Organizations with strong alignment between their security and business teams are less likely to experience breaches, data shows, and the attacks that do succeed have overall lower costs and less severe damage.
Accenture's "State of Cybersecurity Resilience 2021" report reveals insights from a survey of 4,744 global respondents asked about the state of security. Most CISOs (85%) agree or strongly agree that security strategy is developed with business objectives, like growth and market share, in mind. Nearly as many (81%) believe staying ahead of attackers is "a constant battle" with unsustainable cost — a big jump from the 69% who said the same in Accenture's 2020 survey.
This could partly be explained by the increase in cybercrime. There were, on average, 270 attacks per company throughout 2021, a 31% increase from the year prior. Successful breaches of an organization through its supply chain increased from 44% in 2020 to 61% this year.
Security investments are also up. The budgets of more than 80% of respondents increased over the past year. IT security budgets now make up to 15% of IT spending, 5 percentage points more than last year. The spending seems to encourage optimism — 70% of respondents believe their business is actively protected by their program, compared with 60% in 2020.
But, as many CISOs know, technology alone won't solve all their security problems.
"Increased spending does not exactly convey better performance," says Ryan LaSalle, leader of Accenture Security's North America practice. "Just because you're increasing your budget, if you're spending on the wrong things, you're not going to increase your effectiveness. … It's not about how much you spend but what you spend it on."
Breaking Business Boundaries
Increased attacks aside, another reason organizations face an ongoing battle with cybercrime is their poor alignment with the business. This is evident in the transition to cloud: Over the next three to five years, more than two-thirds of workloads will move into the cloud, with about one-third of organizations moving at least 75% into the cloud across most regions in the world.
Despite respondents' belief that cloud applications and operations are more secure than those hosted on-premises, 32% say security is not part of the cloud discussion from the start and their organization is trying to catch up. Security is usually consulted after a decision has been made.
"CISOs are smarter than ever around what they can get from the cloud providers in terms of native security controls," says LaSalle, who notes he expected the 32% to be higher. "They're working really, really hard to close the gap between the security policy architecture they have for the legacy business and extending these policies into their cloud providers."
For security leaders, the biggest gap exists between what they feel comfortable with and what they need to be secure faster. Many organizations transitioning to a multicloud approach are looking to third-party cloud security tools to manage their security across multiple cloud providers. Trying to stitch together and manage native controls from cloud providers is "really hard," LaSalle adds.
Four Levels of Resilience: Where Do You Stand?
Researchers identified four levels of resilience: The Vulnerable do not align security with business strategy and have immature security operations; Cyber Risk Takers prioritize business growth and accept higher cyber-risk, Business Blockers prioritize cybersecurity over alignment with business strategy; Cyber Champions strike a balance between security and the business.
The latter two groups find breaches faster: Business Blockers detect 50% of breaches in less than a day and Cyber Champions find 55%, compared with Cyber Risk Takers (11%) and the Vulnerable (15%). The two groups that find breaches faster also fix them faster, and they both report a higher percentage of breaches with no impact, researchers report.
While Business Blockers have better numbers in terms of security, LaSalle points out the risks of putting security ahead at the expense of business innovation, using the cloud as an example.
"If you can't enable the move to the cloud quickly and securely, then you're stopping the pace of business growth," he explains. "You're stopping the ability to adapt and survive to the benefit of blocking attackers, but at the expense of the business actually capturing the value it needs in the market."
The answer, he says, lies in greater collaboration between the business and security teams. The Cyber Champions, which were seen most in the insurance, telecom, high tech, and retail industries, had more accountability for security at the highest levels of the organization.
"They had a lot more accountability — direct accountability to the top of the house, meaning the CEO and board have more direct accountability to security," LaSalle says. "Also, the business unit leaders had more accountability for security." As a result, their performance was dramatically better: They had lower cost and lower impact to the business; they found things and remediated them faster.