the cyber security leap: from laggard to leader

19
The Cyber Security Leap: From Laggard to Leader April 2015

Upload: accenture-technology

Post on 15-Jul-2015

7.514 views

Category:

Technology


0 download

TRANSCRIPT

Page 1: The Cyber Security Leap: From Laggard to Leader

The Cyber Security Leap:

From Laggard to Leader

April 2015

Page 2: The Cyber Security Leap: From Laggard to Leader

2Copyright © 2015 Accenture All rights reserved. 2Copyright © 2015 Accenture All rights reserved.

How do some organizations achieve better security performance?

We compared organizations that were able to “leapfrog” their

security effectiveness against others that remained static.

Defining a Leapfrog organization

Key findings

Implications

About the research

Page 3: The Cyber Security Leap: From Laggard to Leader

3Copyright © 2015 Accenture All rights reserved. 3Copyright © 2015 Accenture All rights reserved.

Leapfrog organizations improved their security effectiveness an average of 53% over two years

Success characteristics can be summarized across three areas

Research and analysis conducted by Accenture in Collaboration with the Ponemon Institute, LLC.

All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader, 2015

• Security is a business

priority aligned with the

enterprise’s goals

• Focus on innovation

• Outsourcing is a

component of the

security program

• Respond proactively to

major changes to the

threat landscape

• Open communications with

CEOs and corporate boards

• Establish dedicated

security budgets that have

steadily increased

• Chief Information Security

Officer (CISO) has authority

to define and manage the

security strategy

• Deploy enterprise risk

management

procedures

• Embrace new and

disruptive security

technologies as part

of the strategy

Strategy Technology Governance

Page 4: The Cyber Security Leap: From Laggard to Leader

4Copyright © 2015 Accenture All rights reserved. 4Copyright © 2015 Accenture All rights reserved.

Leapfrog organizations improved their security effectiveness an average of 53% over two years

Success characteristics can be summarized across three areas

• Security is a business

priority aligned with the

enterprise’s goals

• Focus on innovation

• Outsourcing is a

component of the

security program

• Respond proactively to

major changes to the

threat landscape

• Open communications with

CEOs and corporate boards

• Establish dedicated

security budgets that have

steadily increased

• Chief Information Security

Officer (CISO) has authority

to define and manage the

security strategy

Strategy Governance

• Deploy enterprise risk

management

procedures

• Embrace new and

disruptive security

technologies as part

of the strategy

Technology

Research and analysis conducted by Accenture in Collaboration with the Ponemon Institute, LLC.

All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader, 2015

Page 5: The Cyber Security Leap: From Laggard to Leader

5Copyright © 2015 Accenture All rights reserved. 5Copyright © 2015 Accenture All rights reserved.

Leapfrog organizations improved their security effectiveness an average of 53% over two years

Success characteristics can be summarized across three areas

• Security is a business

priority aligned with the

enterprise’s goals

• Focus on innovation

• Outsourcing is a

component of the

security program

• Respond proactively to

major changes to the

threat landscape

• Open communications with

CEOs and corporate boards

• Establish dedicated

security budgets that have

steadily increased

• Chief Information Security

Officer (CISO) has authority

to define and manage the

security strategy

• Deploy enterprise risk

management

procedures

• Embrace new and

disruptive security

technologies as part

of the strategy

Strategy Technology Governance

Research and analysis conducted by Accenture in Collaboration with the Ponemon Institute, LLC.

All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader, 2015

Page 6: The Cyber Security Leap: From Laggard to Leader

6Copyright © 2015 Accenture All rights reserved. 6Copyright © 2015 Accenture All rights reserved.

Organizations with static security effectiveness demonstrated different characteristics

• Operate security under a veil of stealth, secrecy and

underfunding

• Prioritize external threats

• Focus on prevention rather than quick detection or containment

• Drive security investments by compliance with regulations and

policies

• View security as diminishing employee productivity

• Believe security budgets are inadequate for meeting the

company’s security mission

Page 7: The Cyber Security Leap: From Laggard to Leader

7Copyright © 2015 Accenture All rights reserved. 7Copyright © 2015 Accenture All rights reserved.

Leapfrog organizations value innovation as a way to strengthen their security posture

Higher value placed on

security innovation

33%

Higher level of security

innovation change in

the past two years

45%

More security

innovation

20%

Page 8: The Cyber Security Leap: From Laggard to Leader

8Copyright © 2015 Accenture All rights reserved. 8Copyright © 2015 Accenture All rights reserved.

Establishing a security strategy as a business priority separates Leapfrog from Static organizations

Security and business objectives aligned

70%

55%

69%

45%

63%

40%

Security is priority

Security strategy exists

LEAPFROG

STATIC

LEAPFROG

STATIC

LEAPFROG

STATIC

Page 9: The Cyber Security Leap: From Laggard to Leader

9Copyright © 2015 Accenture All rights reserved. 9Copyright © 2015 Accenture All rights reserved.

Security outsourcing is often a component of Leapfrog organization strategies

Outsourcing core security operations can greatly increase

security effectiveness by providing access to advanced

technology and expert resources.

