Accenture Third Annual State of Cyber Resilience Report

THIRD ANNUAL STATE OF CYBER RESILIENCE

INNOVATE FOR CYBER RESILIENCE

LESSONS FROM LEADERS TO MASTER CYBERSECURITY EXECUTION CONTENTS

ABOUT THE AUTHORS ...... 3 WHY LEADERS ARE MORE SUSTAIN WHAT THEY HAVE CYBER RESILIENT ...... 16 Maintain existing investments ...... 38 SECURE INNOVATION ...... 4 Stop more attacks ...... 18 Perform better at the basics ...... 39 AT A GLANCE ...... 5 Find breaches faster ...... 20 Fix breaches faster ...... 22 MASTERING CYBERSECURITY THE STATE OF CYBER RESILIENCE ...... 7 EXECUTION ...... 40 Reduce breach impact ...... 24 WHERE ARE WE NOW? ABOUT THE RESEARCH ...... 41 WHAT MAKES LEADERS SUCCESSFUL ...... 27 Investment in innovation grows ...... 8 Our methodology ...... 43 The basics seem better ...... 9 INVEST FOR OPERATIONAL SPEED Demographics ...... 45 Progress masks hidden threats ...... 10 Prioritize moving fast ...... 28 Reporting structure...... 46 Unsustainable cost increases ...... 12 Choose turbo-charging technologies ....30 Budget authorization ...... 47 Security investments are failing ...... 14 DRIVE VALUE FROM NEW INVESTMENTS Scale more ...... 32 Train more ...... 34 Collaborate more ...... 36

KELLY BISSELL RYAN M. LASALLE PAOLO DAL CIN GLOBAL LEAD – MANAGING DIRECTOR – MANAGING DIRECTOR – ACCENTURE SECURITY ACCENTURE SECURITY ACCENTURE SECURITY

[email protected] [email protected] [email protected]

Kelly leads the Accenture Security business Ryan leads the North America practice for Paolo leads the Europe and Latin America globally. With more than 25 years of security Accenture Security. He is responsible for nurturing practice for Accenture Security. He has 20 years industry experience, Kelly specializes in breach the talented teams that bring transformative of experience leading complex projects for incident response, identity management, privacy solutions to better defend and protect our clients. Accenture clients. He is an expert in security and data protection, secure software development, Over the course of nearly two decades, He has strategy, business resilience, cyber defense and and cyber risk management. His role as the worked with Accenture clients in the commercial, offense, cloud protection, security analytics, threat Accenture Security lead spans strategic consulting, non-profit and public sectors helping them identify intelligence, application security, data protection proactive risk management and digital identity and implement emerging technology solutions and managed security services. He has authored to cyber defense, response and remediation to meet their business needs. Ryan is a Ponemon several articles on security and is a frequent services, and managed security services—across Institute Fellow and is active with the Greater speaker at security events. Paolo taught information all industries. Kelly is also affiliated to OASIS, a Washington Board of Trade. and communication technology (ICT) security at non-profit consortium that drives the development, the Universities of Udine, Modena and Milan. convergence, and adoption of open standards for Twitter: https://twitter.com/Labsguy the global information society. Twitter: https://twitter.com/Paolo_DalCin

Twitter: https://twitter.com/ckellybissell

At first glance, the basics of cybersecurity are distinct groups: the first an elite group—17 What is one key to secure innovation? Leaders improving and cyber resilience is on the rise. Our percent—that achieve significantly higher levels show us that they scale, train and collaborate latest research shows that most organizations are of performance compared to the rest. These more. So, while non-leaders measure their getting better at preventing direct cyberattacks. organizations set the bar for innovation and success by focusing on the destination— But in the shape-shifting world of cybersecurity, achieve high-performing cyber resilience. The improved cyber resilience—the leaders focus attackers have already moved on to indirect second is the group forming the vast majority of on how to get there using warp speed to detect, targets, such as vendors and other third parties our sample—74 percent—who are average mobilize and remediate. in the supply chain. It is a situation that creates performers, but far from being laggards in cyber new battlegrounds even before they have resilience. This second group has lessons to learn In the Accenture Third Annual State of Cyber mastered the fight in their own back yard. At the from our leaders while leaders, too, have further Resilience report we take a deep dive into what same time, cybersecurity cost increases are room for improvement. sets leaders apart. Based on our research among reaching unsustainable levels and, despite the 4,644 executives and backed by our knowledge

hefty price tags, security investments often fail Being innovative in security is different to any and deep industry expertise, our findings aim to to deliver. As a result, many organizations face other aspect of the business. Caution is help organizations innovate securely and build

a tipping point. necessary. After all, a fail fast approach is not an cyber resilience to help grow with confidence. option for security where attack vulnerabilities There is good news for organizations wondering could be catastrophic. Growing investments in In this cybersecurity report, we show how if they will ever move beyond simply gaining innovation illustrate organizations’ commitment organizations are coping with cybersecurity ground on the cyber attacker. Our analysis to prevention and damage limitation. And it is demands since our last analysis and explore reveals there is a group of standout organizations here that leaders excel. By focusing on the what our large sample of non-leaders can do that appear to have cracked the cybersecurity technologies that provide the greatest benefit to master cybersecurity execution and drive code for innovation. Detailed modeling of and sustaining what they have, they are finding innovation success. cybersecurity performance has identified two themselves moving fast and first in the race to cyber resilience.

