The Cyber Security Leap: From Laggard to Leader

Post on 15-Jan-2017


The Cyber Security Leap: From Laggard to Leader

April 2015

Copyright © 2015 Accenture All rights reserved.

How do some organizations achieve better security performance?

We compared organizations that were able to “leapfrog” their security effectiveness against others that remained static.

• Defining a Leapfrog organization

• Key findings

• Implications

• About the research


Leapfrog organizations improved their security effectiveness an average of 53% over two years

Success characteristics can be summarized across three areas

Research and analysis conducted by Accenture in collaboration with the Ponemon Institute, LLC. All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader,” 2015

• Security is a business priority aligned with the enterprise’s goals

• Focus on innovation

• Outsourcing is a component of the security program

• Respond proactively to major changes to the threat landscape

• Open communications with CEOs and corporate boards

• Establish dedicated security budgets that have steadily increased

• Chief Information Security Officer (CISO) has authority to define and manage the security strategy

• Deploy enterprise risk management procedures

• Embrace new and disruptive security technologies as part of the strategy

Strategy Technology Governance


Organizations with static security effectiveness demonstrated different characteristics

• Operate security under a veil of stealth, secrecy and underfunding

• Prioritize external threats

• Focus on prevention rather than quick detection or containment

• Drive security investments by compliance with regulations and policies

• View security as diminishing employee productivity

• Believe security budgets are inadequate for meeting the company’s security mission


Leapfrog organizations value innovation as a way to strengthen their security posture

• Higher value placed on security innovation: 33%

• Higher level of security innovation change in the past two years: 45%

• More security innovation: 20%


Establishing a security strategy as a business priority separates Leapfrog from Static organizations

[Chart comparing Leapfrog and Static organizations. Categories: Security and business objectives aligned; Security is priority; Security strategy exists. Values as extracted, in page order: 70%, 55%, 69%, 45%, 63%, 40%.]


Security outsourcing is often a component of Leapfrog organization strategies

Outsourcing core security operations can greatly increase security effectiveness by providing access to advanced technology and expert resources.

[Chart comparing Leapfrog and Static organizations. Categories: Has strategy & does not outsource security operations; Has strategy & outsources security operations. Values as extracted, in page order: 23%, 15%, 55%, 32%.]


Leapfrog organizations proactively use advanced technologies to secure their network and cloud environments

(Rankings on a 10 point scale, 1 = low; 10 = high)

• Secure (encrypt) data stored in cloud environments: Leapfrog 7.18, Static 6.00

• Establish security protocols over big data: Leapfrog 6.33, Static 4.94

• Pinpoint anomalies in network traffic: Leapfrog 8.55, Static 7.45

• Provide advance warning about threats and attackers: Leapfrog 8.27, Static 7.56


Leapfrog organizations focus more on securing network, sensitive data and the cloud; Static organizations focus more on locking things down.

(Rankings on a 10 point scale, 1 = low; 10 = high)

• Control insecure mobile devices including BYOD: Leapfrog 7.16, Static 7.76

• Limit insecure devices from accessing security systems: Leapfrog 6.03, Static 7.18


Establishing strong governance and controls supports Leapfrog security effectiveness

Important governance components include dedicated budget, use of benchmarks and metrics and regular communications with board of directors.

[Chart. Categories: Metrics to evaluate security operations; Enterprise risk management procedures; Regular reporting to the board of directors; Benchmark security operations. Values as extracted, in page order: 20%, 26%, 35%, 34%.]


The CISO role in Leapfrog organizations reflects the importance placed on security

While both types of organizations have a CISO, the level of responsibility is notably different.

• CISO defines security strategy and initiatives: Leapfrog 71%, Static 60%

• CISO directly reports to a senior executive: Leapfrog 71%, Static 58%

• CISO is accountable for budgets or discretionary spending: Leapfrog 65%, Static 55%


Security effectiveness can be notably improved over a short period of time, by applying lessons learned from three priority areas

Strategy Technology Governance


Suggestions for developing or improving your security strategy

• Establish a security strategy that encourages innovation, has dedicated budget and programs, a strong eco-system and a clear vision for how innovation gets on-boarded into production.

• Develop the ability to adapt quickly and proactively to the changing threat landscape

• Help the organization embrace digital disruption

• Align security and organizational priorities

• Treat security as a business priority


Suggested areas for technology focus

• Seek out technology and capabilities that enhance the user experience and productivity

• Balance prevention, detection and response better—lessen the focus on prevention

• Better exploit data within the organization to gain an advantage in detection and response times—move toward security intelligence


Governance measures to improve performance

• Foster a working relationship between CISO and the board to take effective action; educate and collaborate to articulate and prioritize business risk

• Use benchmarks and metrics to continually assess the strategy and evolve the organization’s posture

• Outsource security operations as appropriate for best use of available expert resources

• Eliminate fire-fighting and use resources effectively


Organizations studied represent various industries and sizes across NA, Europe, Middle East and Asia Pacific

[Two charts: "Industries represented" and "Organization size".]

Industries represented: Financial services; Public sector; Services; Retail; Energy and utilities; Industrial; Health & pharmaceutical; Consumer; Technology and software; Transportation; Other; Hospitality; Education and research, 1%; Communications, 1%

Organization size: Less than 1,000; 1,000 to 5,000; 5,001 to 10,000; 10,001 to 25,000; 25,000 to 75,000; More than 75,000

Percentages as extracted from both charts, in page order: 16%, 14%, 14%, 10%, 8%, 9%, 6%, 6%, 5%, 5%, 4%, 4%, 9%, 11%, 28%, 24%, 18%, 11%


For more information, visit: accenture.com/cybersecurity
