How to make your organization a Cyber Champion
December 16, 2021
Cybersecurity is not getting easier. In our latest State of Cybersecurity Resilience survey, 4,744 information security executives shared their approaches to cyber resilience, and the majority (81%) said staying ahead of attackers “is a constant battle and the cost is unsustainable.” This issue has only gotten more challenging after almost two years of remote work and a 32 percent increase over 2020 in successful cyberattacks.
As a custodian of the business, you’re already working with the rest of your board to balance cybersecurity demands with business strategy. Through our research, we discovered what makes organizations “cyber champions”—those that experience the fewest significant attacks, have a speedier response to detection and remediation, are better able to protect themselves from loss of data, and who work to align cybersecurity with the business strategy. These organizations, which represent 5 percent of the survey sample, excel at striking the right balance between cyber resilience and achieving business outcomes, a vital task that should be driven by the CEO and supported by the board.
Based on our findings, boards can encourage their organizations to become cyber champions by doing three key things differently:
First, invite the chief information security officer (CISO) to sit at the table. Seventy percent of cyber champion organizations have CISOs that report to the CEO and board. Importantly, they also demonstrate a close relationship with the chief financial officer (CFO)—cyber champion CISOs report to the CFO on cybersecurity seven times more often than other respondents. These organizations’ CISOs also get up close and personal with the CEO and chief financial officer to develop the cybersecurity strategy.
Cyber champions’ CISOs also have more autonomy when it comes to cybersecurity budgeting—not many require the CEO and board to authorize it (Also of note: among all respondents, the percentage of boards authorizing cybersecurity budgets increased from 8 percent in 2020 to 14 percent this year).
More CISOs are reporting to the board—growing from 19 percent in 2020 to 23 percent in 2021. Even if your CISO is already reporting to the board, though, you can also encourage them to move away from security-focused silos and draw on the experience of your larger leadership team to serve the whole business well.
<<< Start >>>
<<< End >>>
Second, be threat-centric and business-aligned. Keeping attackers out of your environment relies on security leaders partnering closely with the business to reduce risk. This helps to embed security into your business priorities.
By measuring and monitoring risk profiles—as 90 percent of cyber champions do annually—and making that data available to leadership, CISOs can be in lockstep with the board and better line up with the business, according to 88 percent of our security respondents.
As a board member, you’re in the best position to influence the organization to become a cyber champion. You have visibility into everything and can act as the mediator between the business and the CISO. This is a pivotal moment for boards and the C-suite for the rest of the business, especially CISOs, to see things from your perspective.
Third, get the most out of the secure cloud. Many business leaders still worry about lost or compromised data in the cloud. Recent Accenture research named security and compliance risk as a top pain point in cloud adoption. With an accelerated shift toward using the cloud, it is important that leaders understand its value.
By encouraging CISOs to seize the opportunity to reset their organizations’ security posture earlier and more effectively—like our cyber champions do—the C-suite can rest assured that its overarching strategy won’t come unstuck further down the line or result in having to do costly work all over again.
A CISO from a multinational mining, metals, and petroleum company interviewed by Accenture separately said, “So much depends on whether an organization sees security as an enabler, rather than just [something] defending [against] bad outcomes.”
Cyber champions know that all too well. That’s why they align closely with the business and step out of the ordinary into the domain of the cyber resilient.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.