Latest thinking
|
|
Perception vs. Reality
Energy companies are evolving their cybersecurity strategies, but most companies still view cyberattacks as a "black box."
We recently surveyed 2,000 security executives at large, global enterprises and found that about one in three focused, targeted breach attempts succeeded.
In oil and gas, 60 percent of executives saw cyberattacks as a bit of a "black box."
Still, 75 percent of respondents were “confident” they were doing the right things with their security strategies, and a similar number said security is “completely embedded” in their cultures, with support from the highest-level executives.
Clearly, there’s a disconnect.
Surviving in this increasingly risky environment requires a cybersecurity “re-boot” to embrace an end-to-end approach that recognizes a spectrum of threats across the information technology (IT) and operational technology (OT) environments, minimizes exposure and identifies high-priority assets. In particular, oil and gas businesses must expand their cybersecurity strategies to include operational technology and invest in advanced analytics, incident management programs and ongoing testing focused on protecting core operations. This takes a few fundamental steps.
Define Success
To reframe their cybersecurity perspectives and establish a new definition of success, oil and gas organizations need to understand what is happening on their IT and OT networks.
Start by answering several critical questions:
- Have we identified all priority business data assets and their locations?
- Can we defend the company from a motivated adversary?
- What are the potential ramifications of a successful cyberattack in terms of environmental, health, safety and productivity?
- Do we have the tools and techniques to react and respond to a targeted attack?
- Do we know what adversaries really want and what we really want to protect?
- Where should we make our cybersecurity investments based on potential risk?
- How often do we “practice” our plan to improve our responsiveness?
- Are we using the data and other outputs from our cybersecurity strategy to improve our program over time?
We believe energy security organizations need to better align their strategies with business imperatives. While many organizations are making progress in compliance and risk management, security programs must continue to improve detection and prevention of more advanced attack scenarios.
Through investments in improved cybersecurity analytics, incident management programs, and testing for OT and IT networks, energy companies can better protect their core operations.
Make security everyone’s job
Organizations should make cybersecurity an organizational mindset—one capable of continually evolving and adapting to changing threats.
To foster a culture of cybersecurity and move closer to a state of digital trust, organizations should emphasize an adaptive, evolutionary approach to addressing all aspects of security on an ongoing basis.
This means investing in education and training for IT and OT staff alike so that they can step out of their comfort zones and collaborate across the organization.
Together, they can help devise security strategies that make sense in both business and operational contexts, while encouraging deeper engagements with enterprise leadership on a day-to-day basis. Doing so requires IT to speak the language of OT, and vice versa.
Reboot your approach
See the results of our global survey for the Energy industry, and learn what must be done.
-
Define cybersecurity success
Improve alignment of cybersecurity strategies with business imperatives, and improve ability to detect and prohibit more advanced attacks.
-
Pressure-test security capabilities
Engage "white-hat" external hackers for attack simulations to establish a realistic assessment of internal capabilities—across IT and OT environments.
-
Protect from the inside out
Prioritize protection of the organization’s key assets (including industrial control systems) and focus on the internal incursions with greatest potential impact.
-
Keep innovating
Invest in state-of-the-art programs that enable outmaneuvering adversaries, versus investing more in existing programs.
-
Make security everyone’s job
99% of breaches not detected by security team members, are found by employees. Prioritize training for all employees, including cross-training for IT and operations personnel.
-
Lead from the top
CISOs must materially engage with enterprise leadership and make the case that cybersecurity is a critical priority in protecting company value.
About the research
Accenture’s High Performance Security Report 2016 sought to get an insider’s view into how companies are dealing with cyber threats
-
15 countries
Australia, Brazil, Canada, France, Germany, Ireland, Italy, Japan, Netherlands, Norway, Singapore, Spain, UAE, United Kingdom, United States.
-
12 industries
Banking, Capital Markets, Communications, Energy (Oil & Gas), Healthcare (provider & payer), High Technology, Life Sciences, Products, Industrial Equipment, Retail, Utilities.
-
Those surveyed included
Security, IT and business executives at director level and above; 2,000 executives.
-
Survey objective
Understand extend to which companies prioritize security, how comprehensive security plans are, how resilient companies are with regard to security, and the level of spend for security.
-
Survey measures
Cybersecurity capability, across 7 domains: business alignment, strategic threat context, the extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.
Authors
Jim Guinn, II
Global Managing Director, Accenture Security – Energy, Chemicals, Utilities and Mining
Get in touch