Building a culture of cyber security
A changing world of cyber threats leads Accenture to evolve and mature its defenses to fortify the company’s security posture
Before 2010, threats of ransomware and malware seldom, if ever, made the news headlines. But as more and more information moved to the cloud and digital technologies expanded, so did the frequency and sophistication of such cyber attacks. This shift prompted organizations and individuals to do more to protect the information they stored and transferred within these infrastructures.
Within Accenture, a small team was tasked with formulating a response, strengthening and expanding our security defenses beyond technical systems, tools and controls by restructuring our security approach to meet Information Security Management System (ISMS) standards. Such standards looked to manage cyber security with a focus on people, processes and technologies, and served to establish the framework to protect Accenture’s global and increasingly mobile workforce.
Further, the team also undertook a formal assessment process in 2011, designed to create a comprehensive Information Security Risk Profile for the company. This move helped identify and prioritize security risks, as well as the actions necessary to prevent and protect against them. These transformative steps led Accenture to formally create the company’s information security organization.
Now with over 50,000 physical and virtual servers operating our business and supporting our clients, the Information Security organization is more than 800 people strong across the globe. The team’s expertise spans technical architecture and security operations, governance and risk management, acquisition integration, threat response and intelligence, compliance and behavior change.
“To protect the data we are entrusted with, our Information Security organization continues to adapt and optimize its risk resilience, addressing current cyber threats while preparing for new issues tomorrow might bring.”
Our Information Security organization was developed around a strategy focused on building a resilient buffer against evolving threats and risks facing Accenture and our clients. This strategy also fosters a mindset within Accenture where everyone takes accountability for putting security first. A further aspect of the strategy is the establishment of several distinct areas and an extensive governance network led by the Chief Information Security Officer.
This network of accountability plays a critical and necessary role in maintaining Accenture’s security posture. The Information Security organization, which operates 24/7/365, can quickly respond to and address attacks, threat intelligence, system patching, vulnerabilities and workstation remediation. With Accenture’s increasing organic and inorganic growth, the areas of assessing acquisition security environments, employee security training and protecting our client data have become even more significant in the day-to-day activity of our organization.
As our Information Security organization has matured, cross-functional teams have been put in place to monitor and provide oversight to the security practices across a wider swath of Accenture’s business. Now, cross-collaborative groups like the Policy & Advisory Committee, Security Steering Committee and Accenture Information Security Leads meet and communicate regularly to ensure good security standings company-wide, or that concerns are raised and escalated promptly.
Given an environment of aggressively growing cyber threats, Accenture’s risk tolerance has changed. In response, the industrialized processes of our Information Security organization continue to prove value, most visibly through the overall culture of shared accountability that has developed across the company. Through our team’s fine-tuned programs and processes, every Accenture employee understands they each play a role in keeping Accenture and its clients secure.
One tangible way this understanding has manifested is in employee participation in the award-winning Information Security Advocates program. This program engages each person in bite-sized, “gamified” security training exercises each quarter. Learning experiences on topics like social engineering, credential theft and working remotely are modified and refreshed regularly as new threat realities are identified. This training—a lot of which is voluntary—has shown that with each completion employees are much less likely to be involved in a security incident. And, on average, 99% of all employees become Information Security Advocates each year.
Another valuable capability from the evolution of Information Security is the ISO-certified Client Data Protection (CDP) program. This program provides Accenture client engagement teams with a standardized approach to managing risk through a set of security processes, controls and metrics. A CDP plan is developed for each client project and provides end-to-end security risk management measures covering physical, application, infrastructure and data security.
A further valuable outcome is detailed reporting. Key security performance indicators (KPIs) from across the business are captured and fed into a comprehensive Security Posture Scorecard (SPS). The contents are used to report out to the highest levels of Accenture leadership weekly, and to the Board of Directors twice a year. The dozen-plus KPIs include measures such as vulnerabilities, out-of-compliance servers, and misconfigured networked devices. In reviewing the SPS, Information Security teams have a very near real-time view of the global security posture. This view gives them the ability to take corrective actions more proactively and plan strategically.
Our Information Security organization’s continuous flexibility through a constant state of change and our ability to reinforce a security mindset across a global workforce demonstrate one Accenture that protects client and Accenture information.
“Protecting our services and data is an absolute top priority and a cornerstone of our client relationships.”
99% of all Accenture people are Information Security Advocates.
~1M workstations, servers, wireless access points and mobile devices secured.
+2K client projects with active CDP plans.
Maintains certification for data-privacy standards.
Awarded, and maintains, the highest Gold-level certification for Accenture-managed cloud infrastructure.
Accenture ranks top among its peers in maintaining a strong defense against threats, as reported by the leading cyber security rating vendors in each risk category.