Why you should consider outcome-based security

TU IS/Getty Images

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Stephanie Kanowitz,
Contributor, Route Fifty
 

Connecting state and local government leaders

By Stephanie Kanowitz

|

Agencies can better align their cybersecurity and business priorities when they have affordable risk management solutions that deliver measurable results.

Most organizations take a reactive approach to cybersecurity, but a better way is to focus on outcomes, a new survey report shows.

Sixty percent of respondents said their organizations react to individual cyber issues, but 83% are interested in, planning to adopt or expanding their adoption of outcome-based security solutions. Those approaches “simplify cybersecurity by cultivating only those capabilities that measurably deliver their desired outcomes as opposed to traditional threat, activity-based, or [return on investment]-based methods,” according to “The Value of Putting Security Outcomes First,” a report by Forrester Consulting commissioned by security firm WithSecure. 

Experts agree that outcome-based security is beneficial. “To me, outcome-based cybersecurity is really focusing our attention on achievement, rather than dogmatically on the parts of the stuff that got us there,” said Matt Butkovic, technical director of the Cyber Risk and Resilience Assurance Directorate in the CERT Division of the Carnegie Mellon University Software Engineering Institute. “To answer the question ‘Did we achieve our outcome?’ you have to have a system of measure … to express the completeness of what you’ve done, which is different than, ‘OK, there’s 14 somethings. Have we done all 14 of those things?’”

As an example of how outcome-based security might work, he pointed to the Sarbanes-Oxley Act of 2002, which required public companies to develop controls  for better financial tracking.

“The way you got there was left up to you,” Butkovic said. “It was a slight change in mindset, going from ‘this is the specific steps A through Z’ to ‘as long as we get to Z, we can skip M and L in a risk-informed way. We know that’s OK.’”

For state and local governments, it might look like this: A water treatment plant needs to ensure only people with proper authorization can adjust the mix of chemicals for purifying water. That is the outcome, so officials need to determine the cybersecurity controls to achieve it, Butkovic said.

To adopt outcome-based cybersecurity, agencies must first understand their risk tolerance and current risk management practices, said Kevin Jackson, chief executive officer at Level 6 Cybersecurity. The company created a data analytics service that would enable public-sector organizations to see what security approaches have worked for other organizations of similar size and complexity.

One of the 23 cybersecurity strategy domains that the analytics engine measures is risk management. “You get areas where your strategies are at risk because perhaps you are implementing strategies that are not optimal, simply because you don’t have the resources or because for one reason or another, that’s not the choices you made,” Jackson said of the analysis. It “tells that city manager or that state-level [chief information officer] or [chief information security officer], ‘Here’s what actually has produced the best results for the dollar for organizations like yours.’” 

Outcome-based cybersecurity allows for better alignment between an agency’s cybersecurity priorities and goals or business outcomes, according to the Forrester report—something only one in five respondents said their organization has. An inability to capture meaningful data to understand cybersecurity maturity and use it to measure the progress of business outcomes is a main contributor to this misalignment, the report states.

Related articles

CISA, FBI need data from cybercrime victims to support policy

How one state looks to shared cyber services to defend rural areas

Unpatched, known vulnerabilities still key driver of cyberattacks

Shifting to outcome-based cybersecurity doesn’t mean throwing out existing approaches, just adjusting them. “It’s far easier to compare yourself against a very circumscribed checklist than it is to ask in an open-ended way, ‘Did we achieve our outcome?’” Butkovic said. “Rather than starting with the checklist, start with, ‘What are the things we want to happen or not happen?’ Those are the outcomes, and you work backwards from there.”

To begin using outcome-based cybersecurity, Jackson said the first steps are to identify who the decision-makers are and set up parameters for roles and responsibilities. Next, agencies should determine the value of the approach—a key component for funding-strapped agencies. Artificial intelligence can help by analyzing what would maximize limited budgets, he added.

Security managers must also understand that the way they evaluate outcomes and risks needs to change along with new threats and technology, Butkovic said. 

“In the not-too-distant future, we’re going to need to take on post-quantum encryption as a concern,” he said. “We need to understand that [threat] should modify our assumptions about the outcome and will certainly modify the way we evaluate ourselves…. You’ve got to refresh the things that go in the hopper that allow you to make these determinations.”

Stephanie Kanowitz is a freelance writer based in northern Virginia.

Risk management Case Studies
Powered By
Browse The Atlas full case study database or read more case studies about Risk management.
IT Department establishes centralized cybersecurity roadmap by leveraging CIS18 framework
Contra Costa County, CA
Harris County, TX initiates AI flow data collection to better forecast flood risk
Harris County, TX
Real-Time Ponding Monitoring Reduces Flood Risk in Sugar Land, TX
Sugar Land, TX
BROWSE LOCAL GOV CASE STUDIES

NEXT STORY: Lawmakers advocate more funds for state fusion centers

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.