RESEARCH REPORT

In brief

  • Successful digital capabilities demand a “security first” culture.
  • Companies have improved cybersecurity capabilities in the past year, but many are unprepared for growing threats.
  • To achieve cyber resilience, organizations need to create change in four areas: leadership and governance, culture, funding, and metrics and monitoring.


Cybersecurity is the bedrock of tomorrow’s intelligent business. If companies are to succeed by using digital capabilities to develop superior customer knowledge, unique insights and proprietary intellectual property—the hallmarks of an intelligent business—they will need a robust cybersecurity strategy to underpin it all.

To bring about the cyber-resilient enterprise, we believe changes are necessary in four areas:

  1. Leadership and governance
  2. Organizational culture
  3. Debates about funding
  4. The way security is measured and monitored

Finding answers

CEOs need to find answers to the following four questions to drive the capabilities that will realize cyber resilience:

Do you understand what is at stake?

CEOs and boards are ramping up their engagement in cybersecurity—to a point where they are assuming accountability for the cyber risks facing the company. But, with security programs only covering 67 percent of the organization on average, most have much more to do—and their relationship with the CISO is a critical component of the right kind of engagement.

Do you put cybersecurity first?

Many companies believe that their cultures already “get it” when it comes to cybersecurity. For example, 83 percent of respondents we surveyed said they have “completely embedded cybersecurity into their cultures.” And yet, 71 percent report that cyberattacks remain “a bit of a black box.” They do not know how or when they will affect the organization. Business leaders need to decide if they are paying lip service to cybersecurity or whether it really is at the front and center of their strategy.

How much is the right amount of funding?

Companies need to be “brilliant at the basics”—that is, investing properly to resolve challenges of any magnitude, whether from intruders who want to target a particular customer, use the infrastructure, or even trumpet a cause, or from attackers after the organization’s “crown jewels,” the data that is most critical to its operations and its differentiation in the market. Funding means not only getting the basics right, but also using innovation to improve cybersecurity and data protection.

Are you measuring your cybersecurity efforts for business resilience?

The metrics used in the past will not help in the future. Being “low, medium, or high” on compliance scores does not say enough about the risk to business resilience. A senior security executive for a bank told us what is needed instead: “We do not present the board project plans on encryption. We present the board with metrics on data protection for our customers. And we don’t have metrics around patching. We have metrics around maintaining the integrity of our production environments.”

ONLY 67% of an organization is covered by its security program on average

ONLY 13% prioritize investing in more cybersecurity training

Becoming a resilient business

The CEOs of big organizations are making a wise pivot to the new—essential for long-term survival. But this pivot brings risks and an increased “attack surface” that could harm the critical digital assets and operations of the business. Bring together sound leadership and the right resources, and the organization’s culture begins to change. A security-first culture will constantly monitor and measure the most business-relevant elements to help the business embrace disruption safely.



About the Author

Kelly Bissell

Senior Global Managing Director – Accenture Security
