Unlock your business potential with outcome-based cyber security!
This insightful webinar hosted by WithSecure welcomes guest speakers from the industry's top echelons, discussing the power of aligning security goals with business outcomes.
Speakers Christine, from WithSecure and Laura, from Forrester Research, shed light on the current state of cyber security and the growing interest in outcome-based strategies.
From discussing the evolution of cyber security models to the introduction and exploitation of new technologies, this video offers unparalleled insights.
Dive deep into the untapped potential of outcome-based security, understand its significance in today's digital ecosystem, and learn how to integrate it seamlessly into your organization's journey towards robust and effective cyber security.
So, are you ready to transform your organization's cyber security strategy? Engage with us, and let's explore the future of cyber security together.
When your organization does an investment you expect results from that investment and this should be no different in cyber security that's why at with secure we'll be working on outcome-based security where the results of security are aligned with your business goals you see all too often cyber security is seen as something which hinders or slows down your operations or your functions and that's not the way it's supposed to be cyber security should be the enabler it should be the part of your operation which enables your employees to be productive and effective and creative we see growing interest in outcome-based security and no wonder because there's a lot of untapped potential in it as you will soon hear so welcome to the stage Christine and Laura our featured speaker from Forrester research enjoy the show hello and welcome to this with secure webinar my name is Jana cohenen and I will be your host tonight we've got a great lineup of speakers to talk to you about outcome-based security first up we have Christine bejrasco the Chief Information Security Officer at with secure her topic is the current situation in the Cyber Dimension and why do we need outcome-based security thinking she will be followed by our guest speaker Laura ketzley from Forrester the vice president and group research director she will be talking presenting the Forester research on outcome-based security and giving us the theoretical background for what we're talking about today without further Ado Christine welcome to the stage thank you young hello and welcome to the webinar as well on my behalf now as I see so I could easily spend my days looking at every cyber threat out there especially the ones that are in the news and especially the ones that people all over my organization are asking me about and then thinking about how can we secure ourselves or if we even have the right kind of defenses against these threats but this is a recipe for stress and burnout because the truth is there are as many threats out there as there are Technologies and for some of these Technologies you even multiply that hundreds of thousands or even millions of times and not every threat is actually relevant to my organization but it wasn't it wasn't so long ago actually a little bit more than two decades ago where when Technologies were still like Islands so to speak and if there is information that you would like to transfer from one device to another there needs to be sort of like a physical medium a party a logistics provider that carries the information from one device to another using what we called removable disk drives and of course there were still threats during those times but it seems that the threats were very slow moving because of course we were also quite slow moving and then there was mass adoption of the internet and I don't know about you maybe some of us dinosaurs would probably still remember a time when somebody was visiting online in our homes and then you pick up the landline phone and there's this very peculiar and distinct sound and you can't even use the phone so you know that somebody was visiting online but people can still go offline during those times and when they went offline then they were completely disconnected and more and more we wanted more bandwidth we wanted more speed and it was given with cheaper and cheaper price tags until eventually today the real world that we're living in is both physical and digital and it's really challenging now the concept of how do you go offline when there are different tech companies who even have the vision of covering this whole planet with satellite connectivity and 5G already coming into play and of course our phones every day we are having them always in our pockets so the concept of going offline is becoming more and more sort of a remote reality a remote event that may have happened in the past and this is the scenario where we really need csos because probably during the time when things were still offline I mean if there were csos then life would be probably pretty boring but today in this type of ecosystem and disciple environment well there are different threats that are coming with these new technologies and we are even trying to blur these lines even more with Concepts such as the metaverse or augmented reality and the future if you think about it is full of possibilities for all of us including the threat actors because what we have seen so I I have been a cyber security industry for around two decades and what we have seen is whenever there are new technologies that are introduced threat actors are going to find a way to exploit their those Technologies for their own personal gain and in the past 20 years we have experienced the introduction of Technologies at Breakneck speeds I mean today we are so much better at adopting new technologies than we are at deprecating or retiring old ones think about it if we want to get in a new technology and we want to use a software as a service platform we can get it in in five minutes all you need is a credit card but if you want to get rid of that server in the basement that is probably some old version of Debian in there I don't know how many years it would take to actually deprecate that or to totally eliminate that from your organization so this is what's happening in our organization today we have so many new technologies that are coming in and yet the older ones are still around so think about it for a moment we have teams