We live in a world where the line between private life and business is becoming increasingly blurred. Users often don’t differentiate between the personal and the professional in their interactions with mobile devices and cloud services. As a result, traditional security boundaries are also becoming porous. Every device, piece of equipment, or technology you use at work has the potential to become a gateway to the rest of the world—or an attack vector, a way for that outside world to get in.

In this new era, cybersecurity requires a holistic approach: one that addresses people, skills, and technology as well as processes and governance. We must ask ourselves how we can achieve cyber resilience effectively, and how we can do so in ways that actually scale well. What challenges do we face? How must we overcome them? Which approaches are useful and expedient, and which must we leave behind?

<<< Start >>>

<<< End >>>

Understanding the new reality of cybersecurity

In this brave new digital world we’ve built, security threats have become a fact of life. They’re everywhere, lurking for prey. And though it might not always feel like it, that’s a big change from just twenty years ago. The face of cybersecurity has changed—significantly.

In the past, security was always seen as just another service, something the IT department provided. They set the timers on password expiration and regulated the access to digital information, and that was pretty much everything that cybersecurity entailed. Businesses were focused on keeping the bad guys out.

Those days are long gone. Threats have become infinitely more diverse and sophisticated. Security components have multiplied. Technology has evolved in astonishing ways and businesses have grown in size, complexity, and interconnectedness, carried aloft by online innovation. And now, the wolves are always circling.

<<< Start >>>

17%

of companies achieve significantly higher levels of cybersecurity performance compared to the rest.

74%

of companies have an average cybersecurity performance compared to the rest.

 

<<< End >>>

The cyber resilience paradigm: assume something will happen and act accordingly

The sole objective of cybersecurity is no longer to keep the bad guys out but to enable businesses to continue as usual, minimizing damage and continuity risks. Beyond the need for preventative measures like the proverbial lock on the door, threat detection and response are now of the utmost importance.

The field has shifted considerably, businesses need to brace for impact and become resilient. Next to being secure, detection and quick recovery are very much part of the game, to minimize possible impact so breaches do not hinder your ability to do business nor affect your financial position.

Clearly, resilience differs from security. Resilience is about knowing something is going to happen. That is the new paradigm in security, where in the past it was about making sure nothing happens. Over time, it became clear that watertight prevention is no longer a realistic goal. Scaled detection and measured response are.

<<< Start >>>

"Cybersecurity requires a holistic approach: one that addresses people, skills, and technology as well as processes and governance."

<<< End >>>

The bigger picture: your business ecosystem

Resilience is the answer to a multifaceted question. A large part of that complexity is due to operating within an ecosystem: the business itself and all its surroundings. Every business operates in such an ecosystem, with all its extensive networking and branching. Evidently, cybersecurity had to stretch out accordingly so.

As a part of the ecosystem, you can keep an eye on what is close to home, your own business. But you can't fully control what partners, peers, and suppliers you work with do to stay secure. Every organization has to make sure that all links in the chain become resilient and operate under the same security levels. Since every chain is as strong as its weakest link, as a result cooperating on a broad scale should be part of the security measures.

Taking all the right measures is quite a complex story because it depends on what happens and if you fully understand what can happen. Currently, it still takes an organization five to six months on average to discover they have been breached. There are examples of five years even and there are companies that detect breaches within 24 hours. Narrowing that timeframe is quintessential.

<<< Start >>>

<<< End >>>

Let us assume your company takes five months to discover it has been hacked. Maybe because someone emails you about it, or a client calls you saying there is something funny in their data. Then you need to find out what happened and see if something is altered or missing. Imagine someone has been wandering around on your company’s server for five whole months! Normally, you would go back to your log files and look at your backup, but you don’t save that data for as long as that. It’s going to be a real challenge to know how to react to what happened. So, it's crucial to limit that time window.

<<< Start >>>

<<< End >>>

What does taking a holistic approach to security really mean?

Resilience as the new paradigm, cooperation on a global scale, narrowing timeframes for breaches to be discovered. There are so many factors to keep track of to become resilient as an organization. Keeping an eye on all factors to reduce risk, impact, and possible costs along with keeping optimal business performance can be quite a challenge. Obviously, there is no one-size-fits-all solution.

That is why cybersecurity requires a holistic approach addressing technology, people, and skills as well as processes and governance. This is not limited to the classic security mandate but also requires integration with enterprise risk management, strong IT asset management, change management, and incident response as well as the continuous involvement of your front-office employees.

This holistic approach to business resilience is not entirely new. And although leading companies in cybersecurity—the 17 percent of companies researched—proved investing in this approach pays off, it‘s still not common practice.