A group of leading organizations are doing things differently Innovation investment is growing 4x 4x 3x 2x better at stopping better at finding better at fixing better at reducing Cybersecurity attacks breaches faster breaches faster breach impact basics are better

BUT... HOW DO THEY DO IT? There are hidden threats Invest for Drive value Sustain Costs are unsustainable operational from new what they speed investments have Investments are failing

Copyright © 2020 Accenture. All rights reserved. 5 The cyber-resilient business brings What is together the capabilities of cybersecurity, business continuity and enterprise cyber resilience. It applies fluid security strategies to respond quickly to threats, resilience? so it can minimize the damage and continue to operate under attack. As a result, the cyber-resilient business can introduce innovative offerings and business models securely, strengthen customer trust, and grow with confidence.

Investment The basics Progress Unsustainable Security in innovation seem better masks hidden cost increases investments grows (p.8) (p.9) threats (p.10) (p.12) are failing (p.14)

The number of Direct attacks are Indirect attacks Sixty-nine percent Failures lead to leaders spending down 11 percent over against weak links in say staying ahead gaps in protection, more than 20 percent the last year and the supply chain now of attackers is a lower detection of IT budgets on security breaches are account for 40 percent constant battle rates, longer business advanced technology down by 27 percent. of security breaches. and the cost is impact and more investments has unsustainable. customer data loss. doubled in the last three years.

Increasingly, the online world has grown complex The good news is that most organizations, on Figure 1. Percentage of leaders spending more and threatening. Many organizations are finding average, spend 10.9 percent of their IT budgets than 20 percent of their IT budgets on advanced it hard to reconcile the level of their on cybersecurity programs. Leaders spend technology investments cybersecurity innovation investments with the slightly more at 11.2 percent which is insufficient cyber resilience outcomes for their business. to account for their dramatically higher levels of Even worse, choosing the wrong strategy to performance. And their investments in advanced invest in cybersecurity technologies can cost the technologies, such as artificial intelligence, organization far more than wasted cash; it can machine learning or robotic process automation, 82% damage an organization’s brand, reputation, and are rising substantially. Today, 84 percent of future prosperity. organizations spend more than 20 percent of 41% their cybersecurity budgets on tools that use Both C-suite and security professionals should these three technologies as fundamental feel encouraged. Investment in innovation is components. The finding represents a good step increasing and managing the basics appears to up from the 67 percent being spent three years be better. But scratch below the surface and ago. The increase is even more impressive with there are hidden threats. Organizations face respect to the leaders. Three years ago, only 41 unsustainable costs, and security investments percent of leaders were spending more than 20 are often failing for the majority. With low percent of their cybersecurity budgets on detection rates and slow recovery times, it is advanced technologies. Today, that has doubled,

important to find out what the leading to 82 percent (Figure 1). organizations are doing differently to achieve cyber resilience. Now Three years ago

The suggestion that organizations are making precisely recorded. With this in mind, progress in cybersecurity is valid. In fact, more cybersecurity teams across industries and than four out of five respondents agreed that geographies deserve recognition for the DIRECT ATTACKS cybersecurity tools have advanced significantly improved levels of cybersecurity protection over over the past few years and are noticeably the past year. For example, the total number of improving their organization’s cyber resilience. cyberattacks dropped 11 percent, from 232 to 206 targeted attacks. At the same time, we have Improvements in basic security hygiene back up 11% seen a larger drop of 27 percent in the number of

this finding. Being able to accurately assess the security breaches which indicates the basics number of cyberattacks against an organization seem to be improving. On average, organizations depends on the ability of each organization to now face 22 security breaches per year SECURITY BREACHES detect them. On the other hand, security compared with 30 in the previous year. breaches are real events and likely to be more 27%

A closer look at the sources of cyberattacks Figure 2. The danger of indirect attacks reveals 40 percent of security breaches are now indirect, as threat actors target the weak links in the supply chain or business ecosystem (Figure 2). This shift is blurring the true scale of cyberthreats. 280 If we apply the same average number of security 232 breaches to indirect cyberattacks, the total 74 number—both direct and indirect—could jump 206 30 to about 280, a potential increase of 20 percent 22 over the prior year. 40% of security 138 Organizations should look beyond their four walls breaches from to protect their business ecosystems and supply 32 indirect attacks 202 chains as well. On average, cybersecurity 184 programs actively protect only about 60 percent of an organization’s business ecosystem. That is 106 an issue when 40 percent of breaches come via this route. In such an environment, few organizations have the luxury of standing still. Fully 83 percent of our respondents agreed that 2017 2018 2019 ‘Hidden’ attacks via their organizations need to think beyond securing ecosystem their enterprises and take steps to secure their ecosystems to be effective. Security breaches Prevented attacks Indirect attacks

Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 10 As we have seen earlier, as soon as one Given finite security resources, there is Lock the front breach avenue has been foiled, attackers value in a data-driven, business-focused, are quick to find other means. With the tiered-risk approach to secure the and back doors growth in indirect attacks, the spotlight enterprise ecosystem. This may mean falls on protecting third parties and introducing managed services to help other partners. But there are enormous the organization tackle the wider scope challenges in managing third-party and scale. By collaborating more cyber risks. Large volumes of data can broadly with others with the common overwhelm the teams responsible for goal of securing the enterprise and its managing compliance. The complexities ecosystem, organizations can not only of global supply chains, including the play a responsible role in helping their regulatory demands of various regions smaller partners to beat cybercrime, but or countries, add to the strain. In our also they can be sure they are not experience, many CISOs feel that the bolting the front door from attackers sizable number of vendors outstrips their while leaving the back door wide open. capacity to monitor them.

Another threat is cost increases beginning to Figure 3. Cost increases across 17 components of cybersecurity protection over the last two years reach what many respondents consider unsustainable levels. Despite rising investments in new technologies for cybersecurity programs, our research highlights many areas where the Cost increases SECURITY COMPONENTS RANKED BY BIGGEST cybersecurity technologies being purchased up to 25% COST INCREASES by this spending are failing. 1. Network security 11. Vulnerability 2. Threat detection management Looking at a broad range of 17 different 3. Security monitoring 12.OT-related security 60% components of cybersecurity protection, 60 4. Cyber risk management 13.Privileged Access Management percent of respondents reported cost increases 5. Firewalls 14.Staffing (or People) on all 17 components over the last two years. A 6. Threat intelligence 15.Remediation significant number, almost one quarter, reported 7. Application security 16.Governance, Risk, cost increases of more than 25 percent a year 8. End-point detection and Compliance across all 17 components. The three areas of Cost increases and response 17. SIEM and event cybersecurity protection with the largest more than 25% 9. Incident response 23% consoles increases in cost are network security, threat 10.Identity and access detection and security monitoring. Reflecting management these trends, 69 percent of our respondents said staying ahead of attackers is a constant battle and the cost is unsustainable (Figure 3).

Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 12 Cybersecurity is not an easy problem to could perform at the same level as How to help solve for any business. As our research leaders—that is, having the same shows, just when one challenge has been proportion of attacks types and the same reduce the met, another variable appears. But one of time to detect and fix responses as the areas where organizations can make a leaders—our detailed modeling indicates cost of a difference is in reducing cost—both in they could reduce the cost per attack by terms of the cybersecurity protection cost 72 percent (see About the Research, to the business and the wider economic p.44). This is a potential saving of cyberattack impact. In short, they need to be clear US$273,000 per security breach, what is at stake for average performance reducing the average cost to US$107,000. as well as measuring their existing With an average 22 incidents per year, investments. this equates a potential saving of US$6 million per year for non-leaders. Our research found that the current average cost per attack for non-leaders was US$380,000 per incident. If they

More bad news is threatening organizations’ Figure 4. Comparison of failing security investments, leaders vs. non-leaders cyber resilience in several areas and causing security investments to fail. Our research FAILING identifies serious gaps in protection, very low LEADERS (17%) NON-LEADERS (74%) detection rates, much longer business impact INVESTMENTS and customer data being exposed. Yet, our leaders are, once again, proving the exception Gaps in protection 80% of organization is actively protected 55% of organization is actively protected in many of these areas (Figure 4). With only a little more than half of their Low detection organization covered by their cybersecurity 83% of breaches found by security teams 54% of breaches found by security teams programs, non-leaders are at risk of having many rates areas unprotected. This contrasts with leaders who are able to cover 85 percent of their Longer breach 55% say all breaches had an impact 97% say all breaches had an impact organization with their cybersecurity programs. impact lasting more than 24 hours lasting more than 24 hours The difference reflects a substantial gap in protection between the two groups. Customer data 15% had more than 500k records 44% had more than 500k records exposed exposed in the last year exposed in the last year

Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 14 Building cyber resilience takes teamwork. clearly is an area where non-leaders could Employees, third-party suppliers, alliance improve their performance significantly. partners, law enforcement agencies and even competitors all have their parts to play. However, Despite suffering from more frequent attempts the first line of defense in an organization is the to access customer records, only 15 percent of cybersecurity team. On average, our research leaders have had more than 500,000 customer shows the security teams of non-leaders discover records exposed through cyberattacks in the last 54 percent of cybersecurity breaches, while the 12 months. But 44 percent of non-leaders admit security teams of leaders were able to find 83 that more than 500,000 customer records were percent. This level of detection enables leaders exposed across all security breaches in the last to respond quickly and start to fix security year. The result is that 19 percent of non-leaders breaches sooner to reduce overall damage. faced regulatory actions in the last 12 months compared with only 13 percent of leaders. A failure to fully exploit advanced technology Another outcome of this finding is that 19 investments is also having an impact in terms of percent of non-leaders faced financial penalties remediation. More than half of all security compared with only 9 percent of leaders. With breaches (55 percent) for leaders had a business potential fines in excess of US$100 million for impact lasting more than 24 hours. For non- violations of general data protection regulations leaders, the figure was 93 percent. Reducing the (GDPR), regulatory fines may match, or even impact on the organization to less than one day exceed, the overall cost of cybercrime for an is a tough challenge, even for leaders, but this organization.

Stop more Find breaches Fix breaches Reduce breach attacks (p.18) faster (p.20) faster (p.22) impact (p.24) 4x 4x 3x 2x Leaders have nearly Leaders have a fourfold Leaders have nearly Leaders have a twofold a fourfold advantage advantage in detection a threefold advantage advantage in containing in stopping targeted speed. in speed of remediation. damage impact. cyberattacks.

Detailed modeling and statistical analysis of Figure 5. The defining characteristics of leaders in cybersecurity performance cybersecurity performance (see our methodology in “About the research” p.17) has identified a group of leaders that achieve CHARACTERISTICS LEADERS (17%) NON-LEADERS (74%) significantly higher levels of performance compared with the non-leaders. The statistical Stop more analysis revealed that leaders were characterized 1 in 27 attacks breach security 1 in 8 attacks breach security as among the highest performers in at least three attacks of the following four categories: stop more attacks, find breaches faster, fix breaches faster Find breaches 88% detect breaches in less than one day 22% detect breaches in less than one day and reduce breach impact (Figure 5). faster Even the leaders have room for improvement. Our modeling revealed that leaders were among Fix breaches 96% fix breaches in 15 days or less 36% fix breaches in 15 days or less the highest performers in three of the four faster categories. Clearly, they should look to understand any aspect of their approach that Reduce falls outside the highest levels of performance 58% of breaches have no impact 24% of breaches have no impact and aim to improve those areas, just as non- breach impact leaders are required to do.

Calculating the total number of attacks against Figure 6. Average number of security breaches and targeted cyberattacks an organization depends on a number of for leaders and non-leaders factors—not least of which is the ability of security teams to detect them. Against this is the fact that security breaches are real incidents and more likely to be recorded accurately. 239 Keeping this in mind, leaders seem able to Leaders identify a higher number of direct attacks against them—an average of 239 cyberattacks compared with 166 for non-leaders—while having a much 9 higher success rate in defending against them. These organizations see only nine security breaches per year compared with an average of 22 per year for non-leaders (Figure 6). The Non-leaders 166 reduced number of security breaches compared with the total number of cyberattacks means leaders have nearly a fourfold advantage when 22 dealing with security breaches.

Average cyberattacks Average security breaches

Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 18 Leaders TAKE ACTION The performance target for non-leaders is to reduce the number of cyberattacks that have nearly result in a security breach from 1-in-8 to a fourfold 1-in-27 or better. When attempting to reduce the number advantage of security breaches, leaders say they benefit most from using the following three cybersecurity technologies: in stopping Next-Generation Firewall (NGF); Security Orchestration Automation and targeted Response (SOAR) and Privileged Access Management (PAM). See page 26 for more cyberattacks on the specific technologies that benefit leaders.

Time is critical when it comes to detecting a Figure 7. Average time to detect a security breach security breach, and leaders have distinct advantages, with 88 percent able to detect a security breach in less than one day on average (Figure 7). The remaining 12 percent said they 88% were able to detect security breaches in seven days or less.

Only 22 percent of non-leaders can detect 61% security breaches with similar speed, while most (78 percent), take up to seven days or more.

22% 12% 15% 2% 0%

Less than one day 1–7 days 1–4 weeks More than one month

Leaders Non-leaders

Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 20 Leaders have TAKE ACTION The performance target for non-leaders is to reduce the average detection rate for a fourfold a security breach from up to seven days advantage or more to less than one day. When attempting to find security in detection breaches faster, leaders say they benefit most from using the following three cybersecurity technologies: Artificial speed Intelligence (AI), Security Orchestration Automation and Response (SOAR) and Next-Generation Firewall (NGF). See page 26 for more on the specific technologies that benefit leaders.