slack Zoo and then maybe the digital dinosaurs like us who still love our emails we still have emails in there and probably this will stick around for as long as we're not extinct and then for instant messaging because we like to have our end-to-end encryption so we have signal we have what's up but then maybe we need a backup and then we keep our SMS in there so we just keep on piling all of these things and calling this a complex ecosystem is actually an understatement and of course if Technologies come in and they are bringing in new threats that could also play on top of these Technologies then we just keep on piling up all of these new threads as well so for example fishing it has been around well for as long as I was here in my career for two decades but the fishing that we had then was fishing with emails but today we have fishings with SMS a bunch of instant messaging we have voice fishing so fishing has expanded into the other technologies that have also been introduced and there are even threats here that we can see for example crypto jacking which is targeting a concept of currency that didn't accept didn't exist like two decades ago and crypto mining that's happening on cloud platforms Cloud platforms also didn't exist two decades ago so in this scenario where we keep on adding new things and we keep on piling up all these different all these different threats that we are working with then the scope of cyber security and the scope that cesos or the head of security within organizations now would need to Grapple with just keeps on getting wider and this is why we need sea cells but when it comes to cyber security like how have we really viewed this to be what is the purpose of cyber security that we have thought about over these past decades and essentially how we have seen this is cyber security is kind of like the tax that you need to pay to do business in the digital space and if you have attackers that are trying to infiltrate your organization then if we can raise the bar high enough such that it becomes costlier for them to actually infiltrate and attack and compromise the organization than it is to bypass the security that we have then they might not do it so it's a game of raising the cost it's a game of raising the bar and that's how that's how we have always introduced this a cyber Security Experts and to be honest some of this does not resonate really with people in the organization because sometimes it becomes that we need to add an additional layer of security we need to add an additional product in order to strengthen this layer of security so sometimes we just keep on adding new products new cyber security products and then we forget maybe that a product is also software and software also is technology that will increase the attack surface and so it adds to the Vicious Cycle of accumulation of these different technologies that may or may not really deliver towards the goals that the business would like to have and the challenge with the discussion also came about because well a lot of us who are practicing cyber security came from really technical backgrounds and if I look at the past how is a how this has been for the past 20 years maybe the model that we started in like asked people who are technical cyber security practitioners has been a threat based model because what happened then was there was a threat and then you have protection capabilities against these threats but then again you have another thread and then you add another level of protection and then you just keep on adding this and then eventually you realize hey wait a minute some of these threats they have the same behaviors maybe you now try to think about okay maybe we can build a framework on top of this and for example the miter the miter attack framework that's a very useful framework that specifies the techniques tactics and procedures that actually the cyber security threat actors would then perform but the challenge with that model is that it's a bit hard to understand as like even the technical ID people they don't really get what we were talking about certain types of attack and how do we protect against those type of attacks so we shifted towards a model that is more inclusive towards different technical people which is more of an asset based model because people are handling the assets of the organization know that well there is a way that they need to do protection for these capabilities they need to patch their software etc etc and they would like to take a look at that that certain assets have certain protection capabilities and there are Frameworks also that came up for this for example Sony will use cyber defense Matrix is quite good on this one because you have the you have the full nist cyber security framework on one hand and then you have the assets of the organization on the other hand and you have a nice Matrix that you can work with but the challenge with this Matrix is that in addition to the fact that it's still quite technical some of these boxes are actually bigger or deeper than the others and there's a tendency to maybe turn them into check boxes then we have risk-based Frameworks which many organizations are using today and the beauty now of the risk-based framework is that it includes the different people in the organization who have already been handling risks in the first place because there is already risk management in different types of organizations they do business continuity management and they do risk management and cyber risks are just one of the risks and therefore the conversation now becomes a little bit more easier but still one of the challenges when it comes to risk is that how do you then prioritize now these risks because typically we prioritize them based on potential cyber security impact to the organization So based on how we the cyber security practitioners think about it from our perspective and at times this is a little bit challenging to explain towards the executive audience or the board of directors that this x is more important than the others because sometimes it doesn't really coincide towards the direction that the business would like to go towards and this is why we're introducing outcome-based security because if the goals of cyber security are aligned towards the outcomes that the business would like to go towards then for one it's a little bit easier to fund cyber security it's a little