The Accenture Security Index
August 20, 2017
August 20, 2017
It is no surprise that security is top of mind today for business leadership and governments worldwide. Over 70 percent of surveyed companies say cybersecurity is a board-level concern that their top executives support both financially and culturally. These same companies also suffered two to three focused attacks that breached security each month; attacks they confirmed could take months or even years to detect.
What exactly does an effective security strategy look like? To define high performance security objectively, Accenture developed The Accenture Security Index, which assesses performance across 33 cybersecurity capabilities, at both the industry and country level, helping business leaders understand the effectiveness of their security measures. Organizations that have a clear picture of where they stand across these capabilities can then take proper measures to substantially reduce cybersecurity threats.
Organizations are competent in only 11 of the 33 cybersecurity capabilities.
At the global level, Accenture research found that, on average, the typical organization reported it was competent or highly competent in only 11 of the 33 cybersecurity capabilities, suggesting significant room for improvement across the board. Only 9 percent managed to achieve competence in more than 25 of the 33 capabilities. Industry-level performance includes a high level of variation. Communications, Banking and High Technology respondents performed with higher levels of competence in 14 to 15 cybersecurity capabilities, compared with Life Sciences companies, which typically exhibited competence in only six capabilities. The country level also exhibits significant variation in performance. United Kingdom tops the list along with France, with higher levels of competence in 15 out of 33 cybersecurity capabilities. In contrast, Spain is at the bottom of the list, with competence in only seven out of 33 capabilities. The United States has higher levels of competence in 12 out of 33 capabilities.
Using a comprehensive model, Accenture assessed performance across 33 cybersecurity capabilities at both the industry and country level. To capture a clear, objective measure of performance, the survey defined specific criteria to characterize three levels of competence: none/ limited, average or high. For example, a rating of no or limited competence when identifying high-value assets and processes in the business means the organization fails to identify key assets and processes consistently. A high score means the company clearly identifies key assets and processes and reviews cyber impact regularly.
The following six recommendations can help to focus the improvement efforts of companies that have used to security index to assess their strengths and weaknesses: