The Cyber Security Leap: From Laggard to Leader
April 2015
How do some organizations achieve better security performance?
We compared organizations that were able to leapfrog their security effectiveness against others that remained static.
- Defining a Leapfrog organization
- Key findings
- Implications
- About the research
Security effectiveness can be notably improved over a short period of time by applying lessons learned from three priority areas: Strategy, Technology and Governance.
Leapfrog organizations improved their security effectiveness an average of 53% over two years.
Success characteristics can be summarized across three areas: Strategy, Technology and Governance.
- Security is a business priority aligned with the enterprise's goals
- Focus on innovation
- Outsourcing is a component of the security program
- Respond proactively to major changes to the threat landscape
- Deploy enterprise risk management procedures
- Embrace new and disruptive security technologies as part of the strategy
- Open communications with CEOs and corporate boards
- Establish dedicated security budgets that have steadily increased
- Chief Information Security Officer (CISO) has authority to define and manage the security strategy
Research and analysis conducted by Accenture in collaboration with the Ponemon Institute, LLC. All data in this presentation taken from The Cyber Security Leap: From Laggard to Leader, 2015.
Suggestions for developing or improving your security strategy:
- Establish a security strategy that encourages innovation, has dedicated budget and programs, a strong ecosystem and a clear vision for how innovation gets on-boarded into production
- Develop the ability to adapt quickly and proactively to the changing threat landscape
- Help the organization embrace digital disruption
- Align security and organizational priorities
- Treat security as a business priority
Suggested areas for technology focus:
- Seek out technology and capabilities that enhance the user experience and productivity
- Balance prevention, detection and response better; lessen the focus on prevention
- Better exploit data within the organization to gain an advantage in detection and response times; move toward security intelligence
Governance measures to improve performance:
- Foster a working relationship between CISO and the board to take effective action; educate and collaborate to articulate and prioritize business risk
- Use benchmarks and metrics to continually assess the strategy and evolve the organization's posture
- Outsource security operations as appropriate for best use of available expert resources
- Eliminate fire-fighting and use resources effectively
For more information, visit: accenture.com/cybersecurity
Organizations with static security effectiveness demonstrated different characteristics:
- Operate security under a veil of stealth, secrecy and underfunding
- Prioritize external threats
- Focus on prevention rather than quick detection or containment
- Drive security investments by compliance with regulations and policies
- View security as diminishing employee productivity
- Believe security budgets are inadequate for meeting the company's security mission
Leapfrog organizations value innovation as a way to strengthen their security posture.
Chart values: 33%, 45%, 20%
Chart labels:
- Higher value placed on security innovation
- Higher level of security innovation change in the past two years
- More security innovation
Establishing a security strategy as a business priority separates Leapfrog from Static organizations.
Chart (series: Leapfrog, Static):
- Security strategy exists: 55%, 70%
- Security is priority: 45%, 69%
- Security and business objectives aligned: 40%, 63%
Security outsourcing is often a component of Leapfrog organization strategies. Outsourcing core security operations can greatly increase security effectiveness by providing access to advanced technology and expert resources.
Chart (series: Leapfrog, Static):
- Has strategy and outsources security operations
- Has strategy and does not outsource security operations
Chart values: 55%, 32%, 15%, 23%
Leapfrog organizations proactively use advanced technologies to secure their network and cloud environments.
Chart (series: Static, Leapfrog; rankings on a 10 point scale, 1 = low; 10 = high):
- Secure (encrypt) data stored in cloud environments
- Establish security protocols over big data
- Pinpoints anomalies in network traffic
- Provide advance warning about threats and attackers
Chart values: 6.00, 7.18, 4.94, 6.33, 7.45, 8.55, 7.56, 8.27
Leapfrog organizations focus more on securing network, sensitive data and the cloud, while Static organizations focus more on locking things down.
Chart (series: Static, Leapfrog; rankings on a 10 point scale, 1 = low; 10 = high):
- Control insecure mobile devices including BYOD
- Limit insecure devices from accessing security systems
Chart values: 7.76, 7.16, 7.18, 6.03
Establishing strong governance and controls supports Leapfrog security effectiveness. Important governance components include dedicated budget, use of benchmarks and metrics, and regular communications with the board of directors.
Chart values: 35%, 34%, 20%, 26%
Chart labels:
- Metrics to evaluate security operations
- Enterprise risk management procedures
- Regular reporting to the board of directors
- Benchmark security operations
The CISO role in Leapfrog organizations reflects the importance placed on security. While both types of organizations have a CISO, the level of responsibility is notably different.
Chart categories:
- CISO defines security strategy and initiatives
- CISO directly reports to a senior executive
- CISO is accountable for budgets or discretionary spending
Leapfrog: 71%, 71%, 65%
Static: 60%, 58%, 55%
Organizations studied represent various industries and sizes across NA, Europe, Middle East and Asia Pacific.
Industries represented (pie chart): Technology and software; Consumer; Health & pharmaceutical; Industrial; Hospitality; Other; Transportation; Financial services; Energy and utilities; Education and research, 1%; Communications, 1%; Retail; Public sector; Services.
Organization size (pie chart): Less than 1,000; 1,000 to 5,000; 5,001 to 10,000; 10,001 to 25,000; 25,000 to 75,000; More than 75,000.