In brief:

  • Research shows that leadership behavior and sponsorship are vital to any transformational journey, including the one towards cyber resiliency.
  • Leaders should take the initiative to lead from the front and champion cybersecurity behaviors to avoid becoming a victim and inspire others to follow.
  • To become truly cyber resilient, organizations must install the requisite infrastructure and practices throughout their entire operating model—not just in IT.
  • Most of all, leaders must instill a resilient culture—one that makes the organization aware of the cyberthreat landscape and leaves it well-equipped to navigate it, ensuring all stakeholders are protected against nascent threats.

We know that 60 percent of cybersecurity incidents are caused by human factors, with an average cost of $3.92 million per data breach and $4.6 million per cyberattack. Clearly, it's your people that constitute your most important line of defense against cyberthreats. Transforming their behavior is the key to achieving resiliency, and leadership is a critical aspect of building the foundation of your organization’s defense.

As part of our advocacy for European Cybersecurity Month, we're writing a three-part series that examines the pillars of building a cyber-resilient organization. This article is the first in the series.

1) Leadership & culture: the cornerstones of cybersecurity.

2) A future-ready cybersecurity workforce.

3) Adoption of secure behaviors and accountability.

Activating leadership to build a cyber-resilient culture

The last decade saw technology develop at a tremendous pace. While every organization has worked hard to benefit from the new affordances of our progress, each and every one of us is also vulnerable to its dynamic, shape-shifting threat landscape. In less than ten years, over $15 billion in losses have been incurred by businesses around the globe due to cyberattacks exploiting organizational leaders. The natural instinct is to think this only happens to others, but the frequency of these targeted attacks is increasing exponentially, at least doubling every year, making every type and size of business a target—from Ubiquiti Inc. to Snapchat to Mattel.

While organizations focus on cybersecurity as a part of their business, hackers spend all their time scavenging for vulnerabilities and devising new and elaborate points of entry. Businesses have gone from facing cyberattacks every few months to every other week and the speed of these attacks has accelerated from requiring a few hours to a few minutes.

The expanding threat landscape and improved, cheaper technologies are leading to an increase in cyberattacks—the average number of security breaches in the last year grew by 11 percent from 130 to 145. Needless to say, these more sophisticated attacks made the average cost of cybercrime for an organization increase $1.4 million to $13.0 million.

With various appendages of an organization operating from home, the pressure on leaders to integrate these geographically and professionally splintered stakeholders into a cohesive and thorough cyber-resilient culture is increasing daily. Cyberattacks are no longer a matter of 'if' but a question of 'when', and the onus falls on leaders to unite their organization behind the right mentality, approach, and infrastructure. 

11%

The average number of security breaches in the last year grew by 11 percent from 130 to 145.

$13M

In 2019, the average cost of cybercrime for an organization increased $1.4 million to $13.0 million.

As high-value targets, leaders should act first and set a clear example

Hackers expend a lot of effort to compromise business leaders since they have the greatest access to resources. In 2016, Europe’s biggest manufacturer of wires and electrical cables announced a €40 million loss due to one of its financial officers being scammed into transferring funds to the wrong bank account. This is called ‘whale phishing’, the deliberate targeting of high-ranking members in an organization.

Just like in an airplane, a leader must first fasten their own oxygen mask before helping others do the same. This involves—but is not limited to—being aware of the potential threats and equipping yourself with the necessary solutions like multi-factor authentication, hardware authentication devices, safeguarding of your networks, and reporting phishing scams.

Upon securing yourself, you must recognize that your organization’s cybersecurity hinges on the collective shoulders of every employee. It is not enough to simply share your beliefs and thoughts on the matter—you must actively display the appropriate behaviors in relation to cyber threats and empower your employees to do the same. Cybersecurity theater and performative behavior achieve nothing unless employees see leaders practice their sermons.

You must talk the talk and walk the walk, so your employees have footsteps in which to follow. Because, whether or not leaders practice the appropriate behaviors, employees will look to them to set a benchmark.

"You must recognize that your organization’s cybersecurity hinges on the collective shoulders of every employee. Your employees need footsteps in which to follow."

Leverage leadership to build key cybersecurity infrastructure and practices

In addition to teaching your employees how to fish, in that time-honored proverbial sense, your responsibility as a leader is also to provide them with the necessary tools to efficiently perform the task. This is why it is essential to recognize that cybersecurity is not only a matter of strategy but one of governance. It requires thorough auditing of the various departments and levels in your organization to understand what cyber-activity is conducted when and where, by whom, for what purpose, and with what access rights.

