Understanding Outcome-Based Cybersecurity and Its Interaction with AI: Insights from Laura Koetzle

In a recent interview with Augustin Kurian, Editor-in-Chief of The Cyber Express, Laura Koetzle, Vice President & Group Director at Forrester Research, shed light on the current cybersecurity landscape, the shift to outcome-based security, and the intersection of AI and cybersecurity. 

Koetzle began the interview by emphasizing the increasing importance that cybersecurity holds in modern businesses.

According to a study, 75% of respondents revealed that their board of directors and executives view cybersecurity as a top-level risk, comparable to financial risk.

This is a significant improvement from five years ago, but there is still a long way to go.

Despite advancements, a quarter of respondents did not share this sentiment, indicating the need for ongoing efforts to raise awareness and importance of cybersecurity in the business landscape. 

The conversation then pivoted to the concept of outcome-based security, a proactive approach aimed at minimizing the number of incidents and damage caused by them.

This approach requires businesses to focus on top-level key outcomes and align their security investments accordingly.

These could be specific business goals like entering a new market or reaching a new customer segment. In this context, Koetzle mentioned that businesses should question their investments in specific controls or technologies if they don’t contribute to the desired outcomes. 

As the interview continued, the discussion revolved around the identification of core metrics for outcome-based cybersecurity.

According to Koetzle, these are typically the company’s key goals over the next few years. The security leader should align security investments with these goals, asking whether each investment aids the company in achieving its desired outcomes. 

Addressing the role of Chief Information Security Officers (CISOs) in implementing outcome-based cybersecurity, Koetzle highlighted the challenge of translating business outcomes into security contributions.

This involves determining how to contribute to the business outcomes and communicating that contribution effectively. The metrics used will vary depending on the outcomes.

For example, if a business aims to increase online sales by 10%, the CISO could demonstrate a reduction in legitimate customers getting blocked during the purchase process or a decrease in customer service calls related to purchase issues. 

When asked about the hot topic of artificial intelligence (AI) and its intersection with cybersecurity, Koetzle divided the discussion into two parts.

First, she touched upon the usage of AI and machine learning in improving detection rates and automating tasks in cybersecurity. These tools can learn baseline activity levels for users and systems, raising flags when unusual activity occurs. 

The second part of the discussion centered on the challenges posed by generative AI. She highlighted how AI can craft convincing phishing emails on a large scale, calling for improved detection and training to tackle these threats.

Furthermore, the issue of AI-led disinformation poses significant challenges, both in public discourse and in business operations. To address this, she believes organizations will need to bring disinformation expertise into their cybersecurity frameworks. 

Laura Koetzle concluded the conversation by highlighting the need for businesses to prioritize cybersecurity, adopt an outcome-based approach, and understand the implications of AI in cybersecurity.

As the landscape evolves, organizations must continue to adapt, integrate new expertise, and remain vigilant against the ever-evolving threats.