To become truly resilient, and have a 360 degrees viewpoint on your security measures, focus on these topics to perfectly close your security circle: basic hygiene, the human skill gap, tech implementation, and a businesswise approach.

<<< Start >>>



<<< End >>>

1. Enforce basic hygiene

Surprisingly, many businesses still don’t have their basic security hygiene in order. The essentials in cybersecurity tend to be somewhat overlooked. Before investing in any cybersecurity program, every organization should look at three basic steps necessary to get the best result in guarding their systems: enforcing basic hygiene on your own premises, collaboration within the ecosystem, and continually pressure test beyond a standard annual penetration test.

To be able to make any security program work accordingly, the basics should be tightly fixed. The main ways hackers are still getting in is through the simplest of manners. Possible leaks like unpatched systems, the use of default passwords, very standard security matters that are obvious, yet easily overlooked.

With the before-mentioned growing ecosystem in mind, it is of the utmost importance to collaborate on a broad scale. Collaborate within your ecosystem, your partners, peers, or even governments.

Avoid getting punched in the face
Testing should be a continuous process to really make sure the security protocols are still up and effective. This includes intrusive testing like a periodic pressure test during which the whole system gets breached from within, or a threat hunt, with which the system is scanned to see whether it has already been hacked without detection. Even if this can be quite an intensive procedure, it minimizes risks and keeps a business focused on where and when to take action.

Intrusive and continuous testing can exclude system failure. Or like boxing champion Mike Tyson said: “Everyone thinks they have a plan until they get punched in the mouth”. A business or security officer should avoid that punch by training (testing) regularly.

<<< Start >>>

<<< End >>>

2. Bridge the skill gap

With the broadening scale on which businesses operate and the related growth of security needs, comes the need for more knowledge and skill. A potential shortage of sufficiently trained people is at hand. Automation and smart use of AI can help bridge the initial gap between old and new cybersecurity needs, but ultimately, it's human skills that really makes the difference.

Cybersecurity is no longer a trade of just tech-minded people. To really become resilient, multidisciplinary expertise is required. There is a need for technically trained people, but we also need people with a background in science, risk management, and finance. We need all these disciplines to bridge the imminent skill gap.

<<< Start >>>

<<< End >>>

Wanted: more female security officers

Security has primarily been a male-dominated profession for the last thirty years. Cybersecurity changed and the consensus is there is also a need for different perspectives to really make IT work. Next to a skill gap, the time is ripe for a new way of thinking. We are missing out on the views of the other half of the population, so we need more female security officers.  0 percent of our security team now consists of about 3 females, which is obviously not enough. For that full view, 50 percent would be better.

<<< Start >>>

<<< End >>>

Businesses need to invest in re-skilling experienced people. Not just great thinkers from an IT background, but people who can think out of the box and are interested in security. You do not have to be a technical expert to contribute to the field of security. A part of the holistic resilience solution lies in the combined expertise of security teams. Cybersecurity officers who know IT, but who also understand business and risk.

<<< Start >>>

<<< End >>>

It takes a thief to know one

In 2016, Accenture started working with iDefense, a company that collects data and threat intelligence. Intelligence on the latest virus outbreaks and intel from platforms and forums where hackers are active, to keep up with what is happening at the forefront of cyberworld’s shadow.

The right response—and this takes some courage—is to let them go and try to see if we can find out what they are doing and which information they are after. With that, a CSO can contain it, lock them in and maybe disconnect some of the crown jewels. In this way, we continually learn from that as an organization and take better measures. Organizations with advanced security apply this technique with honey pots, digital bait boxes containing low valued information. This accomplishes two things: it keeps hackers busy and you learn about their movements, so you know what you need to protect.

This also requires a completely different set of security experts. Cybersecurity needs skilled people who think outside the box from a business point of view—a totally different type of professional.

3. Be bold in implementing AI

Skilled people from all trades are not the sole solution. Technology leverages their skills. If you look at a simplified version of a detection problem: there are many potential incidents, numerous breaches, and many random events that are being reported on a daily basis—security offices have got people monitoring these reports.

But the human eye alone cannot see from all that data which events to focus on and how big the threats really are. We need technology to support those people and augment the level of security. In this case, AI would filter the data and weigh the monitored events. Then machine learning can point out breaches more specifically. With this, security officers can focus on what we do best: investigate, think creatively, and connect dots that machines maybe can’t connect.

