2021 Security Outcomes Study

Partner: Cisco

Security is ever-evolving to the point that success can feel elusive, even for organizations with massive budgets. This global study of over 4,800 professionals aims to move past theory to empirically measure which security practices actually drive successful program outcomes. We analyze 25 security practices against roughly a dozen high-level objectives—from enabling the business to managing risk—to identify the specific “success factors” that move the needle.

The data provides a definitive answer: a proactive, best-of-breed tech refresh strategy is the single strongest driver of program success. Organizations that frequently upgrade infrastructure are significantly more likely to keep up with business growth and report successful programs overall. The report also finds that “good security isn’t just about the money”: sufficient budget alone did not significantly correlate with overall program success.

The second most powerful factor is a well-integrated tech stack, which surprisingly serves as a top driver for recruiting and retaining security talent. The study also challenges protection-heavy strategies, showing that the “Identify” function of the NIST CSF contributes the most to success, while the “Protect” function ranks near the bottom. This research offers a data-driven roadmap for CISOs to prioritize the habits that lead to measurable resilience.

Key Findings

  • Proactive Refresh Lead: A proactive tech refresh strategy is the #1 driver of program success, increasing the probability of keeping up with business growth by 12.7%.
  • Integration and Talent: Having a well-integrated tech stack is the second strongest success factor and a primary driver for retaining talented security personnel.
  • Compliance Success: Meeting regulatory compliance is the outcome where organizations report the highest success rate (48%).
  • NIST Function Inversion: The “Identify” function of the NIST CSF ranks as the top contributor to overall success, while the “Protect” function ranks next to last.
  • Incident Review ROI: Conducting after-action reviews of major incidents is the top factor for avoiding future incidents and losses.
  • Culture Drivers: Strong security culture is best fostered by providing good equipment, accurate alerts, and clear strategic direction.
  • Unplanned Work Struggle: Organizations struggle most with “minimizing unplanned work and wasted effort,” which has the lowest reported success rate (35.5%).

Global survey of 4,800+ active IT and security professionals across 25 countries, analyzed independently by Cyentia Institute.