Copyright 2018 - Clinical Commissioning Groups Association

Cybersecurity - the business challenge of our age - Accenture Security

Take any week in any year and you can bet there'll be a report of a cybersecurity breach somewhere.


There's no getting away from it: the more organisations embrace digital technologies and business models, the more tempting targets they make for those who want to profit from or disrupt them. The health sector is no different, as evidenced by the WannaCry attack experienced across the NHS last year.


But the mere fact that they are targets does not explain why so many attacks are successful - and successful they are. In a recent Accenture research report, the organisations we spoke to claimed to suffer two or three successful security breaches every month.


Solving the cybersecurity challenge is one of the most important business challenges of our age - if not the most important. Chief Information Security Officers (CISOs) are, of course, aware of this, and organisations are spending vast sums on beefing up their security defences.


In fact, spending on cybersecurity is predicted to top $1 trillion for the five-year period from 2017 to 2021. So why, despite all this investment, are cybercriminals so successful?


What are we doing wrong and how can this be addressed?

In answering these critical questions, there are two essential problems that are stopping organisations from responding more effectively to the security threat.


The two barriers to better security

The first problem is one of leadership. Despite the fact that some 70% of executives now believe cybersecurity is a boardroom issue, in reality, far too few executives on the ground are actively engaged in the security strategies of their organisations. The real challenge here is for organisations to go beyond CEO and board support to practical engagement.


The second problem involves the CISO: the critical player in any organisation's cyber response. All too often, CISOs simply do not have full control of all elements of their organisation's security capabilities - indeed, in most organisations CISOs are only in direct control of between a third and a half of the security capability. The result is that even when a CISO knows what needs fixing, they often lack the authority and control to make the necessary changes.


A subset of this problem is the proliferation of IT systems in organisations, which is adding unnecessary complexity. We've found that the average CISO has to corral more than 55 different point solutions, most of which are neither integrated nor connected. In effect, they're being asked to plug the cracks in a dam with band aids - and the dam's threatening to burst at any moment.


Building a cyber-committed business

The first step to winning the war against cybercriminals requires organisations to take three key actions:

  1. Put in place cyber-committed CEOs and boards that are engaged with how cybersecurity impacts the business, how it affects risk, and how it creates opportunities
  2. Empower CISOs and give them complete authority over the enterprise security apparatus
  3. Replace piecemeal security tools with a consolidated and holistic solution


Why do we need a consolidated approach?

Looking at the first of these considerations, modern business leadership needs to be 100% committed to their business' cybersecurity strategy. Today's cybersecurity market is highly fragmented, characterised by a wide range of companies offering point solutions to specific security challenges. Organisations are buying more and more of these tools in the mistaken belief that they are improving their security.


Point solutions are great for securing applications at an enterprise level, but they can't protect against all potential threats: they can only ever guard against the threats they were designed to combat.


Ultimately, point solutions offer a piecemeal approach that simply can't cope with the huge number of serious attacks companies now endure. At Accenture, we believe that consolidation holds the answer.


Outcomes-focused, high-performance security

A holistic approach to security strategy requires executives to think differently. Most importantly, executives must start focusing security around business objectives: protecting the business model, for example, or delivering specific health outcomes. Business leaders need to understand higher levels of security performance and what they can do to ensure they've taken the proper steps to secure the organisation. This is a measurable, outcomes-driven approach to high-performance security that will enable organisations to drive growth while protecting the organisation, partner ecosystems and customers.


Defining high-performance security is no easy task. Measuring successful security outcomes, such as a reduction in breaches or fraud, is simple enough, but defining high-performance objectively requires a much broader view of capabilities.


Benchmarking security performance

Measurement is key to this approach. If you want an effective cybersecurity strategy, you need to understand the performance of the security measures you have in place. This isn’t easy - defining high performance objectively requires a broad view of capabilities.


We’ve developed an index which does just that. We assessed performance across 33 cybersecurity capabilities to help benchmark the existing security strategy. 


The range of capabilities we assess is much broader and more business-focused than that of typical audits, and spans seven domains: business alignment; cyber response readiness; strategic threat context; resilience readiness; investment efficiency; governance and leadership; and extended ecosystems.


To ensure we captured a clear and objective measure of performance, we outlined three levels of competence - “no or limited,” “average,” and “high” - and defined what these mean against each of the 33 criteria. To build business confidence and drive secure growth, organisations like yours can use the index to identify areas of poor performance and use that information as the basis of a new approach.


Improving cybersecurity in six steps

When preparing the index, we spoke to 2,000 executives about their current performance and found most could only report levels of confidence in 11 out of the 33 areas we identified. Organisations need to take immediate action to enhance their security strategies. Here are six recommendations for how organisations can go about doing just that:


  1. Define cybersecurity success - First, improve the alignment of the cybersecurity strategy with business goals. This involves reframing cybersecurity perceptions around business impact, using the enabling of patient outcomes as a key metric.
  2. Pressure-test capabilities - Don't just hope for the best: engage in simulations to assess how well capabilities can withstand a sustained and targeted attack, employing the services of "white-hat" hackers if appropriate.
  3. Protect from the inside-out - Prioritise investment in securing the most strategic business assets, the 'crown jewels', where the effect of a security breach would be most harmful. Focus on stopping the internal incursions that really matter.
  4. Keep innovating - Invest in flexible, dynamic programmes that allow continuous innovation and stay ahead of potential hackers.
  5. Involve the whole business - Security should be everyone's job. Prioritise training to ensure staff are aware of threats and can act as a first line of defence. Our own research into cyber security trends found that one in five workers (19 percent) are not sure they would be able to identify a phishing email and this rises to a third on social media (32 percent).
  6. Lead from the top - Ensure that CISOs have a voice in the boardroom and are able to help coordinate a top-down approach to security that highlights its role in protecting corporate value.


Embrace these steps and you will find you are able to better secure the business and position it to thrive, even in the face of today's complex threat landscape.



Content provided by Rick Hemsley, Managing Director at Accenture Security.
