What Is the Current State of Cyber Resilience?
In March 2018 Accenture released a report, 2018 State of Cyber Resilience: Gaining Ground on the Cyber Attacker, which provided an updated perspective on enterprise-level efforts to become more cyber-resilient. The researchers surveyed over 4,600 security decision-makers from companies with revenues of $1 billion or higher, located in 15 countries throughout North and South America, Europe and Asia-Pacific.
To reduce the amount of noise stemming from the barrage of attacks enterprises face on a daily basis, the research focused primarily on organizations’ ability to handle targeted attacks — those threatening high-value assets and processes — as opposed to routine incidents aimed at low-hanging fruit.
Top Management Improves Engagement Around Resilience Efforts
The concept of cyber resilience merges cybersecurity, business continuity and enterprise-level resilience. The primary goal is to detect threats and respond to them quickly to minimize and contain the damage, resume operations and protect the confidentiality, integrity and availability of data against future attacks. Good news: Top management and board directors are finally starting to grasp the urgency of the situation, shifting from a reactive to a proactive mindset.
This shift appears to be partly driven by the realization that cyber-resilient organizations are better positioned to introduce innovations to market without having to backtrack — or suffering from negative news headlines due to security holes or data privacy violations. Other key drivers mentioned in the report include the pursuit of customer trust and the ability to balance innovation with sufficient risk management frameworks.
Breaking Down the State of Cyber Resilience
The report described many positive developments, especially when compared to the previous edition from 2017. For example, 87 percent of focused attacks were prevented in 2018 — meaning only about one in eight attacks made it through cybersecurity defenses — as opposed to just 70 percent in 2017. In line with this improvement, 23 percent of organizations reported they were able to identify between 76 and 100 percent of breach attempts, more than twice the reported figure last year.
Judging by these results, organizations appear to have made significant improvements in their ability to prevent threats and detect successful intrusions. They are also doing so in record time: 89 percent of organizations said they could detect a breach within one month, nearly a threefold improvement over the 2017 rate of 32 percent. Meanwhile, 55 percent of organizations said they were able to detect a breach within a week, compared to 10 percent last year.
While organizations have translated these improvements into increased confidence, the report warned that executives might be falling into the trap of “overactive optimism.” The authors asserted that much more than 40 percent of companies should be investing in “breakthrough technologies” — such as machine learning, user behavior analytics (UBA) and automation — to match the higher percentage of executives who claimed that cybersecurity is firmly embedded into the organizational culture. Furthermore, 71 percent of respondents reported that cyberattacks are still a “bit of a black box” and admitted that they “do not quite know how or when they will affect our organization.”
Finally, the report noted that 66 percent of security executives now report to either the CEO or the board. Top leaders are also becoming more engaged with security budget negotiations: 27 percent of respondents said their budgets were authorized by the board (compared to 11 percent in 2017), while 32 percent of budgets fall under the CEO’s authority (versus 22 percent in 2017).
Business leaders are also allocating a larger slice of the overall IT budgetary pie to security. In fact, the percentage of respondents who reported spending more than 10 percent of their IT budget on security efforts has more than tripled since 2017 (74 percent versus 22 percent).
Five Steps to Improve Cyber Resilience
Much of Accenture’s research revealed good news, but the report also outlined a five-step strategy to help organizations improve their cyber resilience posture:
- Harden and protect core assets: This starts with identifying high-value assets, including mission-critical data, important trade secrets and customer data that may subject the organization to hefty fines if exposed. The report advised companies to “design and execute your overall security program with cyberattacks in mind” while also considering “the people dimension.”
- Test incident response processes regularly: The report specifically called out the need for “coached incident simulation” to help security teams and executives build muscle memory when it comes to remediating threats and minimizing damage.
- Invest in “breakthrough technologies”: This includes automated orchestration and advanced identity and access management (IAM). The report noted some organizations overspend on superfluous security technologies that are not as effective as previously thought.
- Proactively hunt for threats and share intelligence: Organizations must develop strategic, operational and tactical threat intelligence to stay on top of anomalous activity.
- Empower the security leader: Executives should regularly review the role of the chief information security officer (CISO) to ensure he or she has appropriate levels of visibility and support and realign the organizational chart accordingly. As the report noted, companies should “move from individual to shared accountability among senior management and infuse a culture of cyber resilience across the organization.”
Accenture’s report on the state of cyber resilience highlighted the progress many organizations have made in their cyber readiness efforts. However, it also exposed the lack of maturity many companies demonstrate when it comes to measuring the effectiveness of cybersecurity investment decisions — and warned against the false sense of security that can result from “conventional ways to ‘stress-test’ defenses,” such as red on blue exercises.
No matter how much ground security leaders and executives cover in their cyber-resilience journeys, the evolving nature of the threat landscape ensures that there will always be room for improvement.