Gauging Cybersecurity Resiliency and Why It Matters

Early this month, Accenture released the results of its annual State of Cyber Resilience study, which asked more than 4,700 questions from executives about the effectiveness of their organizations in stopping cyber attacks. It is no secret that the pace of cybercrime is on the rise along with the development behind such digital hacks. There have even been state-sponsored attacks that have damaged sensitive infrastructure.

Resilience (as defined by the survey) is a measure of the ability to survive and thrive while exposed to a cyber attack, says Ryan LaSalle, senior managing director and leader of Accenture Security in North America. “Can you achieve your business mission? Can you support your customers? Your stakeholders?” he asked. “Can you fulfill your mission while living in a contested environment?”

The survey covered the full spectrum of attack types, from data leaks to malicious actors gaining unauthorized access to equipment, or destructive ransomware that can encrypt or delete entire computing environments, LaSalle says. “What we looked at was the effect of those attacks. Those effects had dollar values in terms of outages, penalties, and recovery costs.”

An organization’s resilience can be measured by how effectively it prevents such attacks from succeeding, how quickly it detects attacks, how quickly it handles the situation, and how well it can control the impact and ramifications. “Speed of detection and response speed were absolutely essential to high performance,” LaSalle says.

Which cyber defender are you?

The survey ranked respondents based on how they landed on a graph where the “x” and “y” axes represent cyber defense resilience and business strategy alignment:

  • “Business Blockers” have sought to prioritize the resilience of cyber security over an organization’s business strategy even to the point where it is seen as hindering business goals.
  • The “vulnerable” did not have security measures in line with their business strategy and kept security to a minimum.
  • “Cyber risk enthusiasts” focused on business growth and rapid market access for corporate strategy, despite their understanding and acceptance of the risks.
  • “Cyber Champions” sought to strike a balance as they aimed to protect the key assets of the organization while also aligning with the business strategy so that key objectives could still be pursued in a purposeful and reasonable manner.

LaSalle says such a graph was necessary because security teams can have a reputation for being so focused on threat and risk that they don’t understand how the business works. In some organizations, security may overcompensate in order to better align with business strategy. “By far the majority have low security performance and low commercial alignment,” he says, referring to The Vulnerable. “The market still looks mostly like this.”

LaSalle says security spending is up, reaching 15% of IT budgets in 2021 compared to 10% in 2020. How organizations invest in security can determine whether increased spending actually improves performance, he says. “For a lot of people in the ‘vulnerable’ category, their security and technology debt is very high,” he says. “They didn’t keep up historically with [tech] investment; they couldn’t include security in all the software they needed; they are always playing catch-up and they will always be behind the curve.”

In the select group classified as “Cyber Champions,” working with the company was essential, often with a direct line of sight from the organization, says LaSalle. “The business runner, the vice president or head of the business line, they actually had a security responsibility,” he says. “It’s in their culture; it’s in their strategy and they’re doing better because of it.”

Cloud Security Questions

Many organizations are still figuring out how to develop their business strategies securely in the cloud. For about a third of respondents, discussions about security were not part of early planning to take advantage of the cloud, a move that left them racing to catch up. “Since the early days of the cloud journey, security has been the number one reason organizations resist moving to the cloud,” says LaSalle.

The conversation is changing, he says, as organizations show that by making security part of the plan early, it is possible to speed up cloud adoption. “You can get there faster and with more certainty by having security at the table up front and start looking for ways to automate the capabilities that are needed,” LaSalle says.

As senior security officers develop, get better at speaking the language of business and risk, define security program outcomes, and manage security like a business, he says, they begin to earn the trust of the rest of the C-suite. CEOs and board members are also improving their cybersecurity awareness, LaSalle says, to do more than meet CSOs and IT departments halfway. “It’s a system full of linguistic jargon,” he says. “After the board starts asking more questions about security and the organization’s resilience around cyber threats, the board will influence change. They will spark improvement.”