Maintaining business continuity and rapid Figure 8. Average time taken to remediate a security breach recovery speeds are other important aspects of cybersecurity resilience where leaders have clear advantages. Fully 96 percent of them plug 96% security breaches in 15 days or less on average (Figure 8). This majority response compares with only 36 percent of non-leaders able to remediate security breaches in the same amount of time. This means 64 percent take 16 to 30 days or more to remediate a security breach, on average. 36% 34% 26%

4% 0% 3% 1%

15 days or less 16–30 days 31–60 days 61–90 days More than 90 days

Leaders Non-leaders

Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 22 Leaders TAKE ACTION The performance target for non- leaders is to reduce the average time to have nearly remediate a security breach from up to a a threefold month or more to 15 days or less. Leaders, when finding security breaches advantage faster, say they benefit most from using the following three cybersecurity technologies: Security Orchestration in speed Automation and Response (SOAR), Artificial Intelligence (AI) and Next- of remediation Generation Firewall (NGF). See page 26 for more on the specific technologies that benefit leaders.

Speed of recovery is essential in minimizing the Figure 9. Security breaches by level of impact damage of a security breach and the level of impact on the organization is another important performance factor. Leaders stated that 83 percent of all security breaches resulted in either no impact or a minor impact (Figure 9). And when you look at the remaining security breaches, 10 percent are moderate impact and 6 percent are significant. In terms of timing, this translates to a 58% moderate security breach every 13 months, on average, and a significant breach every 22 months or so, on average. 27% In comparison, non-leaders have lower 24% 26% 23% levels of performance, with 50 percent of One incident security breaches delivering a moderate 25% in 13 months One incident or significant impact. in 22 months

No impact Minor Moderate Significant No material effect, breach Short-term business impact, Moderate exposure Very high profile, severe and notification required, but limited breach notification to business by breach long-term impact on organization’s little or no damage and financial exposure notification process or business (or mission) by massive public image impact notification process, lost sensitive information, public image impact Leaders Non-leaders

Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 24 Leaders have TAKE ACTION The performance target for non-leaders is to ensure at least three out of five security a twofold breaches have no impact or only a minor impact. advantage in When trying to limit the impact of security breaches, leaders say they benefit most from containing using the following three cybersecurity technologies: Artificial Intelligence (AI), Next- Generation Firewall (NGF) and Security damage impact Orchestration Automation and Response (SOAR). See page 26 for more on the specific technologies that benefit leaders.

Copyright © 2020 Accenture. All rights reserved. 25 Leaders know which technologies help to achieve a broader level of cybersecurity success. Non-leaders should consider refocusing their investment priorities toward the technologies which bring benefits that Filling the help to fill in some of the performance gaps and achieve a broader level of cybersecurity success. gaps in Technology benefits SOAR AI NGF RBA RPA PAM cybersecurity Fewer successful attacks #2 #1 #4 #3 performance Reduced breach impact #3 #1 #2 #4 More precise incident detection #1 #2 #3 #4

Reduced inherent risk/Shrink the attack surface #1 #3 #2 #4

Cost reduction #1 #2 #3 #4

Consistent quality of response #2 #1 #4 #3

AI Artificial Intelligence RBA Risk-Based Authentication (Machine Learning/Natural Language Processing) RPA Robotic Process Automation NGF Next-Generation Firewall SOAR Security, Orchestration, Automation, Response PAM Privileged Access Management

Invest for Drive value Sustain operational from new what they speed (p.28) investments (p.32) have (p.38)

Leaders prioritize moving Leaders scale more, train Leaders place more fast and choose turbo- more and collaborate more emphasis on maintaining charging technologies to to increase the value from existing investments help them get there. innovative technology. and perform better at the basics of cybersecurity.

In the current environment of rising costs Where leaders value their speed of detection, and growing third-party threats, security response and recovery, the top three measures investments must work more effectively and of cybersecurity success among non-leaders TAKE ACTION efficiently than ever to prove their worth. So, concern the outcomes they want to achieve: what do leaders do differently to become more cyber operational technology (OT) resiliency; Non-leaders should resilient? We found they invest for operational repetition (the portion of breaches that come consider refocusing their speed, drive value from new investments from repeated attempts of the same type); and and sustain what they have. cyber IT resiliency. priorities to measure While non-leaders focus on measuring their and improve their speed cyber resilience, leaders focus their speed of of detection, response travel toward this final destination. The top three and recovery. They measures of cybersecurity success for leaders emphasize speed. We found that leaders prize should emulate the how quickly they can detect a security breach, way leaders measure how quickly they can mobilize their response and how quickly they can get operations back their cybersecurity to normal (Figure 10). Beyond these priorities, performance to achieve leaders also measure the success of their greater levels of cyber resiliency—how many systems were stopped and for how long—and precision—improving resilience. the accuracy of finding cyber incidents.