bit easier to argue for the Investments that we would like to have and also it's easier for the executive team or the board of directors to understand to what ends is this cyber security investment going towards but I'm not saying here that we remove all of these other models because outcomes is a place to start but then once you have the outcomes it becomes not a question of what are the risks to those outcomes what are the assets behind the risks and what are the threats towards those assets so there is still a continuity of conversation all the way going towards the technical people who are actually going to implement the solutions okay let me show you a few examples and just to give a little bit of color to what I'm talking about what if the outcome of the organization would be maximize productivity especially in this economic climate I mean different organizations would like to be more efficient to maximize their productivity which is well and good and therefore maybe in a way of doing this they would like let's say their asset which is a web server to be present in the cloud because the more visitors do have the more you can scale up and if you don't have any visitors then you sort of like scale to the lowest possible resource that you would need but of course the risk to this is that since this is auto scaling then you can scale as much as well the resourcing will allow and therefore there's a possibility to it to impact your operating expenses essentially if for instance there are threats like crypto miners and from our incident response engagements we have seen that most of the payload that we have seen in compromised Cloud environments have crypto miners delivered to them and we have actually seen that in an Azure web server environment there was crypto Miner delivered that scaled all the way up to how much the environment actually allowed and then let's talk about how would the outcome of increased competitiveness well if we want to be very competitive we want to move really fast then maybe we don't really wait four months for software to be deployed in different environments let's use sauce because you know in five minutes we can get a software we can use it in our organizations swipe your credit card and off you go the question here really is what is then the risk like who are these third-party partners that you are now working with in your organization how well do they secure their environments because the data that you have and the data that your customers have are now flowing towards these different SAS environments that's an asset and that's a risk and then the threat to that could be that a data breach in this third-party environments could actually be impactful towards your organization and finally one more outcome strengthen business resilience which is also very relevant in this economic climate so as a business if you want to weather for instance the current economic climate and you'd want to emerge and even thrive on the other side you need to make sure that the reputation that you have with your customers is intact so the asset could be a reputation and the asset could be that if you're a software provider could be the applications that you have and the rest of that could be that if you end up introducing malware to your customers estate and it could be problematic it could erode that trust it could erode your reputation as an organization and a threat to this would be a force supply chain attacks because these are typically used by threat actors to introduce malicious code especially via open source code that have been compromised and if you have these discussions for instance when it comes to outcomes then when you talk about Solutions even though the executive team or the board of directors may not understand what exactly you're talking about with these very Technical Solutions they understand what it's for this time they understand what outcomes are you trying to protect and it's not detached from the threats or the risks or the assets as well because that is part of the conversation already but this is about bringing that additional level of understanding to the people who can actually help our cyber security budgets and steer them towards the right direction and you know how it is when you tap into an idea whose time has come is when you have conversations is when you have surveys is when other people actually take a look at the idea and say that yeah that sounds interesting I would actually like to adopt that or maybe I would like to do more of that because we're we're doing a little bit of that in the organization or maybe I would like to explore that and this is what we have today because as we have conducted together with Forester Consulting This research we have seen that 83 percent of the Cyber Security leaders within the organizations or cyber security influencers in the organization I actually believe that they would like and they are interested in adopting outcome-based security and this is what Laura who is here with us today is going to explore more and it's going to dig in deeper into the details behind that research she's gonna be coming in soon after me Laura thanks very much Christine so I'm going to be making the case for outcome-based security in a bit more detail so Christine's already told you that we've got lots of people who are interested in this based on the research that we've done and like with all good ideas it sounds really obvious when you actually describe it right why wouldn't we have thought about the outcomes that we wanted as a business and thus the outcomes that we want in cyber security to contribute to those business outcomes and why don't we just do those things well as with all kind of good ideas that seem obvious once you talk about them I think it's been challenging for us as cyber Security Professionals to think of everything in this way simply because we and our businesses didn't have the level of maturity that we needed to actually articulate and construct everything that way and have it actually work so we did a little research on this as Christine said and so I'm going to tell you a little bit about the research and how we did it and what everybody is excited about and what their challenges are and that will lead us to how do we kind of seize on this idea of outcome-based security and what do we do with it as we go forward so first a little bit about the research that we