The attacks on Indian organizations have increased in the past two years, yet only four in 10 security leaders in India have a clear picture about how much at risk, or how secure their organizations are. Most Indian organizations (97%) have experienced a business-impacting cyberattack in the past 12 months, according to both business and security executives. And 76% of respondents in India have witnessed a dramatic increase in the number of business-impacting cyberattacks over the past two years. The data is drawn from “The Rise of the Business-Aligned Security Executive,” a commissioned study of more than 800 global business and cybersecurity leaders, including 54 local respondents, conducted by Forrester Consulting on behalf of Tenable, a Cyber Exposure company.
“Business-impacting” relates to a cyberattack or compromise that results in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.
Unfortunately, these business-impacting cyberattacks had damaging effects, with organizations reporting identity theft (44%), financial loss or theft (38%), and ransomware payout (33%). 67% of security leaders in India say these attacks also involved operational technology (OT).
Business leaders want a clear picture of how much at risk they are and how that risk is changing as they plan and execute business strategies. But only four out of 10 of local security leaders say they can answer the fundamental question, “How secure, or at risk, are we?” with a high level of confidence, despite the prevalence of business-impacting cyberattacks.
Speaking to CISO MAG, Adam Palmer, Chief Cybersecurity Strategist at Tenable, said, “Many security leaders use the heat matrices, the red, amber, green (RAG) scores to try to describe risk to the business leaders. This is really IT talk. Every organization I worked at did this. RAG scores do not say anything to really quantify the risk or help people understand the reduction in risk. How can a business leader make a decision, based on a color in RAG scores? There is a gap in communication between how IT people speak (technical or ambiguous) and the expectations of business leaders: quantitative understanding of risk.”
Global findings for business-impacting cyberattacks
Looking at global respondents, fewer than 50% of security leaders said they are framing cybersecurity threats within the context of a specific business risk. For example, though 96% of respondents had developed response strategies to the COVID-19 pandemic, 75% of business and security leaders admitted their response strategies were only “somewhat” aligned.
“The heart of it is really the lack of partnership between the security and the business leaders. There’s not enough alignment of metrics and objectives with business strategic priorities. I see that organizations report risk in a very qualitative language. This is not the language of business leaders. They have to consider industry benchmarking frameworks and accurately report it to the business. In times like today, with the pandemic, it is more important than ever for business leaders to understand their level of risks,” added Palmer.
Organizations with security and business leaders who are aligned in measuring and managing cybersecurity as a strategic business risk deliver demonstrable results. Compared to their siloed peers, business-aligned security leaders are:
- Eight times more likely to be highly confident in their ability to report on their organizations’ level of security or risk.
- 90% very or completely confident in their ability to demonstrate that cybersecurity investments are positively impacting business performance, compared with 55% of their siloed counterparts.
- 85% equipped with metrics to track cybersecurity ROI and impact on business performance, versus just 25% of their siloed peers.
Organizations with business-aligned cybersecurity leaders are also:
- Three times more likely to ensure cybersecurity objectives are in lock step with business priorities.
- Three times more likely to have a holistic understanding of their organization’s entire attack surface.
- Three times more likely to use a combination of asset criticality and vulnerability data when prioritizing remediation efforts.
“In the future, there will be two kinds of CISO — those who align themselves directly with the business and everyone else. The only way to thrive in this era of digital acceleration is to bring cyber into every business question, decision, and investment,” said Renaud Deraison, Chief Technology Officer and co-founder, Tenable. “We believe this study shows that forward-leaning organizations view cybersecurity strategy as essential to innovation and that when security and the business work hand-in-glove, the results can be transformational.”
Forrester Consulting conducted the online survey of 416 security and 425 business executives, as well as telephonic interviews with five business and security executives, to examine cybersecurity strategies and practices at midsize to large enterprises in Australia, Brazil, France, Germany, India, Japan, Mexico, Saudi Arabia, the U.K., and the U.S. The study was fielded in April 2020.
To read the full study, visit https://www.tenable.com/analyst-research/forrester-cyber-risk-report-2020