Figure 10. Top three ways leaders measure the success of their cybersecurity program

1. Cyber detection speed 58% (how long it takes to detect an incident) 41%

2. Cyber recovery/restoration time 53% (how long it takes to restore normal activity) 39%

3. Cyber response time 52% (how long it takes to identify and mobilize) 41%

Leaders Non-leaders

We analyzed six advanced technologies to detection, speed of recovery and speed of understand which ones provided the greatest response. They have also ranked the same range contribution toward achieving each of the of technologies according to the benefits they TAKE ACTION measures of cybersecurity success for leaders derive from using them to achieve other (Figure 11). Analysis of the technologies that measures of cybersecurity success—like fewer Non-leaders should benefit leaders helps to focus investment successful attacks, reduced breach impact and consider refocusing their resources on the areas of greatest value. Artificial cost reduction (see p.26). The result of these Intelligence (AI) and Security Orchestration findings creates a useful heatmap of which investment priorities Automation and Response (SOAR) technologies security technologies help the most in achieving toward the technologies form the backbone of leaders’ investment a range of beneficial outcomes for cybersecurity strategies. As we can see from Figure 11, Leaders success to guide security technology which benefit the have ranked the technologies that their investments. ways leaders measure companies align with and provide the greatest their cybersecurity benefit in helping them achieve their main measures of cybersecurity success—speed of performance: faster detection, faster response, and shorter recovery times.

Figure 11. Security technologies ranked by leaders’ priorities in achieving cybersecurity success

Leaders’ priorities SOAR AI NGF RBA RPA PAM

Faster incident detection #2 #1 #3 #4

Faster incident response #1 #1 #4 #3

Shorter recovery times #1 #2 #3 #4

The rate at which organizations scale investments Protect more key assets across their business has a significant impact on The ability to scale is an important factor in the their ability to defend against attacks. The leaders TAKE ACTION reach of security programs. The cybersecurity best at scaling technologies—defined as 50 percent programs for the best at scaling actively protect or more tools moving from pilot to full-scale Non-leaders should three-quarters of all key assets in the deployment—perform four times better than their organization. The rest cover only one-half of their consider scaling fast, like counterparts (Figure 12). For the leaders best at key assets. It is little surprise that 86 percent of scaling, only 5 percent of cyberattacks resulted in the leaders, to realize how leaders agreed new cybersecurity tools are a security breach. For the non-leaders, 21 percent increasing the reach of cybersecurity coverage effective investments in of cyberattacks resulted in a security breach. for their organizations. new security technologies

Better security team detection can be in improving security team detection Security teams are also more effective for organizations who scale more of their technology rates and protecting more investments. For those best at scaling, security key assets—but only when teams discovered almost three-quarters of they are fully deployed cybersecurity attacks against their organizations compared with only one-half of all cyberattacks across the enterprise. for their counterparts.

Figure 12. The percentage of the security tools piloted then scaled and used throughout the enterprise

60% 50% or more scaled 48%

29% 25–49% scaled 40%

11% 0–24% scaled 12%

Leaders Non-leaders

Training is another area where most organizations Protect more key assets can make significant improvements. When asked about security tools adopted by their organization Introducing new tools means that training is TAKE ACTION that require training, 30 percent of leaders essential to get the best out of them. For the provided training for more than three-quarters of best at training, 85 percent of their organization Non-leaders should is actively protected by their cybersecurity users when it was needed, versus just 9 percent consider training more, of non-leaders (Figure 13). For the best at training, program. The rest protect only 56 percent of only 6 percent of cybersecurity attacks resulted their organization through their cybersecurity like the leaders, to make in a security breach compared with an average of program. security tools more 11 percent for the rest. Clearly, there is room for leaders and non-leaders to improve their effective. They could performance by training more. benefit from better Faster at discovering and fixing breaches protection of more key The speed with which organizations find security assets along with faster breaches is faster for those who provide higher discovery and remediation levels of training. The best at training found 52 of breaches. percent of security breaches in less than 24 hours, compared with only 32 percent for the rest. How long it takes to remediate a security breach is also an aspect of better training. For the leaders in training, 65 percent of all security breaches are remediated within 15 days.

Figure 13. The percentage of users who receive training when needed for new security tools adopted by an organization

30% More than 75% 9%

33% 51%–75% 31%

32% 25%–50% 53%

5% Less than 25% 8%

Leaders Non-leaders

When asked about the importance of Threat intelligence plays a key role in ways to collaboration, 79 percent of respondents agreed collaborate for leaders. Leaders focus more on collaborations with other organizations, knowledge sharing with partners and sharing TAKE ACTION government bodies and the wider security threat information among the security ecosystem community will be one of the essential weapons in their top five ways of collaborating with Non-leaders should organizations will need to combat cyberattacks partners (Figure 14). consider collaborating in the future. The organizations best at collaborating—the ones using more than five more, like the leaders. methods to bring together strategic partners, They could realize a better security community, cybersecurity consortiums, and an internal task force to increase return on technology understanding of cybersecurity threats—are two investments with a times better at defending against attacks than better containment of others. Organizations that collaborate more have a breach ratio of 6 percent against an average business impact and of 13 percent for the rest. greater protection for key assets and the extended ecosystem.

