By Ryan LaSalle
As the cyber-threat environment evolves rapidly—with new threats emerging all the time—cyber-security has rocketed to the top of the list of concerns that keep C-suite executives and board members up at night. Shareholders, the media, customers, regulators and others share these concerns in light of the increasing pace and scale of attacks.
Almost all companies are aware of cyber-threats and have taken various steps to prevent and/or mitigate losses from security breaches. We have found, however, significant differences between companies that have been successful in making major improvements to their security effectiveness (“Leapfrogs”) and those that have not made such improvements (“Statics”).
To identify the characteristics of companies making real progress in cyber-security, we worked with the Ponemon Institute LLC to study 247 organizations. Using Ponemon’s Security Effectiveness Score (SES), which rates 48 security features or practices, we identified 110 Leapfrogs that had experienced at least a 25 percent increase in their SES over a two-year period. The average increase for those companies was 53 percent.
We also identified 137 Static companies that had experienced no more than a 5 percent net change in their SES over a two-year period, with an average change of 2 percent. We also interviewed senior-level IT and IT security practitioners from the 247 companies to determine how these organizations were responding to security requirements and related challenges.
As we conducted our research, some broad principles became evident. For example, companies with effective security strategies align those strategies with overall business objectives and establish accountability for security throughout the organization.
The companies identified as Leapfrogs recognize the need for innovation to keep defenses strong and to keep pace with evolving needs. Leapfrogs use advanced technologies to get ahead of the threat environment. They are also quick to adopt governance measures, such as the use of metrics, benchmarking, risk-management procedures, and ongoing communication with the C-suite and the board of directors.
As we dug more deeply into the differences between Leapfrogs and Statics, six major themes emerged. The first three themes are discussed below, and the last three will be covered in Part 2 of this article.
1. Leapfrogs use both innovation and strategy. Leapfrog companies look ahead and seek out new approaches to emerging problems. They work on next-generation solutions, collaborating with groups such as universities, research and development organizations, venture capital firms or startup companies. These enterprises are much more likely than Statics to emphasize the importance of security innovation in achieving a strong security position.
Leapfrogs are also more likely to have an officially sanctioned security strategy: Seventy percent of Leapfrogs had such a strategy versus 55 percent of Statics. Also, this strategy is more likely to be the main driver for their company’s security program. These companies also display flexibility, with 68 percent of Leapfrogs reporting that they have significantly changed their approach to security management in recent years.
Static companies, in contrast, believe that regulations, rather than strategy, direct the organization’s security requirements. They focus their security efforts on external threats and emphasize prevention rather than detection or containment.
2. Leapfrogs take a proactive approach to the threat landscape. In keeping with their flexibility, Leapfrogs recognize that persistent attacks should change the company’s approach to IT security. Consequently, they adapt their security posture in response to threats.
The biggest changes to security strategy among Leapfrogs were made in response to advanced persistent threats (APTs) and malware. In comparison to Static companies, Leapfrogs made more significant changes in response to phishing, malicious insiders and social engineering.
In addition, they implemented initiatives such as specialized training and awareness activities. These companies also put sophisticated monitoring tools in place to identify suspicious employee behaviors.
3. Leapfrogs see the chief information security officer as a strategic role. Both Leapfrog and Static organizations have CISOs; the differences are in how the CISO’s role is viewed and executed. All of the organizations we studied had CISOs with hiring and firing authority, with responsibility for enforcing security policies, and with authority over budget and investment decisions.
In Leapfrog organizations, however, the CISO is more likely to directly report to a senior executive, to set the security mission by defining strategy and initiatives, and to have a direct channel to the CEO in case of a serious security incident.
For example, the CISO is responsible for defining security strategy and initiatives at 71 percent of Leapfrog companies, but at only 60 percent of Static organizations.
Leapfrogs establish strong relationships among the CISO, the CEO and the board of directors. In Static organizations, that relationship is filtered through several levels of operational management.
These three themes yield valuable insights into how Leapfrog and Static organizations view innovation, strategy and the role of the CISO. In Part 2 of this article, we will look at three additional themes and discuss what they tell us about the development of effective security strategies.
Ryan LaSalle is Accenture’s global managing director for Growth & Strategy, Security Services. In that role, he directs offering and innovation strategy, the practice people and talent agenda, and industrialization and global delivery strategy to improve clients’ security effectiveness. LaSalle recently served as the managing director of the Cyber Lab, part of Accenture’s cross-industry R&D Technology Labs.