Cyber security concerns continue to evolve rapidly, with new threats emerging every day. Cyber actors range widely from individuals, hacktivists and activists to criminal groups, nation states and terrorists. Although each of these cyber threats has its own motives and intentions, they share a common tactic: exploiting trust in a target, whether human or computer.
Globally, Forrester research predicted that at least 60 per cent of organisations would discover a security breach in 2015; the reality was likely much higher. In Australia, corporations and public organisations face unrelenting and growing risks from the internet and the networking of computing systems. In response, according to the latest Threat Report from the Australian Cyber Security Centre (ACSC), organisations must move now to implement cyber security measures to make Australia a harder target.
Learning from the success of government agencies and companies that achieve high levels of security is an important step towards reforming cyber security defence mechanisms. In the private sector, the scale and scope of recent breaches mean cyber security continues to be a primary concern for C-suite executives and board members. According to statistics from The Ponemon Institute, the leading concerns include loss of reputation, brand value and marketplace image. Beyond reputational damage, the financial impact and cost of a cyber security breach can be significant, averaging approximately AUD$900,000 and often taking more than 31 days to contain.
Despite awareness being high and strategies to mitigate cyber security breaches having been widely implemented in the past, the level of preparedness and the resulting success differ drastically between organisations. According to a recent report by Accenture and The Ponemon Institute, there is a clear and significant difference between organisations that have been successful in making major improvements to their security effectiveness (“Leapfrogs”) and organisations that, while addressing cyber security, have not made adequate improvements (“Statics”). Specifically, progressive organisations leapfrogging their way to stronger security have decreased the perceived likelihood of substantial disruptions by 36 per cent over a two-year period. Meanwhile, organisations that have remained static experienced an increase in the likelihood of disruptions of 5 per cent across the same time frame.
To stay ahead in the current high-risk and transformative environment, organisations need to learn from the Leapfrogs and become more adaptive and agile. Importantly, organisations need to be more effective and diligent in addressing security, not only within their technology practices and policies but also across the strategy and governance of the organisation. By examining the differences between Leapfrogs and Statics, key learnings can be implemented to help mitigate cyber security threats and make a tangible difference to an organisation’s security posture.
- Security innovation and strategy
Public sector agencies and private companies successfully leapfrogging away from cyber security threats have sought new approaches to emerging problems through security innovation. In acknowledging and working to address what is to come, Leapfrog organisations are developing next-generation solutions by collaborating with a wide range of groups, such as universities, research and development companies, venture capitalists and start-ups, to shape their technology landscape. This focus is also supported by the implementation of an officially sanctioned security strategy that goes beyond the conventional focus on external threats to include an emphasis on detection and containment.
- Advanced techniques for identification and response
As new security threats continue to emerge and advanced persistent threats (APTs) and malware evolve, Leapfrog organisations are proactive in addressing major changes to the threat landscape. Specialised training programs and awareness activities, as well as monitoring tools, are among the techniques being implemented to identify and respond to the shifting environment. These activities help employees recognise phishing emails and help the organisation identify suspicious employee behaviours.
- The changing role of Chief Information Security Officer (CISO)
Across all organisations, CISOs are traditionally entrusted to enforce security policies and authorise budget and investment decisions. Within Leapfrog organisations, the CISO is more likely to report directly to a senior executive, to set the security mission by defining strategy and initiatives, and to have a direct channel to the CEO in the event of a serious security incident, emphasising the role’s strategic value. In Static organisations, the relationship is filtered through several levels of operational management, muting the true picture of operational risk needed to guide the business.
- Governance practices and controls
Advanced governance practices, ranging from regular reports on the state of security to the deployment of enterprise risk management procedures, are recognised as the defining attributes of Leapfrog internal governance. These organisations are more likely to adopt metrics for evaluating security operations, benchmark security operations against peers or reference groups, and conduct post-mortem reviews of security compromises and data breach incidents. Static organisations should move away from self-reporting processes for compliance violations and one-size-fits-all standard operating procedures (SOPs).
- Network and cloud security
Pinpointing anomalies in network traffic, curtailing unauthorised sharing of sensitive or confidential data, enabling adaptive perimeter controls, and prioritising threats, vulnerabilities and attacks are all pivotal features of security technologies. To make use of these features, Leapfrog organisations across private and public industries are adopting new and disruptive technologies, placing more focus on securing the network and the cloud rather than on individual devices.
When considering an organisation’s security budget, it is important to set aside a dedicated budget managed by the CISO. In line with the increased level of risk over the past few years, Leapfrog organisations have demonstrated a consistent budgetary increase, ensuring adequate funding levels are maintained and constantly evaluated. Moving forward, it is also important to set aside a portion of the security budget dedicated to innovation in information technologies. This allows organisations to stay ahead of threats and make the most of new developments in security technology in real time.
Industry leaders are increasingly confronted with modern cyber security threats. To continue to achieve high performance, organisations should take an active stance and address the evolving threat landscape. With a clear security strategy in place and a focus on innovation, internal governance and accountability, disruptive technologies and investment allocation, the CISO will strengthen the line of defence in this increasingly challenging environment. The difference could be 31 days of lost business at a cost of AUD$900,000.
Jean-Marie Abi-Ghanem is Accenture’s Asia Pacific Security Practice Lead.