Companies that tackle cyber security proactively, the so-called Leapfrog companies, are able to attain improved security effectiveness, research by Accenture and Ponemon Institute shows. According to the firms, companies wishing to improve their security effectiveness should learn from the leapfroggers that outperform non-proactive companies on strategy, technology and governance.
Global technology services and management consulting firm Accenture, together with research centre Ponemon Institute*, recently released a new report, titled ‘The Cyber Security Leap: From Laggard to Leader’. For the research, the firm surveyed 237 companies around the globe and, based on the cyber security strategy each employed, divided them into two categories. The ‘Leapfrog’ companies are the ones that focus on security innovation and proactively address potential cyber security threats, while the ‘Static’ companies are the ones that focus more on cyber security threat prevention and compliance.
Accenture’s research shows that the Leapfrog companies, which have a more proactive security stance, saw their security effectiveness score improve by 53% over a two-year period, while non-proactive companies, the Static companies, saw a slight increase of 2%. The areas in which Leapfrog companies are more effective at addressing security than Static ones are strategy, technology and governance.
Leapfrog companies establish proactive security strategies that are aligned with their business objectives and focused on innovation to achieve a strong security posture, while Static companies focus on prevention, and use regulations, not strategy, to drive their security requirements.
Of the Leapfrog companies, 70% have a company-sanctioned security strategy, compared to 55% of Static companies. The divergence is even bigger when it comes to information security, which 69% of Leapfrog companies view as a business priority, compared to 45% of Static companies. To gain access to advanced technology and experienced resources, 62% of Leapfrog companies outsource core security operations, compared to 47% of Static companies.
Leapfrog companies focus on securing their network, sensitive data and the cloud, and deploy technologies that facilitate digital uptake, improve the ability to counter advanced threats, and enhance user experience and productivity. For these companies, the most important features of enabling security technologies are the ability to pinpoint anomalies in network traffic, prioritise threats and provide advance warning.
Static companies, on the other hand, focus on ‘locking things down’, and are apprehensive when it comes to new technologies. For them, what matters most is being able to control devices and prevent insecure devices from accessing the system.
Strong leadership and business alignment, together with the correct governance measures, are needed to ‘leapfrog’ ahead in security effectiveness, Accenture argues. Both Leapfrog and Static companies recognise this and place great importance on the appointment of a Chief Information Security Officer (CISO) with enterprise-wide responsibility.
The importance placed on security by Leapfrog companies is reflected in the role of their CISO, with 71% of Leapfrog CISOs responsible for defining the security strategy and 60% responsible for enforcing the security policies. In addition, the vast majority have a direct communication channel established with the CEO and the board. Also seen as important is the deployment of metrics for the evaluation of security operations. Within Static companies, CISOs do not have the same communication with the board, and less importance is placed on the evaluation of operations. Self-reporting of compliance violations is the one governance practice in which Static companies ‘outscore’ Leapfrog companies, highlighting the difference in security approach.
Commenting on the results, Mike Salvino, Group Chief Executive of Accenture Operations, says: “Our research shows that defending your business is a dynamic, strategic activity. To protect the business, security measures must be both proactive and adaptive, allowing your customers in, but keeping threats at bay.”
Larry Ponemon, CEO of the Ponemon Institute, adds: “Companies looking to increase their security effectiveness can apply lessons learned from the Leapfrog companies to make a significant positive impact on their security. Starting with the C-suite, it’s time to champion and achieve a strong stance on security–effectively communicating with all employees. By holding everyone accountable for achieving security objectives, you will eliminate security silos within your organisation.”
* Ponemon Institute conducts independent research on privacy, data protection and information security policy.