What enterprise cyber resilience leaders do better – research

Cyber resilience has become imperative for digital transformation. It is even more so for organizations providing critical services and leveraging advanced technologies in the digitization and digitalization of critical infrastructure.

Whether your organization is active in industrial transformation (Industry 4.0) or relies heavily on digital ecosystems to innovate and meet changing customer needs, cybersecurity alone doesn’t cut it anymore.

Yet, cyber resilience is a complicated matter for organizations with complex hybrid IT systems and always requires a holistic approach. And even for businesses that are less on the leading edge of innovation and transformation, it’s easy to overlook essential elements.

Average time taken to remediate a security breach - cyber resilience leaders versus non-leaders - Accenture Third Annual State of Cyber Resilience Study

A company that serves larger organizations with more complicated ecosystems and IT environments is Accenture. For its Third Annual State of Cyber Resilience study, Accenture surveyed 4,644 security practitioners representing companies with annual revenues of at least US$1 billion in 16 countries. In other words: pretty large enterprises.

Among these organizations, Accenture Research detected a group of cyber resilience leaders that do significantly better than the others, the ‘non-leaders’ (not the same as laggards, as the company emphasizes).

Introducing cyber resilience leaders – per Accenture Security

What makes an organization a ‘leader’ in cyber resilience? Given the many cyber risks and dozens, if not hundreds, of factors that determine how fast an organization’s core IT systems and applications are up and running again after a cyber-attack, that seems like a tough question.

Moreover, it’s not just about recovering, of course. In the cyber resilience framework, there’s also identification, protection, detection, and response. Yet, there indeed seems to be a group of companies that stand out in terms of cybersecurity and those identification, protection, detection, response, and recovery stages to ensure optimal business continuity with cyber resilience.

This group of elite “leaders” consists of 17 percent of the research sample. The organizations in the group achieve significantly better results from their cybersecurity technology investments, Accenture says. And these ‘leaders,’ in general, seem to focus on a few core elements more than the others. Let’s take a look.

Do note that cyber resilience isn’t just a matter of large organizations. One might remember that the Ponemon Institute ‘Cost of a Data Breach’ report shows to what degree small and midsize organizations can be severely crippled by cyber-attacks, data breaches, ransomware, and the costs of all these and other cyber incidents as well.

Yet, back to the large enterprises. For Accenture, leaders in cyber resilience are characterized as among the highest performers in at least three out of four categories. These four categories are:

  1. Stopping more cyber attacks,
  2. Finding breaches faster,
  3. Fixing found breaches faster, and
  4. Reducing the impact of a breach.

In other words: all elements that matter in the context of the cyber resilience stages, with the effectiveness of prevention, speed of detection/recovery, and costs and other consequences being essential.

What you can learn from what cyber resilience leaders do more – and better

So, what is it that these cyber resilience leaders do differently than ‘non-leaders’ per Accenture?

Three important elements:

  1. They are over three times as likely to provide required training regarding the proper use of the security tools that users have at their disposal (30 percent of leaders versus 9 percent of the others). As you can see in the SlideShare below, more training is one way for them to drive value from new investments. Others are scaling more and collaborating more.
  2. A more substantial portion of their budgets is allocated to sustaining what they have in place. ‘Non-leaders,’ on the other hand, place significantly more emphasis on piloting and scaling new capabilities, Accenture says. Sustaining what they have includes maintaining existing investments and performing better at the basics.
  3. Last but not least, cyber resilience leaders also invest for operational speed when they do invest in new technologies. In other words: their priority is to move fast and get business back on track, remembering those famous different stages of cyber resilience.

One can see that such practices are quite relevant for smaller organizations as well. As the image below shows, investing for operational speed, driving value from new investments, and sustaining what you have are also the recommendations from Accenture Security for organizations that want to be more like leaders in terms of cybersecurity.

Accenture Security recommends three actionable steps that organizations can take to be more like cyber resilience leaders

What do organizations have to gain when they do act upon these recommendations? That’s where the four categories come in again, whereby the identified elite leaders score significantly better in terms of results from their cybersecurity technology investments than the others.

Some results found by the study:

  • Cyber resilience leaders were nearly three times less likely to have had more than 500,000 customer records exposed through cyberattacks in the last 12 months (only 15 percent of leaders versus 44 percent of the others).
  • Leaders were four times more likely than non-leaders to detect a breach in less than one day (88 percent versus 22 percent).
  • When defenses do fail, 96 percent of the leaders fixed breaches in 15 days or less, on average. Two-thirds of non-leaders needed sixteen days or longer to remediate a breach, and almost half of them even more than a month.

The image above shows the average time to remediate a breach more visually.

Cyber resilience leaders look at the business ecosystem

Another element the study emphasizes is that of ecosystems. Large enterprises – and many others as well – obviously are highly interconnected these days, in all possible senses. The extended enterprise revisited: business ecosystems, complex supply chains, vendor ecosystems, partners, you name it.

The sound old cybersecurity wisdom that it only takes one weakness applies here as one weakness in one weaker link in a vast ecosystem. In other words: to really be a cyber resilience leader or, putting it another way, to keep things from going really bad (and, when they do, to get systems up again fast), looking beyond your own organization is essential.

As the infographic below shows (a big PDF version here), the progress found in the study (for instance, the improvement of the basics of cybersecurity) masks a hidden threat since 40 percent of security breaches are indirect attacks that target weak links in the supply chain. And this, while cybersecurity programs designed to protect data and other vital assets are only actively protecting about 60 percent of an organization’s business ecosystem, which includes vendors and other business partners.

Accenture 3rd Annual State of Cyber Resilience Infographic

Quite a few organizations do want to know about the cybersecurity and cyber resilience approaches of not just vendors, but of all the partners they work with.

This undoubtedly is also strengthened by the complex exercises organizations needed to do with the introduction of the General Data Protection Regulation, looking closely at the data controllers and data processors they work with, for instance.

Then there’s the increasing awareness that cyber resilience really does matter, and that data breaches and ransomware attacks indeed are expensive. And, well, most organizations do realize that in some more ‘novel’ technology fields, there’s still quite some work to do before one can more or less leverage them for exciting applications. The Internet of Things does come to mind, as does security in industrial environments.

These aren’t the only elements. Add impatient customers, the growing role of ‘digital’ in business, the fact that data has great value, and even increasing calls for organizations to be more transparent about their cyber resilience (like reporting on environmental, social, and corporate governance, though that’s easier said than done).

For vendors and other partners in the ecosystems of large enterprises, the pressure is on. At least if more of the latter want to gain that ‘cyber resilience leader’ status. And then you could have a nice little cascade effect that perhaps elevates the level of cybersecurity and cyber resilience a bit everywhere. In the end, the key elements are relatively obvious.

Perhaps, just perhaps, it might help in tackling one of the other challenges you no doubt already saw in the infographic: the fact that costs are rising at unsustainable levels.

More wisdom and data in the SlideShare below, on this Accenture page with ‘lessons from leaders to master cybersecurity execution,’ and of course in the full report which you can download in PDF here.

All pictures are courtesy and property of Accenture and serve illustration purposes.