Accenture released the results of its State of Cyber Resilience study earlier this month, and the results were disarming, to say the least.
The study asked more than 4,700 executives about their organisation's resiliency against cyber attacks, which, according to Ryan LaSalle, Accenture’s senior managing director, is broken down into several key questions.
“Can you fulfil your business mission? Can you support your customers? Your stakeholders?” he said. “Can you fulfil your mission while living in a contested environment?”
An organisation’s resiliency was measured by Accenture through these questions. They used them to gauge how fast a company could recover from an attack, how quickly they remediated successful attacks, how effective they were in preventing attacks, and how well they managed the fallout of attacks.
A key element they also measured was an organisation's speed in detecting and responding to threats.
This survey comes at a time when the frequency and sophistication of cyber crimes continue to escalate. From state-sponsored attacks that compromise government infrastructure to ransomware attacks on small and large businesses alike, no company is safe from this wave of cyber criminality.
The survey covered a range of attack types, from ransomware to data leaks to phishing-style attacks. LaSalle made clear that in doing this they were specifically looking at “the impact of those attacks. And those impacts had dollar values in terms of outages, penalties, and recovery costs.”
So, what were the results?
Well, instead of just labelling organisations' resiliency ‘bad’ or ‘good’, the survey categorised respondents using a graph. An organisation's position on it depends on its performance on the X axis (cyber defence resilience) and the Y axis (business strategy alignment).
This then placed organisations into four distinct groups:
1. “Business Blockers” sought to prioritise cybersecurity resilience over the organisation’s business strategy, even to the point of being seen as impeding business objectives.
2. “The Vulnerable” did not have security measures aligned with their business strategy. Their security consisted of, according to Accenture, the 'bare minimum'. This group included the majority of participants.
3. “Cyber Risk Takers” focused on business growth and speed to market for the sake of the company strategy, though they understood and accepted the risks.
4. “Cyber Champions” pursued a balance where they aimed to protect the organisation’s key assets while also aligning with business strategy so key objectives could still be pursued in a meaningful, reasonable fashion.
LaSalle has said that this approach was necessary due to the tendency of security teams to overfocus on threat and risk and ignore the business itself.
LaSalle noted that the majority of participants classified as “The Vulnerable” shared several key traits. They all had “low security performance and low business alignment”, he said, concluding that “the market still looks like that mostly.”
“For a lot of people in the ‘Vulnerable’ category, their security and technology debt is pretty high,” he continued. “They haven’t historically kept up with [tech] investment; they haven’t been able to get security embedded into all the programs they need; they’re always playing catchup and they will always be behind the curve.”
In stark contrast, the select group categorised as “Cyber Champions” were not only up to date on their tech investment and overall IT but also had their IT intimately integrated into all aspects of their business, including senior decision making.
“The business runners, a VP or a business line president, actually had accountability for security,” LaSalle said. “It’s in their culture; it’s in their strategy and they perform better because of it.”
LaSalle argues that when chief security officers become better at speaking the language of business and risk, learning to “manage security like a business”, they earn the trust of CEOs and board members, especially in “cyber champion” organisations where everyone is working to improve their cyber security awareness.
“Having the board start to ask more questions about security and the resiliency of the enterprise around cyber threats, the board will effect change. They’ll provoke getting better,” LaSalle advised.
This study highlights the absolute necessity of businesses not only having high-quality, up-to-date IT but also leveraging their IT to further their business goals. It should inspire business owners to truly evaluate the relationship in their organisation between IT and strategy and how it could be improved.
The conclusions and groupings of this study are extremely reminiscent of a recent study Microsoft conducted on the seemingly paradoxical low productivity plaguing London.
In this study, Microsoft and associated experts in the world of business and IT asserted that the root cause of these low levels of productivity, in a time when many are working more than ever before, is organisations' failure to use technology effectively and appropriately to further their business aims.
In this vein, Microsoft classified UK organisations and their preparation for the future based on their “tech intensity”, that is, their ability to use IT in this way. We discuss the results of this study, and how they should influence the ways businesses adopt technology and IT, in our guide to choosing an IT support provider.