did overall it's uh into it's with about 400 and some very small number so like 409 or something like that uh respondents who are cyber security decision makers and Technology decision makers generally in several different countries so as you can see 75 percent of folks were from Europe and then we had uh the other quarter of respondents from the US and from Japan so it gives you a good kind of cross-section of some of the most sophisticated countries in the world of cyber security and the firms that are sort of participating in the world of cyber security and if you look at the respondents in detail the bulk of them are from companies that have between 500 and 5 000 employees so we're talking mostly about reasonably large entities in all kinds of Industries so what do we know about these survey respondents and sort of the challenges they face and what they're interested in well in the first place in most of these firms as you'd expect right because these are companies that are a bit larger and organizations that are a bit larger they've now well established their cyber security practices so the idea of having a CSO and having a cyber security team and people who focus on the world of cyber security threats and and managing the risk is not a new thing to them and the honestly the first number of 80 who say that the overall level of threats that we face each year is increasing probably is a surprise to you exactly no one because that has been true for as long as I've worked in this field which is a longer time than I really care to discuss and uh it's I don't anticipate that that'll be changing very much in the future if it does then we all get to retire which will be very exciting but it doesn't seem likely anytime soon and cyber risk being a top priority for the organization and Boards of directors and and such wanting it managed as though it's a top priority at 75 that is different from if you were to go kind of 10 years into the past certainly it wouldn't have made the top ten probably and so getting all this attention from the board of directors is a bit of a double-edged sword because on the one hand having them pay attention is good because then we can manage the risk risk we can make sure that we do what needs to be done but it also means that if we don't do as good a job as we should they will probably notice and that will be very uncomfortable and then you see it 71 we're spending more on cyber security each year that has been true for as long as I can remember and part of me has long wondered how long we can keep that up because asking for more money every year and not having things get apprecially better is not perhaps the nicest place to be now that's been the reality for quite a while and it's one of the things that I'm hopeful that outcome-based security and thinking about things a bit differently can help us break out of because eventually the treadmill will need to stop you can only spend so large a percentage of your budget on cyber security before you have to start to ask some very hard questions about what return are we really getting out of this and are we actually doing what we should so unsurprisingly in this kind of environment half of the companies that responded to our research find it difficult to align their cyber security priorities with business outcomes and so I think you can see a bunch of different reasons for this the sort of first four or so or essentially a statistical tie so you see managing complexity at the top and that's one that I am not surprised to see at the top of the list simply because for all of us who've been in this field for a while we have been adding new risks and new threats and new technologies and all sorts of things to our environments for as long as I can remember and those sort of pile up like a slightly unsteady pile of blocks until you end up with a whole load of complexity and you're trying to do the right thing and manage the risks and the problems and react to the things that come your way to react to the things that come your way in a useful and effective manner but that becomes harder as the environment becomes more complex because you get the standard something half happened and it creates a cascading effect that no one expected and then you have to deal with the consequences of that so in the list also there you see handling conflicting cyber security and business goals because sometimes you're in a situation where you've got a business that wants to expand and wants to do it really fast and that creates a whole load of risks and cyber security challenges that then as a cyber security leader it's your job to say Yes And as Christine said earlier like yes we can do that but here are going to be the consequences so we have to decide if we can accept that level of risk if the mitigations that we think we can manage are going to take it to an acceptable level or meet somewhere in the middle and all agree that if something bad happens it's a set of risks that we've accepted and we're all going to then respond to whatever the sort of immediate crisis is acknowledging that we had said that we knew this might happen but the opportunity that we were going after was worth it so it's a complex environment out there for really any company that's been around for any longer than a couple of years and aligning what you're doing with cyber security with the outcomes outcomes that the business is looking for is harder than it should be but that's the kind of Crux of the thing that you need to do if you're pursuing an outcome-based security approach is to be very clear on here are the business outcomes that our company or organization is seeking over the next three years five years whatever your typical time Horizon is and then these are the security outcomes that will support or lead to those business outcomes and so you sort of very explicitly link them together get all the stakeholders to agree yes we've got the right business outcomes at least as far as we know them right now obviously things change and we've got the right cyber security priorities and outcomes to support those business outcomes and now we're going to single-mindedly pursue that set of outcomes and we're going to evaluate all of the decisions that we make in the light of does this help me advance the outcomes that I am looking for or not and asking that kind of simple and clarifying question really helps when you've got a really