By Ryan LaSalle
In Part 1 of this series, we discussed the growing visibility of cyber-security as a top board and C-suite concern, as well as three distinguishing characteristics of companies that made marked improvements in their security effectiveness (Leapfrogs) and those that remain in the same zone (Statics).
In Part 2, we’re reviewing three additional themes that unite Leapfrogs and differentiate them from Static organizations. We are also discussing some of the implications of improving security effectiveness.
1. Leapfrog companies excel at governance. Both Leapfrogs and Statics acknowledged the importance of appointing a chief information security officer (CISO) for the organization, of recruiting expert IT security personnel, and of conducting background checks for all privileged users as critical elements of a strong security stance.
However, the Leapfrog companies also emphasize disaster recovery and business continuity management practices. Static companies, on the other hand, are more likely to rely on clearly defined IT security policies and standard operating procedures.
The governance practices of Leapfrog and Static companies vary significantly depending on the attribute. Overall, Leapfrog companies are more likely to use advanced governance practices, such as regular reports to the board on the state of security, or deploying enterprise risk management procedures. Leapfrogs are more likely to adopt metrics for evaluating security operations, to benchmark security operations against peers or reference groups, and to conduct postmortem reviews of security compromises and data breach incidents.
In contrast, Static companies are more likely to create a self-reporting process for compliance violations, which can be less effective.
Strong governance and controls lead to established security policies, clearly defined responsibility and accountability. When decisions follow structured policies, the organization is better able to keep its risk at acceptable levels.
2. Leapfrog companies use distinct security technologies. Leapfrog companies see certain features of security technologies as very important. These include pinpointing anomalies in network traffic; prioritizing threats, vulnerabilities and attacks; curtailing unauthorized sharing of sensitive or confidential data; and enabling adoptive perimeter controls.
However, Static companies focus on technology features, such as controlling insecure mobile devices, including bring your own device (BYOD); limiting access for insecure devices; and enabling efficient backup functionality.
In general, Leapfrog companies use business strategy to inform security strategy. They display higher levels of engagement with new and disruptive technologies, and they focus more on securing the network and the cloud, rather than focusing on individual devices.
Static companies concentrate on locking things down, which can stifle business growth.
3. Leapfrog companies invest in security. At Leapfrog companies, security budgets include funding for security-related innovations in information technologies. These companies are much more likely to have a dedicated budget for security programs than are Static companies (81 percent to 64 percent), and they are more likely to have a fund dedicated to innovations in security technologies. Perhaps as a result, these companies are more positive about having the funding to meet their mission and objectives.
In contrast to Leapfrog companies, Static organizations are less likely to have a dedicated budget for their security programs. They have more budget resources allocated to prevention than detection activities, and they are less likely to spend on strategic security initiatives.
So what are the implications for companies struggling to establish the right security posture in a dangerous and rapidly evolving environment? Clearly, both Leapfrog and Static companies are well aware of the threat represented by recent major breaches—a threat that goes beyond monetary losses and endangers corporate reputation and brand value.
In fact, 52 percent of companies in our study said that loss of reputation, brand value and marketplace image were the biggest effects of a data breach. Costs relating to a data breach are also high. According to Ponemon’s research, the average time to contain a cyber-attack is 31 days, with an average cost of $639,462 during that period.
In the face of these threats, traditional defenses based on monitoring are inadequate. Organizations must instead use advanced techniques to identify threats and place them in the proper context. The Leapfrog organizations provide examples of practices that can help improve security effectiveness; equally important, many of these measures can be implemented relatively quickly.
The first and most important step, in our view, is to align the security strategy with the organization’s business goals. The strategy should be articulated by top management and communicated to all employees. Everyone should be held accountable for protecting the organization’s vital information.
The other key factor in increasing security effectiveness might best be described as a willingness to explore new ideas. These might be innovative solutions—using big data analytics and shared threat intelligence, for example, to detect and prevent cyber-attacks—or they might be new ways of organizing the security effort.
Cyber-predators are remarkably nimble, flexible and willing to try new approaches to breach corporate defenses. To keep ahead of these criminals, companies need to be even more adaptive and agile. It is a considerable challenge, but one that must be confronted in the current high-risk environment.
Ryan LaSalle is Accenture’s global managing director for Growth & Strategy, Security Services. In that role, he directs offering and innovation strategy, the practice people and talent agenda, and industrialization and global delivery strategy to improve clients’ security effectiveness. LaSalle recently served as the managing director of the Cyber Lab, part of Accenture’s cross-industry R&D Technology Labs.