With holistic interdepartmental collaboration and a Security Operations Center (SOC) equipped with the knowledge of the threats to your business and industry, the burden of responsibility can be shouldered evenly across the organization; instilling the knowledge, the practices, and the accountability needed to bolster your cyber-resiliency.

Prioritize cyber resiliency as a cultural cornerstone

In the words of Peter Drucker, ‘Culture eats strategy for breakfast’, and in order to avoid becoming the cybercriminals’ next meal, cybersecurity needs to be on the map as a core organizational value. Every culture is a representation of the values it holds dearest and no amount of training can provide your organization with the protection of an objective-based value system.

As a leader and as an organization, you mustn't see cybersecurity as the line of defense against organizational mistakes but as a protection for all your stakeholders’ livelihoods, resources, time, and data. Especially in an increasingly digital space, organizations’ interactions with their customers are increasing and the responsibility of respecting that relationship should be shared by every employee alike.

This can be facilitated by opening a dialogue within the organization so that employees understand that, especially under the existing economic stress from COVID-19, losses incurred from cyberattacks have an adverse effect on every employee, client, the client of a client, and customer. By championing this conversation, leaders can address and eliminate the potential hurdles employees would perceive in practicing more cyber-secure behaviors and increase the salience of the issue in their daily activities. Especially regarding phishing activities, small mistakes are generally the most expensive and cannot be avoided without a mature cybersecurity culture. By embedding cybersecurity as a shared value, employees are more likely to keep it in mind while performing daily tasks.

Available cybersecurity options for leaders

There are several avenues available to leaders in this area. Leaders at pioneering tech companies crack codes as part of their ongoing cybersecurity process, while others at more traditional large companies make it common practice to test their teams’ responses to simulated phishing emails.

Of course, initiatives like these routinely expose gaps in security, which paradoxically might cause leaders to shy away from what they perceive to be a black mark against their performance. While understandable at first glance, such instincts are deeply counterproductive, much in the same way as avoiding doctors for fear of sickness could result in even greater damage to one’s health.

Imagine a cybersecurity culture that grants your organization greater awareness of cyber threats by design and increases your innate ability to anticipate problems. Wouldn’t building such a culture be your first priority on the road toward cyber resiliency?

A leading Resources company established a network of leaders from each business group during a large-scale cybersecurity transformation program. This created accountabilities, a diverse group of champions, and a forum where leaders could celebrate both successes and failures, allowing them to learn precious lessons from past mistakes. In addition, these leaders encouraged their employees to not only report actual incidents but also near misses. This meant that the mindset of resiliency behaviors was constantly reinforced and ensured that valuable insights gained from observing the whole picture would help to better identify future threats.

Other effective tactics include nudging, influencer-based change management, or gamified campaigns to promote safe experimentation with novel security methods. Regardless of which tactics best fit your organization, your leadership must embody the culture so that your employees have someone to emulate.

By championing security as a cultural value, activated leaders can shape the organizational approach across the board, from practicing appropriate behavior to fulfilling their duty to their clients, consumers, and colleagues. And for many businesses, these values are nothing new. Resources and healthcare companies have spent decades consolidating their safety foundation as essential for business, while financial services have been building their walls and vaults from the very beginning.

With more areas of our lives finding second homes online, we need a strong, comprehensive, and properly implemented cybersecurity vision in a broader range of organizations. It will not just do well for your business and your people—it will do good for our entire digital economy.

4x 

Leaders in cyber resilience are 4x better at stopping cyberattacks and 4x better at finding breaches faster than non-leaders. 

If you enjoyed reading about activating leaders, you might like to further your knowledge with the next articles in the coming weeks discussing a future-ready cybersecurity workforce and adoption of secure behaviors and accountability.

The authors wish to give special thanks to Emma Sprogel, Laura Candiani, and Vincent van Dijk who helped a lot in making this article as well as to Helen Schedeler and Maurits van Heusden who initiated this series. They also want to thank Aysegul Budak, Channon Tian, Jasper van Gelderen and Lisa Kuo for their contribution.

Michael Teichmann

Managing Director – Security Services for energy, chemicals, natural resources, and utility industries.


Jan-Joost Oostenbrink

Change & Project Manager – Accenture Strategy & Consulting, Resources industry


Margriet Westerink

Managing Director – Accenture, Talent & Organization, Human Potential, the Netherlands


Bernard Oosterloo

Senior Manager – Accenture Security, Financial Services, the Netherlands