Implemented correctly, innovative technologies like AI augment the human eye and its judgment.
And automating response is an essential tool in solving problems faster. Measured investments in innovations such as applied intelligence and possible automation help strengthen the people, raising the bars on security threats even further and close part of the current skill gap.

No security officer nor any business will ever be fully infallible, but technological innovation levitates security levels, further minimizes risks, and is therefore of real importance in the whole of business resilience.

DevSecOps

Within your business’ ecosystem, technological investments are essential too. Especially in the SME market, where many companies have several layers of small suppliers often operating in a cloud-based environment. Whereas big companies can at least dictate some standards, smaller companies often do not have that opportunity or the right resources. Within that cloud-based supply chain, the potential risk is imminent.

DevOps are common practice in cloud systems. Meant to keep up speed, agility, and breaking down boundaries between development and operations. But that speed is also making things difficult for working with traditional security approaches. Before anything goes live, it has to be thoroughly tested. That often gets in the way of the process.

Security requirements can actually be built in at the start to trail the process and enable automated testing at the heart of the DevOps cycle. Develop, test continuously on the fly, and deploy. Investing in DevSecOps can secure smaller cloud services as a reliable and integral part of business resilience.

<<< Start >>>

<<< End >>>

4. Keep an eye on the business

Looking closely at security and designing businesses’ security programs, does not stop at putting people in place, implementing technology, and reducing risk. It is connected to the value chain of the business. Data and assets are where the business can be at risk and where threats can be detected. That is a total shift from what security used to be. Traditional IT people are very well skilled, but it is business people who understand value chains in the business. And that is what needs protection.

Keeping an eye on the business and its assets is a large part of becoming resilient: what do we need to protect and what to protect it from. Translating that into measures, technological or process-related—who is allowed to do what—and therefore also people related, is where the key in true business resilience lies.

Doing business is also about taking risks. From a cybersecurity point of view, businesses need to focus on how to stay in a secure shape, how to prevent potential loss, and how to qualify that, more so than putting up defenses and a possible return on investment. Not being prepared as an organization causes vulnerability.

What happens to respected peers or competitors is a crucial part of that. An infrastructure in which information about detected breaches, possible risk, and resources can be shared—without being worried about sensitive data—can contribute largely to cyber resilience, even on a global scale. You need trust.

<<< Start >>>

<<< End >>>

Accenture is a strategic partner of the World Economic Forum's (WEF) Centre of Cybersecurity. An initiative for close cooperation on a global scale. The WEF brings together companies from all over the world and governments from all over the world, regardless of ideology. There is representation from China together with big companies from Saudi Arabia, the United States, Canada, and Europe. Together they address security issues, discuss cybersecurity measures, and look at opportunities to take combined action. Cooperating closely with the World Economic Forum brings security resilience further. 

<<< Start >>>

<<< End >>>

Mindset toward the future

Active support from C-level management is required to embed cybersecurity into the culture of your organization: it is no longer a problem of IT or the security department, everyone in a company and its ecosystem has a role in the security chain. Awareness and know-how are crucial last elements.

Behavioral changes are difficult because one tends to look short term, and that is a psychological challenge in security. Businesses need to progress, so we overestimate benefits and underestimate negatives. For human progress that is a good thing, but not for security. That is why a holistic approach is essential because it covers all dimensions.

Holistic business resilience

Cybersecurity requires a holistic approach, one that not only addresses technology, people, and skills, but processes and governance as well. This vision is not limited to the classic security mandate—it requires integration with enterprise risk management, strong IT asset management, empowered change management, and a robust approach to incident response as well as the continuous involvement of front-office employees.

Some businesses have already succeeded in adopting this holistic cyber resilience posture, and the results are encouraging. A successful implementation enables businesses to detect breaches and stop attacks up to four times faster, while also helping them fix breaches faster and more effectively. In addition, their ability to reduce the impact of breaches and other cybersecurity risks can increase by a factor of two or more

While these numbers are impressive, many businesses have yet to embrace the novel approach to cybersecurity that our rapidly expanding digital world demands. To date, only 17 percent of business leaders have committed to changing their security mandate, investing in new solutions, and updating and upgrading their cybersecurity standards, teams, and infrastructure. It’s more important than ever that the remaining 83 percent seriously considers this approach.

In a threat landscape that is constantly shifting and becoming more diverse, holistic cyber resilience is the only effective way to protect your assets and the continuity of your business.

What can you do to improve your organization’s cyber resilience? Get in touch with us to find out.

Michael Teichmann

Managing Director – Security Services for energy, chemicals, natural resources, and utility industries.

Subscription Center
Subscribe to Accenture Insights Subscribe to Accenture Insights