complex environment you've only got so much resource you've only got so much investment so it can help you prioritize which things are worth doing and which things are less important and so that maybe you could stop doing because now that our sort of field has reached an approp well a level of maturity and complexity we really do have to ask not just what more should we do but what should we stop doing because otherwise we're going to be sort of continually accreting these layers of sediment of complexity and new technologies and new processes on top of old ones and that starts to get very rickety like the Tower of blocks that I talked about before so stopping doing things is almost more important than starting doing new things in an environment like that so the outcome-based approach connects cyber security to the business and so if you look at all of our respondents who are kind of interested in who are interested in outcome-based security writ large in sort of chaining their business outcomes and the cyber security outcomes together and then pursuing those and making sure that what you do actually advances those goals you'll see that they're looking for kind of all the right outcomes that you might expect so reducing risk improving customer and partner experience now there's a thing you might not have seen on a list with a bunch of cyber security respondents say 10 years ago but it's absolutely essential if we want our companies to grow and to succeed we want to make sure that our customers are having a superior experience and obviously we want to grow Revenue we want to increase our operational resilience in an uncertain environment this is like some of the worst cliche ever at the moment you've heard everybody talk about it as an ad nauseam but the reality is we do face a lot of uncertainty in the coming year and so making sure that we're resilient enough to deal with that uncertainty is actually really important and of course improving our governance and our compliance because in many cases we are legally required to do so so good idea to follow those instructions but also those things will add to our resilience and make it easier for us to do the things that we want to do and pursue the business outcomes that we're looking for without adding more than is acceptable to our risk to our risk level and sort of thus breaking our risk tolerances so I thought I'd talk a tiny bit about the Forester high performance security program model here because a lot of you are leading security organizations and so you're thinking about how do I lead this organization help my company grow protect our business help us do all the things we need to do pursue the outcomes that are most important to the business and this kind of very simple model can help you think about how to do that and indeed being outcome based and outcome driven helps you kind of brush away the tons of stuff that can clutter up the agenda with the with sort of day-to-day things and get you to a place where you can lead an organization in a direction and know that since everybody has agreed on the outcomes that we're pursuing that gives people the ability to make the right decisions easily which is as an information security leader what you most want you can't always be standing there over people's shoulders telling them what the right decision is so if you give them the tools to make those right decisions on their own such as by agreeing those outcomes and hammering them home every chance you get you will get loads more people making the right decision both for the business and from a cyber security perspective without you having to do anything fantastic that's what we want so companies really struggle with this they struggle to assess their maturity to measure value and to capture meaningful data because one of the things you might ask about being outcome based is how do I show that we're actually achieving the outcomes that we agreed on and I wish I could tell you that that's super simple to do uh but you when you at least have a reduced set of things that you have to measure progress toward that does help so settling on a finite number of outcomes both from the business perspective and the cyber security perspective and then devoting the measurement resources that you have to that finite number of things can make it easier to do things like measure cyber security value and capture consistent and meaningful data and to understand your current and Target State maturity a bit better so that you can continually improve and not miss things so I wish this is a lot easier to say than it is to actually do but focusing on that small number of outcomes at least makes it slightly easier because it's a reduced set of things that you actually have to think about outcome-based security attaches unlocks a bunch of benefits as you sort of evolve in your journey towards it so for the kind of companies and and decision makers who are looking to do this they're already doing it so they're kind of expanding or upgrading their adoption of outcome-based security it's not a product obviously but you can think about it that way should you wish and those who are planning to adopt it over the next year or so they're hoping for greater cost control so to get rid of the expense in depth uh mentality that a lot of us have fallen into over the years to reduce their business risk to proactively support business goals if you're doing outcome-based security you're hopefully by definition doing that and to gain some competitive advantage through increased agility and to gain some commercial flexibility as well and even if you kind of go to the so-called bottom of the list you'll see that you still have quite sort of high levels of benefit for things like operational resilience giving Regulators the insurance that you're the Assurance rather that you're doing what you're supposed to and making effective responses to cyber threats and so on and so forth so I think there are a whole host of benefits that people are expecting out of outcome-based security and the good news is those should be achievable so as you think about what outcomes do you want how do they connect to from the business side through to the cyber security side through to your day-to-day activities you should see a through line with producing all of these things so what are the benefits of reducing risk with outcome-based security well there there are quite