides clarity even in chaotic times. New threats will emerge; investments will carry risk. With these defined destinations rooted in business needs, security leaders can confidently navigate the road ahead.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
John Engates — @jengates
Field CTO, Cloudflare
After reading this article you will be able to understand:
The difference in cyber security outcomes vs. inputs
The need to shift security’s role from risk management to strategic driver of business value