As per the recent survey conducted from across the globe – including the UAE and Saudi Arabia, Delinea revealed the impact of misalignment between the cybersecurity function and wider business. The survey was answered by the IT Security Decision Makers (ITSDMs) of all the companies approached.
Asked about the Board and C-Suite’s understanding of cybersecurity across the organization, only 37% of respondents in the UAE and Saudi Arabia think their company’s leadership has a sound understanding of cybersecurity’s role as a business enabler. Over a third (34%) of respondents believe that it is considered important only in terms of compliance and regulatory demands, while one in five said it is not seen as a business priority. Furthermore, just over half of respondents (55%) believe that there is a “strong alignment” between business and cybersecurity objectives.
The disconnect appears to have caused at least one negative consequence to 94% of regional respondents’ organizations, with more than a quarter (28%) also reporting it resulted in an increased number of successful cyber-attacks at their company. The impact of misaligned goals on the cybersecurity posture of organisations in the UAE and Saudi Arabia was wide-ranging as it contributed to delays in investments (42%), delays in strategic decision making (41%), and unnecessary increases in spending (33%).
There were also consequences for the individuals themselves, with 31% of regional respondents reporting it impacted the whole security team in terms of stress. Furthermore, global economic uncertainty has worsened the situation with the majority of those surveyed (61%) stating that aligning cybersecurity and broader business goals is becoming more difficult to achieve as a result.
The report also brought to light that metrics used to measure and demonstrate the value that cybersecurity delivers. Interestingly, improved experience for business users (33%) was cited as the most important measure of success, followed by more technical and activity-based metrics such as meeting compliance objectives (32%) and reducing costs of security incidents (29%).
“While security teams appear to be more ingrained into the organisational processes, it is clear that the majority of regional enterprises still fail to consider cybersecurity as a competitive advantage. What’s more concerning is that our report shows that this disconnection translates into delayed investments, which put the business at risk, It is time for company leaders to reassess their approach to cybersecurity – seeing it as not just as an obligation, but as a profit center,” said Mohammad Ismail, Regional Director – Middle East, Delinea.
“Cyber security can be a huge business enabler, but this research reflects that there is still some work to do at the board level in shifting mindsets. Executive leaders need to think of cybersecurity not only in terms of ticking the compliance box or protecting the company, but also in terms of the value it can deliver at a more strategic level,” said Joseph Carson, Chief Security Scientist and Advisory CISO, Delinea.
Aligning goals also involves reviewing the reporting lines and CEO-level visibility. However, the Delinea survey suggests that there is little appetite for change in reporting structures, as less than a third (31%) of regional ITSDMs believe the CISOs or the most senior cybersecurity leaders should report to the CEO to best align cybersecurity with the overall goals of the business. Alignment between cybersecurity and business goals is essential for success. This research clearly highlights the negative consequences when teams’ objectives aren’t fully in sync. Ensuring common agreement across business functions is vital and there is a real value in metrics that not only measure security activity, but which also demonstrate the impact on business outcomes. Carson further added, “Communication is key, and while strong technical skills are still important, security leaders need the ability to communicate, influence and present the value they add to business outcomes more frequently than ever. Security leaders that demonstrate this mix of skills, and that have the same end goal in sight as the business, are a force to be reckoned with.”