Figure 14. Main ways that organizations that are best at collaborating work with partners

Collaborate with strategic partners to 57% share knowledge of threats 47%

Collaborate with strategic partners to 57% test our cybersecurity resilience 46%

Maintain an internal cybersecurity 56% committee/task force 46%

Share threat information among the 53% security community within industry 45%

Contribute to creating 43% cybersecurity standards for industry 43%

Leaders Non-leaders

Despite recent improvements in the basics of They focus more of their budget allocations on cyber resilience—with security breaches down sustaining what they already have compared with 27 percent in the last 12 months—non-leaders still non-leaders who place more emphasis on piloting TAKE ACTION have a long way to go if they are to match the and scaling new capabilities (Figure 15). In fact, cybersecurity performance of leaders. Leaders non-leaders tend to spread their spending evenly Non-leaders should understand the need to be brilliant at the basics. across all three of these activities. consider placing more emphasis on sustaining what they already have to Figure 15. Budget allocation by leaders enable them to perform better at the basics just % Scanning, piloting, trialing as the leaders do. They 29% new capabilities (in a lab or pilot) should also try to move more quickly from piloting % Scaling new capabilities 32% new capabilities to scaling them across the % Sustaining what you already have 39% enterprise.

Leaders

Security breaches most often happen when leaders—it is clear they are significantly better at organizations fail at fundamental aspects of their the basics of cybersecurity protection. Now, protection practices. Which is a challenge when more than ever, it is vital for organizations to TAKE ACTION the highest proportion of cyberattacks against make sure the basics of data-centric security are leaders— 35 percent— target customer records in place. It is not only the right thing to do, but Non-leaders should (Figure 16). Yet with only 15 percent of leaders also critical if organizations are serious about consider placing more having more than 500,000 records exposed in protecting their customer data and protecting the last year— compared with 44 percent of non- their most important assets.1 emphasis on the basics of cybersecurity Figure 16. The primary target of cybersecurity attacks against leaders by putting steps in place to fortify their data- 35% centric security and Customer records 30% better protect their most Infrastructure (eg, industrial control 28% important assets. systems-ICS attacks) 30%

Stealing/extracting valuable IP or 24% espionage-related 29%

Leaders Non-leaders Source: Accenture Research; n=4,644 Copyright © 2020 Accenture. All rights reserved. 1 www.accenture.com/us-en/insight-data-achieving-centric-security-2017 39 MASTERING CYBERSECURITY EXECUTION

A core group of leaders has shown that cyber in advanced technologies has doubled in the resilience is achievable and can be reproduced. last three years. The combined result is a new By investing for operational speed, driving value level of confidence from leaders in their ability Test your own from these investments, and sustaining what to extract more value from these investments— cybersecurity they have, they are well on the way to mastering and by doing so, exceed the performance cybersecurity execution. levels of the non-leaders. leadership Leaders often take a more considered With two out of five cyberattacks now indirect, Ask your Accenture contact if you would approach to their use of advanced organizations must look beyond their own like to undertake the Accenture Security technologies by choosing those which help four walls to their broader ecosystems. They Diagnostic to benchmark your deliver the speed of detection and response should become masters of cybersecurity organization’s cybersecurity program they need to reduce the impact of execution by stopping more attacks, finding and capabilities against those of your peers cyberattacks. And once they do decide to fixing breaches faster and reducing breach in a personalized report. invest, they scale fast—the number of leaders impact. In this way, they can not only realize spending more than one-fifth of their budget security innovation success, but also achieve greater cyber resilience.

In a continuation of our study started in 2017, Accenture Security surveyed 4,644 executives to understand the extent to which organizations prioritize security, how comprehensive their STOP MORE FIND BREACHES security plans are, and how their security 1 ATTACKS 2 FASTER investments are performing. The executives represent organizations with annual revenues of The ratio of security breaches The percentage of the group US$1 billion or more from 24 industries and 16 over attempted attacks that detect a breach in less countries across North and South America, Europe and Asia Pacific. received by each group. than one day. The first step of our approach was to determine the characteristics of high-performance cybersecurity. We developed a list of dimensions that set leaders apart and which help leaders have a positive impact on reducing the overall cost of cybercrime. Our analysis determined leaders as FIX BREACHES LOWER BREACH those companies that exhibit high-performance 3 FASTER 4 IMPACT in at least three of these dimensions:

Stop more attacks The percentage of the group The percentage of no impact Find breaches faster that fix a breach in less than and minor impact attacks Fix breaches faster 15 days. received by each group. Lower breach impact

We then conducted a series of “what if” Figure 17. A formula to assess the cost of cybercrime experiments to explore the return on investment of improving these cybersecurity practices. We created a formula to assess the cost of cybercrime for a company: the average cost per attack, multiplied by the total number of attacks. Cost of The average cost per attack was the total of the Average cost Total number cybercrime for daily cost of an attack by damage type, by the per attack of attacks days to detect and fix an attack of this damage a company type, by the proportion of attacks for this damage type. The total number of attacks 4 consisted of the security breach ratio by the total Daily cost of an attack Days to detect Proportion of Successful Total attempted breaches. of damage and fix an attack attacks of breach ratio attempted type i of damage type i damage type i breaches The average cost per attack was the total of i = 1 the daily cost of an attack by damage type, by the days to detect and fix an attack of this Cost of an attack of damage type i damage type, by the proportion of attacks for this damage type. The total number of attacks consisted of the security breach ratio by the total attempted breaches (Figure 17).

