
High Performance Security Report 2016 for Energy: Outside the (Black) Box - Protecting Core Operations in Energy

Perception vs. Reality

Energy companies are evolving their cybersecurity strategies, but most companies still view cyberattacks as a "black box."

We recently surveyed 2,000 security executives at large, global enterprises and found that about one in three focused, targeted breach attempts succeeded.

In oil and gas, 60 percent of executives saw cyberattacks as a bit of a "black box."

Still, 75 percent of respondents were “confident” they were doing the right things with their security strategies, and a similar number said security is “completely embedded” in their cultures, with support from the highest-level executives.

Clearly, there’s a disconnect.

Surviving in this increasingly risky environment requires a cybersecurity “re-boot” to embrace an end-to-end approach that recognizes a spectrum of threats across the information technology (IT) and operational technology (OT) environments, minimizes exposure and identifies high-priority assets. In particular, oil and gas businesses must expand their cybersecurity strategies to include operational technology and invest in advanced analytics, incident management programs and ongoing testing focused on protecting core operations. This takes a few fundamental steps.


Oil and gas companies should invest in analytics, cyber incident management and continuous testing to crack the cybersecurity black box.


Define Success

To reframe their cybersecurity perspectives and establish a new definition of success, oil and gas organizations need to understand what is happening on their IT and OT networks.

Start by answering several critical questions:

  • Have we identified all priority business data assets and their locations?
  • Can we defend the company from a motivated adversary?
  • What are the potential ramifications of a successful cyberattack in terms of environmental, health, safety and productivity impact?
  • Do we have the tools and techniques to react and respond to a targeted attack?
  • Do we know what adversaries really want and what we really want to protect?
  • Where should we make our cybersecurity investments based on potential risk?
  • How often do we “practice” our plan to improve our responsiveness?
  • Are we using the data and other outputs from our cybersecurity strategy to improve our program over time?

We believe energy security organizations need to better align their strategies with business imperatives. While many organizations are making progress in compliance and risk management, security programs must continue to improve detection and prevention of more advanced attack scenarios.

Through investments in improved cybersecurity analytics, incident management programs, and testing for OT and IT networks, energy companies can better protect their core operations.


Make security everyone’s job

Organizations should make cybersecurity an organizational mindset—one capable of continually evolving and adapting to changing threats.

To foster a culture of cybersecurity and move closer to a state of digital trust, organizations should emphasize an adaptive, evolutionary approach to addressing all aspects of security on an ongoing basis.

This means investing in education and training for IT and OT staff alike so that they can step out of their comfort zones and collaborate across the organization.

Together, they can help devise security strategies that make sense in both business and operational contexts, while encouraging deeper engagements with enterprise leadership on a day-to-day basis. Doing so requires IT to speak the language of OT, and vice versa.

Reboot your approach

See the results of our global survey for the Energy industry, and learn what must be done.

  1. Define cybersecurity success

    Improve alignment of cybersecurity strategies with business imperatives, and improve ability to detect and prohibit more advanced attacks.

  2. Pressure-test security capabilities

    Engage "white-hat" external hackers for attack simulations to establish a realistic assessment of internal capabilities—across IT and OT environments.

  3. Protect from the inside out

    Prioritize protection of the organization’s key assets (including industrial control systems) and focus on the internal incursions with greatest potential impact.

  4. Keep innovating

    Invest in state-of-the-art programs that enable outmaneuvering adversaries, versus investing more in existing programs.

  5. Make security everyone’s job

    99% of breaches not detected by security team members are found by employees. Prioritize training for all employees, including cross-training for IT and operations personnel.

  6. Lead from the top

    CISOs must materially engage with enterprise leadership and make the case that cybersecurity is a critical priority in protecting company value.


About the research

Accenture’s High Performance Security Report 2016 sought to get an insider’s view into how companies are dealing with cyber threats.

  • 15 countries

    Australia, Brazil, Canada, France, Germany, Ireland, Italy, Japan, Netherlands, Norway, Singapore, Spain, UAE, United Kingdom, United States.

  • 12 industries

    Banking, Capital Markets, Communications, Energy (Oil & Gas), Healthcare (provider & payer), High Technology, Life Sciences, Products, Industrial Equipment, Retail, Utilities.

  • Those surveyed included

    Security, IT and business executives at director level and above; 2,000 executives.

  • Survey objective

    Understand the extent to which companies prioritize security, how comprehensive security plans are, how resilient companies are with regard to security, and the level of spend for security.

  • Survey measures

    Cybersecurity capability, across 7 domains: business alignment, strategic threat context, the extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.


Jim Guinn, II

Global Managing Director, Accenture Security – Energy, Chemicals, Utilities and Mining

Luis Luque

Managing Director, Accenture Security – Global ICS Practice
