As cyber attacks continue to proliferate, prioritising where to focus resources to adequately protect your company is a challenge.
Most companies continue to focus a majority of their resources on external security issues. But this external focus can potentially compromise the ability to address high-impact internal threats.
A recent Accenture survey of the banking industry, for example, found 48% of banking respondents indicated internal breaches have the greatest cybersecurity impact, but 52% also say they lack confidence in their organisation’s abilities to monitor internally for breach activities – whether those are careless mistakes, failure to follow proper procedures or the result of malicious intent.
Creating a strong culture of cybersecurity is critical for any company, and that culture needs to extend from the newest hires all the way up to the C-suite.
Training and communications have an important role to play, but culture change is really about changing behaviours. Employees and executives should use digital technologies with a full understanding of what security means to their job and everything that they do. Security is not just an IT problem. It is a company problem, and even a people problem.
Meanwhile, as the cybersecurity issue moves into the boardroom, those heading up security within organisations need to step outside their comfort zones of compliance audits and cyber technology to engage with enterprise leadership on a day-to-day basis.
For security teams, this requires change too, necessitating that they speak the language of business to make their case as a critical pillar in the battle to protect and extend company value.
When it comes to mitigating threats, Accenture recommends developing more holistic capabilities via a two-pronged attack. On the one hand, companies need to do a cybersecurity maturity assessment – a realistic assessment of their capabilities to protect against high-impact threats, both internal and external – and on the other, an attack simulation that pressure-tests company defences.
Each of these activities on its own provides valuable insights into an organisation's security program, but when they are performed in parallel, the assessment results are seen in the context of a successful attack, and it becomes much easier to prioritise and to demonstrate to leadership where funding should be applied.
Making the right investments
In order to stay ahead of potential attackers, companies need to innovate – something that may require redirecting resources to new strategies and programs, rather than investing more in current programs.
Organisations seeking to identify opportunities to invest in cybersecurity innovation should look in particular at seven key domains, as a focus on these domains can improve a company's cybersecurity capabilities and strengthen its resilience to cyber attacks.
1. Business alignment assesses cybersecurity incident scenarios to better understand those that could materially affect the business.
2. Governance and leadership involves focusing on cybersecurity accountability, nurturing a security-minded culture, monitoring cybersecurity performance, developing incentives for employees and creating a cybersecurity chain of command.
3. Strategic threat context drives organisations to explore cybersecurity threats as a means of aligning the security program with the business strategy.
4. Cyber resilience is the company’s ability to deliver operational excellence in the face of disruptive cyber adversaries.
5. Cyber response readiness means having a robust response plan, strong cyber incident communications, tested plans for protection and recovery of key assets, effective cyber incident escalation paths and the ability to obtain solid stakeholder involvement across all business functions.
6. The extended ecosystem should be ready to cooperate during crisis management, develop third-party cybersecurity clauses and agreements, and focus on regulatory compliance.
7. Investment efficiency strives to drive financial understanding concerning investments across cybersecurity domains and the allocation of funding and resources.
While focusing on these areas can improve cybersecurity capabilities and resilience to attacks, it does require continuous and systematic security investments.
Article by Justin Gray, country managing director, Accenture New Zealand.