
Gauging Cybersecurity Resiliency and Why It Matters

A survey from Accenture shows many organizations have plenty of room for improvement with meshing business strategy with cybersecurity needs.

Early this month, Accenture released results of its annual State of Cyber Resilience study, which asked more than 4,700 executives questions about their organizations’ effectiveness in halting cyberattacks. It is no secret that the frequency of cyber crimes continues to escalate along with the sophistication behind such digital infiltrations. There are even state-sponsored attacks that have compromised sensitive infrastructure.

Ryan LaSalle, senior managing director and Accenture Security’s North America lead, says resiliency (as the survey defines it) is a measure of the ability to survive and thrive while under cyberattack. “Can you fulfill your business mission? Can you support your customers? Your stakeholders?” he asked. “Can you fulfill your mission while living in a contested environment?”

The survey covered a gamut of attack types, from data leaks to malicious actors gaining unauthorized access to equipment, or destructive ransomware that could encrypt or delete entire compute environments, LaSalle says. “What we looked at was the impact of those attacks. And those impacts had dollar values in terms of outages, penalties, and recovery costs.”

Organizations' resiliency could be gauged by how effective they were in preventing such attacks from succeeding, how fast they discovered attacks, how quickly they remediated the situation, and how well they controlled the impact and fallout. “Speed to detection and speed to response were absolutely key elements of high performance,” LaSalle says.

Which Cyber Defender Are You?

The survey categorized respondents based on how they landed on a graph where the X and Y axes represent cyber defense resilience and business strategy alignment:

  • “Business Blockers” sought to prioritize cybersecurity resilience over the organization’s business strategy even to the point of being seen as impeding business objectives.
  • “The Vulnerable” did not have security measures aligned with their business strategy and held security at bare minimum.
  • “Cyber Risk Takers” focused on business growth and speed to market for the sake of the company strategy, though they understood and accepted the risks.
  • “Cyber Champions” pursued a balance where they aimed to protect the organization’s key assets while also aligning with business strategy so key objectives could still be pursued in a meaningful, reasonable fashion.

LaSalle says such graphing was necessary because security teams can have a reputation for being so focused on threat and risk that they do not understand how the business works. In some organizations, security might overcompensate to better align with the business strategy. “By far, the majority have low security performance and low business alignment,” he says, referring to The Vulnerable. “The market still looks like that mostly.”

Security spending is up, LaSalle says, coming in at 15% of IT budgets in 2021 compared with 10% in 2020. How organizations invest in security can determine whether increased spending actually results in improved performance, he says. “For a lot of people in the ‘Vulnerable’ category, their security and technology debt is pretty high,” he says. “They haven’t historically kept up with [tech] investment; they haven’t been able to get security embedded into all the programs they need; they’re always playing catchup and they will always be behind the curve.”

In the select group categorized as “Cyber Champions,” working with the business was essential, often with direct line of sight from the organization, LaSalle says. “The business runners, a VP or a business line president, actually had accountability for security,” he says. “It’s in their culture; it’s in their strategy and they perform better because of it.”

Cloud Security Questions

Numerous enterprises are still trying to figure out how to securely advance their business strategies in the cloud. For about one-third of respondents, discussions on security were not part of the early planning to leverage the cloud, a move that left them racing to catch up. “From the early days of the cloud journey, security was the No. 1 reason organizations resisted moving to the cloud,” LaSalle says.

The conversation is changing, he says, with organizations showing that by making security part of the plan early, it is possible to accelerate cloud adoption. “You can get there faster and more surely by having security at the table in the beginning and starting to look at ways to automate the capabilities that are needed,” LaSalle says.

As chief security officers evolve, getting better at speaking the language of business and risk, quantifying the outcomes of the security program, and managing security like a business, they start to earn the trust of the rest of the C-suite, he says. CEOs and board members are also improving their cybersecurity awareness, LaSalle says, to do more than meet CSOs and the IT departments halfway. “It’s a very jargon-filled discipline,” he says. “Having the board start asking more questions about security and the resiliency of the enterprise around cyber threats, the board will effect change. They’ll provoke getting better.”