Note: all variables come from our survey comprising data for 4,644 organizations. We assume variables in grey to remain constant. Damage type includes attacks that are: Copyright © 2020 Accenture. All rights reserved. (1) Significant, (2) Moderate, (3) Minor and (4) No impact. 43 ABOUT THE RESEARCH Our methodology

Our modeling simulations estimate the value Figure 18. Cost reduction per attack if non-leaders perform as leaders to non-leaders of improving cybersecurity performance to the level of a leader could reduce the cost per incident by 72 percent. This equates to US$273,000 potential savings on average (Figure 18). $380,000 –72% = –US$ 273,000

Average cost per attack for non-leader companies* $107,000 -61% -11%

As is Same proportion Same time to To be of attacks by detect fix damage type

Australia Netherlands Brazil Norway Canada Portugal France Singapore 3RD Germany Spain US$1B+ Ireland United Kingdom ANNUAL Italy United States Revenues 16 Japan RESEARCH STUDY Countries Kingdom of Saudi Arabia

Aerospace Health Pharma Automotive Provider Retail Banking Health Payer Telecom Biotech High Tech Travel Capital Industrial Software Markets Insurance US Federal Chemicals Life Sciences Utilities Consumer Media 24 Goods MedTech 4644 Industries Energy Metals & Security executives Mining

The reporting structure, the influence of the Figure 19. Direct reports for research respondents C-suite and Board and who manages the budget have always been important considerations in any cybersecurity program. Our 4,644 executives highlighted that: The CEO and executive team continue to expand CEO/Executive Committee 33% their governance of cybersecurity programs but 41% there is a drift away from board involvement in Chief Information Officer 22% terms of reporting. Reporting to the CEO is up by 17% 8 percentage points, while Board reporting is Board of Directors 30% down by 12 percent. Direct reports to the CIO are 18% down about 5 percent year-on-year with a general Chief Technology Officer 4% drift to the CTO of about 10 percent over the 12% same period (Figure 19). Chief Risk Officer 3% 4% Chief Finance Officer 3% 3% Chief Operating Officer 2% 2%

The impact of budget approval continues to Figure 20. Cybersecurity budget authorization for research respondents vary. The CEOs/Executive team’s influence is steady, nudging down just a few points from last year’s findings. The Board, however, is at 32% around one-third of the level of participation in CEO/Executive Committee 26% budget approval compared with last year. To 9% compensate for this, CISO, CFO and CIO budget CISO/Chief Security Officer 16% authorization is up by 5 to 10 points each over the year. While CEOs and the executive committee Board of Directors 27% 8% continue to be actively involved in cybersecurity governance; for many, this suggests budget Chief Financial Officer 12% 21% approvals seem to be moving toward more of a business-as-usual activity (Figure 20). Chief Information Officer 6% 13% Chief Operating Officer 11% 5% Chief Risk Officer 1% 5% Functional leadership 1% 3% Chief Data Officer 0% 3%

Last yLast yeearar All-Now Copyright © 2020 Accenture. All rights reserved. Source: Accenture Research; n=4,644 47 About Accenture About Accenture Security About Accenture Research Accenture is a leading global professional Accenture Security helps organizations build Accenture Research shapes trends and creates services company, providing a broad range of resilience from the inside out, so they can data driven insights about the most pressing services and solutions in strategy, consulting, confidently focus on innovation and growth. issues global organizations face. Combining the digital, technology and operations. Combining Leveraging its global network of cybersecurity power of innovative research techniques with a unmatched experience and specialized skills labs, deep industry understanding across client deep understanding of our clients’ industries, across more than 40 industries and all business value chains and services that span the security our team of 300 researchers and analysts functions—underpinned by the world’s largest lifecycle, Accenture protects organization’s spans 20 countries and publishes hundreds of delivery network— Accenture works at the valuable assets, end-to-end. With services that reports, articles and points of view every year. intersection of business and technology to help include strategy and risk management, cyber Our thought-provoking research—supported by clients improve their performance and create defense, digital identity, application security proprietary data and partnerships with leading sustainable value for their stakeholders. With and managed security, Accenture enables organizations, such as MIT and Harvard—guides approximately 505,000 people serving clients businesses around the world to defend against our innovations and allows us to transform in more than 120 countries, Accenture drives known sophisticated threats, and the unknown. theories and fresh ideas into real-world innovation to improve the way the world works Follow us @AccentureSecure on Twitter solutions for our clients. For more information, and lives. Visit us at www.accenture.com. or visit the Accenture Security blog. visit www.accenture.com/research.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this cybersecurity report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.