The Cyber Security Leap: From Laggard to Leader

Larry Ponemon


If your company is like most, security has risen to the top of the agenda amongst C-suite executives and boards of directors. Rapidly evolving security threats pose an ongoing, central challenge, as companies and governments face an increasingly sophisticated threat environment. Large global organizations with industry presence and value may be of special interest for adversaries, whether they be individuals, organized crime or nation states. Forrester predicts that at least 60 percent of enterprises will discover a breach in 2015, but says the actual number of breached entities will be much higher–80 percent or more.

Accenture, in collaboration with the Ponemon Institute LLC, conducted a study to identify the success factors of companies that demonstrated a dramatic increase in security conditions during the past two years — the “leapfrogs” — to see what helped them move from laggard to leader.  The study unearthed six trends:

1. Security innovation is valued

Leapfrog companies have made significant increases to their level of security innovation, seeking out new approaches to emerging problems.
Leapfrog companies are more likely to have an officially sanctioned security strategy, and this strategy is more likely to be the main driver of their organization’s security.

2. Leapfrog organizations are proactive in addressing major changes to the threat landscape

They recognize that persistent attacks should change the company’s approach to IT security and adapt their security posture in response to threats. Different security threats continue to emerge—the research evaluated the level of impact those threats had on the organizations’ security ecosystem and how the organizations responded.

3. The CISO is important and influential

Both Leapfrog and Static organizations have a CISO; the important differences lie in how that role is viewed and executed. Across all organizations studied, the CISO has hiring/firing authority, holds responsibility for enforcing security policies and has authority over budget and investment decisions. Within Leapfrog organizations, the CISO is more likely to directly report to a senior executive, set the security mission by defining strategy and initiatives, and have a direct channel to the CEO in the event of a serious security incident.

4. Leapfrog companies excel in governance

Both groups of companies identified the importance of appointing a CISO for the organization, recruiting expert IT security personnel and background checks for all privileged users as critical to achieving a strong security posture. However, the Leapfrog companies believe disaster recovery and business continuity management practices are important. Static companies, on the other hand, are more likely to cite clearly defined IT security policies and standard operating procedures (SOP) than Leapfrog companies.

5. Certain technologies separate the two groups

Leapfrog companies exceed Static companies in viewing the following features of security technologies as very important: pinpointing anomalies in network traffic; prioritizing threats, vulnerabilities and attacks; curtailing unauthorized sharing of sensitive or confidential data; and enabling adaptive perimeter controls. In contrast, Static companies exceed Leapfrog companies in believing the following are more important features of security technologies: controlling insecure mobile devices including BYOD, limiting access for insecure devices and enabling efficient backup functionality.

6. Security budgets in Leapfrog companies include funding for innovations in information technologies

Leapfrog companies are more likely to have a dedicated budget for their security programs and have allocated more money toward security over the past few years (Figure 8). They also have a fund dedicated to innovations in information technologies. These companies are more positive about having enough funding to meet their mission and objectives.


To estimate the security posture of organizations, we used the Security Effectiveness Score (SES) as part of the survey process. The SES was developed by The Ponemon Institute in its annual encryption trends survey to define the security effectiveness of responding organizations. We define an organization’s security effectiveness as being able to achieve the right balance between efficiency and effectiveness across a wide variety of security issues and technologies. The SES is derived from the rating of 48 security features or practices. This method has been validated by more than 60 independent studies conducted since June 2005. The SES provides a range of +2 (most favorable) to -2 (least favorable). A result for a given organization greater than zero is viewed as net favorable, which means the organization’s investment in people and technology is both effective in achieving its security mission and efficient. Hence, they are not squandering resources and are still being effective in achieving their security goals. A negative SES has the opposite meaning.

For this research, we evaluated hundreds of companies that were previously benchmarked so that changes in the organizations’ SES scores could be measured and evaluated. Based on that analysis, we divided the sample into the following groups:

Leapfrog sample: 110 companies that experienced a 25 percent or greater increase in their SES over a two-year period. The average increase in SES for these companies was 53 percent.

Static sample: 137 companies that experienced no more than a 5 percent net change in their SES over a two-year period, with an average change of 2 percent. This sample was matched to the Leapfrog sample based on industry, size and global footprint.

To read the full report, click here.