Leapfrog Static

Has strategy & does

not outsource

security operations

23%15%

55%

32%

Has strategy &

outsources security

operations

Page 10: The Cyber Security Leap: From Laggard to Leader

10Copyright © 2015 Accenture All rights reserved. 10Copyright © 2015 Accenture All rights reserved.

Leapfrog organizations proactively use advanced technologies to secure their network and cloud environments

LeapfrogStatic (Rankings on a 10 point scale, 1 = low; 10 = high)

Secure (encrypt)

data stored in

cloud environments

7.186.00

Establish security

protocols over

big data

6.334.94

Pinpoints

anomalies in

network traffic

8.557.45

Provide advance

warning about

threats and

attackers

8.277.56

Page 11: The Cyber Security Leap: From Laggard to Leader

11Copyright © 2015 Accenture All rights reserved. 11Copyright © 2015 Accenture All rights reserved.

Leapfrog organizations focus more on securing network, sensitive data and the cloud; Static organizations focus more on locking things down.

Control insecure

mobile devices

including BYOD

7.167.76

Limit insecure

devices from

accessing

security systems

6.037.18

LeapfrogStatic (Rankings on a 10 point scale, 1 = low; 10 = high)

Page 12: The Cyber Security Leap: From Laggard to Leader

12Copyright © 2015 Accenture All rights reserved. 12Copyright © 2015 Accenture All rights reserved.

Establishing strong governance and controls supports Leapfrog security effectiveness

Important governance components include dedicated budget,

use of benchmarks and metrics and regular communications

with board of directors.

Metrics to

evaluate

security

operations

20%

26%

Enterprise risk

management

procedures

35%

Regular

reporting to the

board of

directors

34%

Benchmark

Security

operations

Page 13: The Cyber Security Leap: From Laggard to Leader

13Copyright © 2015 Accenture All rights reserved. 13Copyright © 2015 Accenture All rights reserved.

The CISO role in Leapfrog organizations reflects the importance placed on security

While both types of organizations have a CISO,

the level of responsibility is notably different.

CISO defines

security strategy

and initiatives

Leapfrog 71%

Static 60%

CISO directly

reports to a

senior executive

71%

58%

CISO is accountable

for budgets or

discretionary spending

65%

55%

Page 14: The Cyber Security Leap: From Laggard to Leader

14Copyright © 2015 Accenture All rights reserved. 14Copyright © 2015 Accenture All rights reserved.

Security effectiveness can be notably improved over a short period of time, by applying lessons learned from three priority areas

Strategy Technology Governance

Page 15: The Cyber Security Leap: From Laggard to Leader

15Copyright © 2015 Accenture All rights reserved. 15Copyright © 2015 Accenture All rights reserved.

Suggestions for developing or improving your security strategy

• Establish a security strategy that encourages innovation, has

dedicated budget and programs, a strong eco-system and a clear

vision for how innovation gets on-boarded into production.

• Develop the ability to adapt quickly

and proactively to the changing threat landscape

• Help the organization embrace digital disruption

• Align security and organizational priorities

• Treat security as a business priority

Page 16: The Cyber Security Leap: From Laggard to Leader

16Copyright © 2015 Accenture All rights reserved. 16Copyright © 2015 Accenture All rights reserved.

Suggested areas for technology focus

• Seek out technology and capabilities

that enhance the user experience

and productivity

• Balance prevention, detection and

response better—lessen the focus

on prevention

• Better exploit data within the

organization to gain an advantage in

detection and response times—move

toward security intelligence

Page 17: The Cyber Security Leap: From Laggard to Leader

17Copyright © 2015 Accenture All rights reserved. 17Copyright © 2015 Accenture All rights reserved.

Governance measures to improve performance

• Foster a working relationship between

CISO and the board to take effective

action; educate and collaborate to

articulate and prioritize business risk

• Use benchmarks and metrics to

continually assess the strategy and

evolve the organization’s posture

• Outsource security operations as

appropriate for best use of available

expert resources

• Eliminate fire-fighting and use

resources effectively

Page 18: The Cyber Security Leap: From Laggard to Leader

18Copyright © 2015 Accenture All rights reserved. 18Copyright © 2015 Accenture All rights reserved.

Organizations studied represent various industries and sizes across NA, Europe, Middle East and Asia Pacific

16%

14%

14%

10%8%

9%

6%

6%

5%

5%

4%4% 9%

11%

28%

24%

18%

11%

Less than

1,000

1,000 to

5,000

5,001 to

10,000

10,001 to

25,000

25,000 to

75,000

More than

75,000Financial

services

Industries represented Organization size

Public

sector

Services

RetailEnergy and

utilities

Industrial

Health &

pharmaceutical

Consumer

Technology

and software

Transportation

Other

Hospitality

Education and research, 1%

Communications, 1%

Page 19: The Cyber Security Leap: From Laggard to Leader

19Copyright © 2015 Accenture All rights reserved. 19Copyright © 2015 Accenture All rights reserved.

For more information, visit:

accenture.com/cybersecurity

19Copyright © 2015 Accenture All rights reserved.