COVID-19 and the rapid shift to work from home practices have dramatically escalated boardroom awareness of cybersecurity risk. That’s great, because while hackers look to take advantage of the chaos and disruption of the pandemic, CISOs and CIOs are working to make sure their businesses can stay safely connected.

Fortunately, in many cases, CISOs, CIOs and directors are redefining their roles in corporate value creation and protection along the way. This certainly will pay dividends down the road, as leaders navigate today’s crash course on how quickly cybersecurity risk evolves and how critical it is to be able to anticipate and respond in real-time.

Cybersecurity is now viewed as a strategic value protector, not a cost center

As the percentage of the global economy that runs on digital continues to increase—International Data Corporation (IDC) estimates that 52 percent of global GDP will be driven by digital-transformed enterprises by 2023[1]—the need to protect business value and the digital systems that create it demands that companies continue evolving cybersecurity risk oversight and management.

As the digital stakes rise, so will the digital risks. Many hackers will continue to invest, innovate and work to outmaneuver cybersecurity defenses. Why not? To a large degree, it’s been working.

Solving the challenges with managed security

The rapid growth of managed cybersecurity services is in direct response to these issues and reflects the unique risks that exist in cybersecurity and how difficult they are to manage. There are several key drivers that corporate directors need to be aware of to understand the trend toward managed services.

The managed services value arbitrage

There’s a growing recognition that benchmarking costs for the provision of cybersecurity protection is mostly meaningless, for one simple reason. Cybersecurity isn’t a cost center. It’s insurance.

This means that the cost of cybersecurity is only meaningful in the context of the value that is being protected—which is unique to every company. Corporate boards are much better served by asking, “What’s the value of what we’re trying to protect, and how secure is it for what we’re spending?” as opposed to “What’s our cybersecurity budget?”

Unlike the trend of outsourcing a function or capability to reduce costs, the business decision to protect digital value is being driven by the need for a more effective cybersecurity outcome: It’s about value arbitrage, not cost arbitrage.

Many business leaders are also beginning to understand that cybersecurity can be much more effective and efficient if they work with a strategic partner rather than via internal capabilities.

This is true because of several factors that most businesses cannot control, no matter how hard they try.

A skills shortage that’s driving cybersecurity weakness

The latest data on the global cybersecurity skills gap shows that there will be 3.5 million unfilled cybersecurity jobs by 2021[2]. Research also indicates that the problem is the most acute for mid-market and large enterprises[3].

This makes creating, maintaining and modernizing a highly resilient cybersecurity program in real-time an ongoing challenge – if not impossible.

This is why whether it’s in manufacturing, marketing, tax, legal services, IT, or any other point of a corporate value chain, almost every company works with third-party vendors via outsourcing or managed services. The value is proven: Third parties quickly provide capabilities where organizations can’t or – frankly – prefer not to because they have better places to commit their resources.

Often outsourcing handles relatively lower-level skillsets or competencies, but now, it’s often about working with partners who specialize in cybersecurity. With cybersecurity becoming recognized as value-enhancing, this is no surprise.

Risk is dynamic. Cybersecurity must match its agility.

Hackers are organized, resourceful, patient, creative and fast. They find and hack weakness. It’s all they do.

Thus, when cybersecurity threats are uncovered, they are frequently exploited instantly. Unlike a static business process like help-desk support, the dynamic nature of cyber threats demands real-time, highly effective responses. Anything less is weak, and hackers thrive on weakness and delays. Because of this, cybersecurity defenses need to be as current and agile as the threats they are protecting against.

Every aspect of an effective cybersecurity defense, including people, processes and technology, needs to have the ability to perform in a highly dynamic risk environment. One of the keys to solving these challenges is continual innovation, which, unfortunately, is expensive and time-consuming.  

The value of a collective defense

The threat landscape for every company extends across its business ecosystem and partners. The weakest link in a business system, e.g., a small business partner, can threaten the entire system and larger partners disproportionally. The systemic nature of cyber risk is a challenging risk paradigm to understand and manage. Systemic risk is inherent – an unavoidable aspect of complex business systems that won’t go away. Hackers know this: Cybersecurity threats are often explicitly designed to exploit complex systems. 

Again, putting up a collective defense and having a rapid threat identification capability across a network is a difficult undertaking for a company to do individually. A governing body in the form of a third-party partner who can work effectively across a digital ecosystem is an emerging value driver and a growing necessity for many organizations to manage third-party cybersecurity risk.   

Cybersecurity managed services providers have proven they can fulfill this requirement within a business ecosystem. They also bring leading practices and extended risk identification capabilities across a much broader threat landscape – well beyond what an internal team could ever hope to achieve.

The growing complexity of digital business systems

Understanding and managing systemic risk across complex business systems and ecosystems is also a compounding risk that many organizations are not prepared to handle. Unfortunately, this risk is pervasive, and it can bring catastrophic failure. Many leading providers of managed services understand systemic risk in complex digital business systems and are positioned to address it.   

The ‘cost effectiveness’ equation

As digital business systems support ever-growing amounts of business value, the market for hackers grows. This in turn escalates the cost of providing cybersecurity. Using the insurance metaphor, when the value of what’s being protected goes up, so do the premiums.

Managed cybersecurity service providers can help keep ‘premiums’ down by leveraging their scale and ability to make innovative investments in new and more effective cybersecurity approaches employing artificial intelligence, behavioral analytics, automated remediation and automated threat intelligence that provides the speed and accuracy of the technology with the best thinking of human analysts. This is an extremely strong proposition in terms of controlling spending and providing protection.

Simply put, most organizations cannot match the efficiency, speed, innovation and end-to-end thoroughness of managed cybersecurity. In times of chaos and beyond, a growing number of organizations are finding it’s the right solution at the right time.

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

The reproduction and distribution of this material is forbidden without express written permission from Accenture. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this document. This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

Copyright © 2020 Accenture.

All rights reserved. Accenture and its logo are registered trademarks.

___

[1] https://www.pcmag.com/news/idc-the-digital-first-enterprise-will-be-half-of-the-economy-by-2023-are
[2] https://cybersecurityventures.com/jobs/
[3] https://www.securitymagazine.com/articles/92312-of-cybersecurity-leaders-face-skills-shortage

Robert Kress

Managing Director – Accenture Security, Global Quality and Risk Lead

Subscription Center
Subscribe to Security Blog Subscribe to Security Blog