a few of them and you saw some of them indeed in the data for the benefits that people are hoping to get so you've got increased resilience you've got improved productivity because your people can focus on fewer things and doing them really well you've got enhanced competitiveness you've got reduced risk you've got proactive control so that you can actually take things on proactively rather than reacting to the things that come in the door and you've got an effective response to cyber threats which of course as Christine showed in her sort of chart of where we started out in the world of cyber security that's of course the place that we all started as in bad things are happening we need to do something about them that has never gone away and we don't anticipate it that it that it will but thinking about things from an outcome-based perspective makes it a lot easier for you to triage the kind of sorts of threats that are most important and that are most likely to jeopardize the outcomes that you're pursuing because the challenge for all of us in the world of cyber security is that we're all taught from the very beginning to think about all the bad things that could possibly happen because that's kind of part of who we are as a discipline and so the challenge when you're kind of leading an organization in the real world and dealing with finite resources and finite budgets and kind of finite ability to invest is which things do I focus on and I think that's the greatest gift that outcome-based security can give us is if we start with the business outcomes we're looking for proceed through to the cyber security outcomes that support those business outcomes then a lot of the decisions become a lot easier to make and you'll prioritize the right things so what kind of recommendations do we have for everybody who's hopefully excited about pursuing this path whether you'd already started down it or are starting it now so the first and most important thing to do is to agree the business outcomes with your stakeholders and map those to your Investments your threat model and your security controls if you don't have agreement on what the business outcomes are that you're all going to pursue together outcome-based security is not going to do anything for you because if you if you start out with that agreement and then you sort of cascade it through like I said earlier to the cyber security outcomes and thus to the day-to-day practices and the investment decisions of your team then you will always be in sync and when sort of unexpected or bad or both things happen you won't have to take a step back and level sets and figure out like why are we all doing different things and why do we disagree you won't disagree you all have agreed on the outcomes and you'll all be pursuing them in Tandem and so it'll cut down on sort of a lot of the grinding of Gears that can happen in crisis situations in the second place Express the desired security outcomes that you have in terms of the business benefits they deliver or enable now this sounds like very boring advice because for as long as I can remember we have all in the information security talked about we need to actually speak to the people who are not security people in a language that will make sense to them and there's a reason we keep saying that it is critically important because you want your business stakeholders to understand why you've chosen the security outcomes that you have and how those support the business outcomes that those business stakeholders are focused on so there won't be any questions about why are you doing those things why didn't you do something else because that'll all be wrapped into this kind of aligned package thirdly make sure you do some reruns of your security maturity assessments to ensure that your priorities are correlating with the outcomes that you're trying to achieve so no points for writing down your outcomes and making them all look fabulous and then going off and doing stuff that's unrelated so evaluating yourself with sort of with some frequency and saying we really prioritizing the things that we said we'd prioritize or do we just stuff that stuff in a drawer and forget about it is very helpful so that when you go back to discuss how to revise the outcomes you won't be in a place where well we didn't really achieve any of the outcomes that we set out to achieve by this point but we'll do better next year because that's not a very pleasant conversation to have and procure prepare your procurement legal teams for outcome-based security purchasing again does not sound very exciting but in a world where you're pursuing a set of security outcomes you want to be buying products and services with an eye towards those outcomes and so traditionally procurement contracts for security products and services say like you will give me these 12 widgets and I will pay you this much or you will give me this box of service and I will pay you this much if you actually want to cooperate as you should with your suppliers in pursuit of outcome-based security you want contracts that say things like we are going to pursue this outcome and so we are Contracting with this supplier to do this set of things in pursuit of this outcome and then you structure the rewards from that contract accordingly so if you achieve the outcomes everybody wins and if you don't achieve the outcomes then everybody doesn't win and that's a real difference between how your procurement and legal folks are used to these things operating they're used to them being you're going to give us some stuff and we're going to pay you some money okay done and that contract might last a couple of years if it's for a set of services this is genuinely very different so you will need to get their buy-in and make sure that they're working with you on that basis and a couple more things encourage collaboration among all these stakeholders if you don't talk to each other and you don't work together then you won't be agreed on your outcomes and you won't achieve them get rid of technology that does not contribute to your desired outcomes so we're not quite at the sort of you have too many clothes in your closet so for every new piece of clothing you buy you throw a piece of clothing out please in cyber security I would like us to get there though and I think in many cases that should probably be closer to your mode of operation than not