Organizations aren’t doing enough to spread responsibility for cyber security throughout the enterprise, says consulting firm Accenture after looking at the results of a global study.
While 73 per cent of the more than 1,400 C-level executives polled agreed that cyber security staff and activities need to be dispersed and executed throughout all parts of the organization, only 25 per cent of non-CISO executives said business unit leaders are accountable for cyber security today.
“Business leaders have to become resilience leaders,” Ahmed Etman, managing director for Accenture Canada’s security practices, said after looking at the survey results. “Security today is relatively an afterthought. Security has to be included at a very early stage of making most business decisions. The other thing is security needs to be extended as a responsibility to the front line, the people that are running the business, rather than the back office security organization.”
Security also has to be looked at as a business enabler, he added, as a capability that will allow an organization to transform digitally as well as grow business in a secure manner.
The survey questioned 1,460 executives in 16 countries – including 66 from Canada – on whether their security plans address future business needs. Half of the respondents were Chief Information Security Officers or in equivalent roles, while the remaining half were CEOs or other C-suite executives.
Among the results:
- Only half of the respondents said all employees receive cyber security training upon joining the organization and have regular awareness training throughout employment.
- Only 40 per cent of CISOs said establishing or expanding an insider threat program is a high priority.
- Just 40 per cent of CISOs said they always confer with business-unit leaders to understand the business before proposing a security approach.
The nature of business will change in the future, Etman noted, with companies increasingly embracing not only cloud computing but also the Internet of Things, artificial intelligence/machine learning, self-directed systems and robotics. The survey showed that respondents generally agree those technologies will increase cyber risk either moderately or significantly. But the responses also suggest that organizations aren’t prepared right now.
For example, while 74 per cent of respondents said cloud services will raise cyber risk, only 44 per cent said that cloud technology is protected by their cybersecurity strategy. More than 70 per cent of respondents expect sharing data with strategic partners and third parties will raise risk, yet only 39 per cent said that the data exchanged is adequately protected by their current cybersecurity strategy.
At the same time some responses suggest infosec pros are making progress. Etman noted that respondents said they are reducing the rate of successful cyber attacks. “We’re seeing security professionals are winning the war,” he said. “The challenge is this is yesterday’s war. The challenge they have ahead of them is winning the war of the future in an all-intelligent, all-autonomous organization.”
Enterprises need pervasive cyber security resilience to keep up with the digital future where breaches could cripple a business, he said. Security “needs to go into product design, into business processes, needs to become second nature for employees on a daily basis. Companies should update the way they plan and execute cyber security, and embed it at the very early stage of business planning.”
Accenture says organizations should:
1. Make your business leaders Resilience Leaders. Security must be in the room when strategy is being decided and options are being weighed to advise on risk mitigations.
2. Support the security leader as a trusted business enabler. New roles and skills are needed inside the organization to implement pervasive cyber resilience.
3. Make your workforce part of the solution. Companies must make clear that employees are accountable for security.
5. Think beyond your enterprise to your ecosystem. Work with these ecosystem partners to jointly protect their organizations.