Continuous Cyber Attacks: Engaging Business Leaders for the New Normal Executive Summary

Continuous Cyber Attacks - Report Summary

Cyber-attacks can rapidly derail an enterprise’s ability to create value, and their frequency, reach and levels of sophistication continue to grow. Leaders unfamiliar with the complexities of cyber defense may fail to recognize the gaps that exist in their digital security strategies. It’s easy to do: regulators and other government bodies compel companies to focus on compliance with specific regulations, drowning out other voices that support dynamic cyber risk management approaches. However, organizations have learned that passing compliance assessments does not equal data security. Likewise, a strategy focused on acquiring the latest security products and add-on applications can quickly drain a security budget, while not appreciably improving the organization’s defensive posture.

While no organization can defend itself from all cyber-attacks, the following three approaches can help bring risk to a manageable level:

1. Actively engage to make the business a better security “customer”

2. Strengthen the partnership between the business and security

3. Continuously exercise organizational defenses

Actively engage to make the business a better security “customer”

A solid cyber defense requires that partnerships are formed among an organization’s business stakeholders, its risk management office and the security team—a relationship that asks every employee to be responsible for security. The detection and elimination of cyber threats drops precipitously if the business stakeholders fail to cooperate fully with the security team. Some typical challenges include:

• Security lacks sufficient top management access: Most companies recognize that digital security is an important agenda item, but in many cases, the Chief Information Security Officer (CISO) does not have top-level access.

• The front lines remain unengaged in security issues: Often, employees do not care enough about security to change their behavior. Articulating the importance of security and doing it in an engaging manner starts at the top.

• Ambiguity regarding who “owns” the systems under attack: Business teams are agile and entrepreneurial, creating new applications and data stores to meet customer demands. Once an attack happens, the security team needs to know who “owns” the compromised system; otherwise, actions will be impeded and the effectiveness of the response reduced.

Strengthen the partnership between the business and security

Leaders can align the business side’s commercial needs and the security team’s cyber defense requirements by forging an effective business and security partnership. Four elements of such a partnership are:

• Keep security on the agenda: If organizations can operate under a concept called ‘presumption of breach,’ acknowledging that a hacker will get into their networks, their perspective and alignment on the right security strategy can become laser focused.

• Recognize the complexity of the challenge: Organizations need to understand the complexity of the systems they are defending and determine where to “set the bar” regarding loss tolerance. Part of the challenge is recognizing the complexity of roles; the organization has revenue goals and other business targets, and the security team has its own set of objectives.

• Work together to identify the organization’s critical data: Risk management often seems overwhelming to organizations because not all risk can be mitigated; however, it becomes very manageable when an organization can pinpoint its most consequential risks in the relevant networks and give them the greatest level of protection.

• Evolve the organizational culture to attract and retain top-tier security talent: The best companies tend to think proactively about talent pools; this involves working with universities to develop key cyber defense recruits and looking for expertise outside of normal channels.

Continuously exercise organizational defenses

Business leaders should also focus on developing organizational defenses in the following ways:

• Relentlessly test defenses: Organizations leading the way in cyber defense train with a third-party “sparring partner” imbued with all of the skills and technologies (but none of the malice) that attackers bring to bear. Consider a boxer: someone who trains exclusively with a static punching bag won’t stand a chance against a real opponent. Likewise, an enterprise focused totally on conventional static defenses will quickly fall prey to today’s increasingly aggressive digital attackers.

• Hunt inside the organization’s defenses: Assume that security is compromised and constantly look for intruders across the entire environment.

• Improve response effectiveness: As the organization spars with an elite security assessment team, working through the same tactics an attacker would use, over time it develops ‘muscle memory.’ Organizations that spar repetitively and consistently work more effectively to minimize an event’s impact.

The intensity and seriousness of current digital attacks make cybercrimes uniquely dangerous for businesses. In this confusing new environment, many leaders wonder what they can do to make their companies more resilient. Once an enterprise takes the pulse of its cyber defense strengths and weaknesses, it should develop 100-day and 365-day plans to build the momentum needed to realize its cyber defense goals.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

Copyright © 2015 Accenture. All rights reserved.

Contributors

Bill Phelps Managing Director, Global Security Services [email protected] Twitter: @waphelps

Ryan LaSalle Managing Director, Security Growth & Strategy Lead [email protected] Twitter: @labsguy

Kevin Richards Managing Director, North America Security Practice [email protected] Twitter: @kevin_richards

Matt Devost Co-founder and CEO of FusionX [email protected] Twitter: @MattDevost

Steve Culp Senior Managing Director, Accenture Finance & Risk Services [email protected] Twitter: @steve_culp

David Smith Senior Managing Director, Talent & Organization [email protected]

DISCLAIMER: This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this document and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.

Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. We disclaim proprietary interest in the marks and names of others.

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 358,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.