especially if you've built up that big tower of blocks over time and Implement some monitoring so that you can show that you're achieving the desired outcomes because if you can't demonstrate that you actually did what you set out to do you are going to be in a much weaker position at your next kind of conversation about what outcomes are we looking for and how are we going to achieve them and how much money do we need to spend and what kind of resources do we need so don't forget about the monitoring and measurement uh you will absolutely thank me later so that is pretty much all I wanted to say about outcome-based security thank you very much for listening thank you for those presentations uh however I have questions so uh if outcome-based Security will help in connecting sort of the the cyber security side to the business side why haven't we done this earlier like what's taken us so long that's so the flip answer to that question is uh because we weren't really paying attention yeah but in all seriousness right we're making it we're making it sound easy but and it's sort of easy to think about like most good ideas it sounds pretty obvious when someone says it out loud uh as I said before but I think it requires a baseline level of maturity it requires trust and knowledge on the part of your stakeholders that truthfully we didn't always have right and you know when you saw sort of Christine build out her sort of timeline of approaches to security that sort of culminated with outcome-based security she's absolutely right about that because in sort of the early days of cyber security just getting people to even understand what it was was enough of a challenge and why anyone should care about it I mean I vividly remember for years saying look I'm a cyber security person and it's my job to pour enough cheese sauce on the broccoli so that everybody will actually eat it at least some of the time and to overextend my lovely vegetable metaphor here uh now we've gotten to the point where people understand that broccoli is good for them and we still put the cheese sauce on it to make sure they eat it uh that's what all these presentations to Boards of directors and so on are for but it took us quite a while to get to a place where a you know we had the sort of level of trust and engagement from stakeholders to actually get them not to laugh at a thing like outcome basic here it is in security is going to contribute to my business outcomes please tell me how that's gonna work nowadays people have the kind of experience with cyber security to actually credit that and so it becomes a lot easier of a conversation on okay so here's how we do the interlock and here's how we actually measure what we're doing because well sort of in the traditional model right Cypress Security is all about what you didn't have happen and it's very hard to measure the absence of anything and so now that we're a lot more sophisticated we can say like okay so we're hopefully keeping ourselves safe from from secure cyber security incidents and doing all the normal things but we're also able to show how having more sophisticated levels of data protection or whatever it is actually enables us to do things like serve a new market safely so that we can reach a whole new group of customers who previously it might have just been too risky to try and bring into the folds because too many of them were likely to be fraudulent or you know whatever of the kind of situation you might be in this so that's why it's sort of it's easy to think like why don't we do this ages ago but there's a lot that has gone into getting us to a mature enough place that we could actually do it and quite frankly to to build on top of what Laura is saying is that the evolution of Technologies and Associated threats that have now become in such massive volumes have steered us into this position that like all of the models that we have had in the past simply don't really work anymore to help steer us towards the future so we need something that can help bring the stakeholders together in a single conversation and be aligned with the outcomes that we want to accomplish if we are to move Beyond this line onwards towards a future where we can effectively address these problems when it comes to cyber security so sometimes like some of these great ideas when when you look back you you always feel like hindsight is 2020 because we should have done that but maybe this is really clearly the best time for that because this is what we're experiencing already today I mean not just when it comes to threats but also with regulations coming into play speaking of things we're experiencing today uh Laura I know you're working with a lot of companies uh is this common already this outcome-based thinking in organizations or are we just getting to it I mean I mean becoming common I think if you sort of think back to the slides I showed a bit earlier you have some companies that say they've already adopted it and that's sort of 25 ish percent and then sort of another chunks that are quite interested and plan to adopt it soon and I think there's there's a lot of sort of more business oriented thinking that has come thankfully into the world of cyber security over the last several years and so outcome-based security isn't as big a step as it might have been if you were thinking about cyber security in a kind of more technical conventional frame and so I think what you'll what I'm hoping you'll see over the next couple of years is more people adopting an approach like this because I think it'll give them a lot of possibility to prioritize and to discard the things that really aren't essential which I think is critical when you're kind of limited in what you can invest which we all almost always are and and so on and allow us to you know really deliver on what we've all long wanted which is to for cyber security to be an enabler of of business growth and like all the sort of phrases that you've heard to that effect over the last however long doing Security in an outcome-based way gives you a more straightforward path to actually achieving that which is really valuable no it is I'm just wondering that in both of your presentations talked about a Marketplace that is very saturated with products and services are people sort of understanding differentiating that this is not a new product this is not a service we're pushing this is a new way of thinking