The Cyber Security Leap: From Laggard to Leader April 2015


Copyright © 2015 Accenture All rights reserved.

How do some organizations achieve better security performance?

We compared organizations that were able to “leapfrog” their security effectiveness against others that remained static.

Defining a Leapfrog organization

Key findings

Implications

About the research


Security effectiveness can be notably improved over a short period of time, by applying lessons learned from three priority areas:

Strategy, Technology, Governance


Leapfrog organizations improved their security effectiveness an average of 53% over two years.

Success characteristics can be summarized across three areas: Strategy, Technology, Governance

• Security is a business priority aligned with the enterprise’s goals
• Focus on innovation
• Outsourcing is a component of the security program
• Respond proactively to major changes to the threat landscape
• Open communications with CEOs and corporate boards
• Establish dedicated security budgets that have steadily increased
• Chief Information Security Officer (CISO) has authority to define and manage the security strategy
• Deploy enterprise risk management procedures
• Embrace new and disruptive security technologies as part of the strategy

Research and analysis conducted by Accenture in collaboration with the Ponemon Institute, LLC.

All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader,” 2015.


Suggestions for developing or improving your security strategy:

• Establish a security strategy that encourages innovation, has dedicated budget and programs, a strong ecosystem and a clear vision for how innovation gets on-boarded into production
• Develop the ability to adapt quickly and proactively to the changing threat landscape
• Help the organization embrace digital disruption
• Align security and organizational priorities
• Treat security as a business priority


Suggested areas for technology focus:

• Seek out technology and capabilities that enhance the user experience and productivity
• Balance prevention, detection and response better—lessen the focus on prevention
• Better exploit data within the organization to gain an advantage in detection and response times—move toward security intelligence


Governance measures to improve performance:

• Foster a working relationship between CISO and the board to take effective action; educate and collaborate to articulate and prioritize business risk
• Use benchmarks and metrics to continually assess the strategy and evolve the organization’s posture
• Outsource security operations as appropriate for best use of available expert resources
• Eliminate fire-fighting and use resources effectively


For more information, visit:

accenture.com/cybersecurity


Organizations with static security effectiveness demonstrated different characteristics.

• Operate security under a veil of stealth, secrecy and underfunding
• Prioritize external threats
• Focus on prevention rather than quick detection or containment
• Drive security investments by compliance with regulations and policies
• View security as diminishing employee productivity
• Believe security budgets are inadequate for meeting the company’s security mission


Leapfrog organizations value innovation as a way to strengthen their security posture.

• Higher value placed on security innovation: 33%
• Higher level of security innovation change in the past two years: 45%
• More security innovation: 20%


Establishing a security strategy as a business priority separates Leapfrog from Static organizations.

[Chart: Leapfrog vs. Static organizations on three measures: security and business objectives aligned; security is priority; security strategy exists. Values shown, in extraction order: 70%, 55%, 69%, 45%, 63%, 40%.]


Security outsourcing is often a component of Leapfrog organization strategies.

Outsourcing core security operations can greatly increase security effectiveness by providing access to advanced technology and expert resources.

[Chart: Leapfrog vs. Static organizations on two measures: has strategy and does not outsource security operations; has strategy and outsources security operations. Values shown, in extraction order: 23%, 15%, 55%, 32%.]


Leapfrog organizations proactively use advanced technologies to secure their network and cloud environments.

Rankings on a 10 point scale (1 = low; 10 = high):

• Secure (encrypt) data stored in cloud environments: Leapfrog 7.18, Static 6.00
• Establish security protocols over big data: Leapfrog 6.33, Static 4.94
• Pinpoints anomalies in network traffic: Leapfrog 8.55, Static 7.45
• Provide advance warning about threats and attackers: Leapfrog 8.27, Static 7.56


Leapfrog organizations focus more on securing network, sensitive data and the cloud while Static organizations focus more on locking things down.

Rankings on a 10 point scale (1 = low; 10 = high):

• Control insecure mobile devices including BYOD: Leapfrog 7.16, Static 7.76
• Limit insecure devices from accessing security systems: Leapfrog 6.03, Static 7.18


Establishing strong governance and controls supports Leapfrog security effectiveness.

Important governance components include dedicated budget, use of benchmarks and metrics, and regular communications with the board of directors.

[Chart: four governance measures: metrics to evaluate security operations; enterprise risk management procedures; regular reporting to the board of directors; benchmark security operations. Values shown, in extraction order: 20%, 26%, 35%, 34%.]


The CISO role in Leapfrog organizations reflects the importance placed on security.

While both types of organizations have a CISO, the level of responsibility is notably different.

• CISO defines security strategy and initiatives: Leapfrog 71%, Static 60%
• CISO directly reports to a senior executive: Leapfrog 71%, Static 58%
• CISO is accountable for budgets or discretionary spending: Leapfrog 65%, Static 55%


Organizations studied represent various industries and sizes across NA, Europe, Middle East and Asia Pacific.

[Chart: Industries represented: Financial services; Public sector; Services; Retail; Energy and utilities; Industrial; Health & pharmaceutical; Consumer; Technology and software; Transportation; Other; Hospitality; Education and research, 1%; Communications, 1%.]

[Chart: Organization size: Less than 1,000; 1,000 to 5,000; 5,001 to 10,000; 10,001 to 25,000; 25,000 to 75,000; More than 75,000.]