Only 17% of global organizations are considered cyber resilience “leaders”

New Accenture study says organizations need to think beyond securing just their own enterprises and take better steps to secure their vendor ecosystems.

Only 17% of organizations are performing as “leaders” when it comes to cybersecurity, according to a new report by Accenture Security.

More about cybersecurity

The firm’s third State of Cyber Resilience survey defines leaders as high performers in at least three of four categories: stopping cyber attacks, finding breaches faster, fixing breaches faster, and reducing breach impact.

“The most surprising finding for us was just how much better the leaders in cyber resilience are doing versus the rest of the pack,” observed Ryan LaSalle, North America lead for Accenture Security. “We found that organizations with leading cybersecurity capabilities are nearly four times more effective than other companies at stopping cyber attacks and finding breaches faster.”

While the basics of cybersecurity are improving and most organizations are getting better at preventing direct cyberattacks, LaSalle said, their research shows that attackers have already moved their entry points to weaker targets. These include vendors and other third parties in a company’s supply chain, and indirect attacks against these weak links in the supply chain account for 40% of security breaches, he said.

SEE: Brute force and dictionary attacks: A cheat sheet (free PDF) (TechRepublic)

“For many businesses, this opens new battlegrounds even before an organization has mastered the fight in its own backyard,” LaSalle said. The challenge for CISOs is finding a balance between the right security investments and scaling and sustaining them across the entire business ecosystem, he said.

In fact, 69% of respondents said staying ahead of attackers is a constant battle and the cost is unsustainable, according to the Accenture report.

“But if investments in technology don’t hit the mark when it comes to defending against cyberattacks, C-suite executives are not only jeopardizing their operations and finances but their brands and reputations as well,” LaSalle noted.

Characteristics of cyber resilient leaders vs. non leaders

The key differences between leaders and non-leaders identified in the report:

Leaders focused more of their budget allocations on sustaining what they already have, whereas the non-leaders place significantly more emphasis on piloting and scaling new capabilities.
Leaders were nearly three times less likely to have had more than 500,000 customer records exposed through cyberattacks in the last 12 months (15% vs. 44%).
Leaders were more than three times as likely to provide users of security tools with required training for those tools (30% vs. 9%).

The study also found that more than four in five respondents (83%) believe that organizations need to think beyond securing just their own enterprises and take better steps to secure their vendor ecosystems.

Additionally, while cybersecurity programs designed to protect data and other key assets are only actively protecting about 60% of an organization’s ecosystem (which includes vendors and other business partners), 40% of breaches come through this route, he said

“There’s a deliberate process involved on the path to becoming more cyber resilient in 2020,” LaSalle said. CISOs and other security executives should focus on these main areas to become more cyber resilient:

Invest in speed-enabling technologies. Leaders in the Accenture study focus on technologies that provide the greatest benefit in achieving cybersecurity success. In particular, artificial intelligence and Security Orchestration, Automation, and Response (SOAR) technologies form the backbone of leaders’ investment strategies, he said. Leaders also know which technologies help to achieve a broader level of cybersecurity success by filling gaps in performance.
Drive value from investments. Leaders in our study scale investments more often (over half of security tools tested end up fully deployed across the organization), and as a result, their security teams are more effective and are able to protect more key assets. Leaders also train more, which makes them faster at discovering and fixing breaches and protecting more key assets, and they collaborate more, which helps them to protect more key assets and improve regulatory alignment–increasingly important with the growth in personal privacy legislation and the potential fines this poses.
Maintain existing investments. Leaders proved to focus more of their budget allocations on sustaining what they already have. They perform better at the basics: Only 15% of leaders have had more than 500,000 records exposed in the last year, compared to 44% of non-leaders.

To better keep pace with the leaders in the report, CISOs and security executives should push management to formulate security investment plans that align with company strategy and its value chain, LaSalle said. They should go beyond technological investment and also reevaluate their security training programs and ensure that the company is investing in its people, he advised.

The study polled more than 4,600 enterprise security practitioners globally in companies with revenues of $1 billion or more.