that people need to adopt so I'm not sure yet because like as you say there's a lot of noise so it's worth stressing like this is a way of thinking about doing doing security this is not by my new shiny widget and you will get outcome-based security in fact don't buy a new shiny widget to achieve outcome based security exactly yeah or take out the turn yeah from three years ago exactly so thinking differently about the things that you do buy and the things that you do retire as as we talked about is is really what is most critical I think and so hopefully with sort of help and repetition and you know reminding because of course it's very attractive to stakeholders to tell them let me buy this new widget and then all our problems will go away right you know but you can only sell that so many times right and so for uh you know for all those sort of cyber security leaders who are thinking that probably can't tell them we need yet another widget this is a great way to make sure that you communicate what you need to do in Security in a way that people will be receptive to okay so what will this change Christine what will be different three years down the road when everybody is thinking outcome-based security everybody's in that mindset well that's actually uh that sounds like a beautiful future if everybody is in that mindset because if for example an organization aligns their business outcomes to the cyber security outcomes that they are having then it means that that organization is steered towards the direction that they are going and actually building and this is my hope and actually building things that are secure by Design because these are the things that they are investing towards and if like first for instance our Digital Society everything is interconnected I mean if all of this data that we have in our organizations are going through all of these different SAS providers and people within there that are securing your data are driving that cyber security goes together with the business outcomes then my data is probably heading and getting secured towards the direction that auto organization wants to go otherwise I can always move to another provider who probably wouldn't offer the same like level of business outcomes versus cyber security outcomes so this is sort of like my hope that once we are aligned all the way to the people who are actually releasing the budgets and the funds for this then it we might actually get a safer Digital Society as an effect when it comes to this it doesn't always have to be as Laura mention like you bolt in new cyber security capabilities you can build it into all of these different platforms all of these different systems all of these different goals and applications and whatever that supports the business outcomes and then they are actually built better and more secure does that make sense to you absolutely the sort of building the pursuit of these outcomes into the things that you build and then just in the we are going to procure XYZ cyber security product or Services is really the name of the game because you are building your web application or your kind of new digital physical combined product and there are absolutely security things that need to be paid attention in to in each of those and so thinking we want to get this product to Market we want you know 10 million people to bot to sort of be using it in three years time well if the product isn't safe it isn't secure you're going to have a bunch of customers who try it and never want to come back again because the all the data on their sleep cycle the digital physical product uh digital physical products collected ended up in places where it shouldn't be because you didn't pay sufficient attention to cyber security or data protection so understanding all these things are connected and thinking about the business outcome and the cyber security activities shall we say whether they're design activities or features you need to build in or whatever the sort of things are gets you to the right place and the sort of business outcome that you wanted to achieve as opposed to the sort of we will achieve a certain level of cyber security across our entire estate kind of peanut butter thinking that isn't quite as effective in helping a business pursue the outcomes that it wants to all right well thank you both for your presentations today Laura cutsley and Christine perasco and thank you everyone for watching our webinar and good luck on your Journeys towards outcome-based security
Christine Bejerasco has been steeped in cybersecurity for the past 19 years. She started her career when network worms were prevalent and has seen the threat landscape evolve alongside advancing technology, as well as changes in regulations and user behavior.
She has worked in various capacities – from analyzing threats and building protection capabilities to leading teams that have effectively delivered them. Before becoming CISO, Christine was WithSecure’s Chief Technology Officer. In this role, she was responsible for investigating the intersection between threats, technologies, and user behavior, to build more future-proof cybersecurity solutions. Today, as CISO, she is applying her experience in cybersecurity to ensure the organization is more resilient and better prepared to deal with cyber-attacks.
VP, Group Director, Forrester Research
As a security and risk analyst, Koetzle researched operating system security, security architecture, network security, and security incident response, and she served as the Chairperson for Forrester’s inaugural Security Forum event.
She is also a member of the Advisory Board and the Program Committee for RSA Conference. Koetzle’s work has enjoyed wide exposure in the media, including BusinessWeek, The Economist, The New York Times, and The Wall Street Journal. Koetzle has also appeared on CNN, CNBC, and Reuters Television, and she is a frequent speaker at information security and executive conferences.
Cyber Host & Account Director, WithSecure
For the last decade as a cyber translator Janne has been helping WithSecure consulting clients find solutions for their information security issues, but he also occasionally transforms into the host of the Cyber Security Sauna podcast.
Watch latest webinars
Join our mailing list
Subcribe to our news and updates from WithSecure ans acquire valuable insights directly from our industry-leading professionals.