NEW YORK, July 29, 2015 – As companies embark on new digital business strategies, nearly two-thirds (63 percent) of C-suite executives report that their companies experience significant cyberattacks daily or weekly; however, only 25 percent of them said their organization always incorporates measures into the design of their company’s technology and operating models to make them more resilient, according to a new Accenture (NYSE:ACN) survey.
The Accenture paper, Business resilience in the face of cyber risk, also reported that in response to the situation, 88 percent of the more than 900 executives surveyed believe their cyber defense strategy is robust, understood and fully functional. Nearly as many (86 percent) measure their organization’s resilience to determine what improvements are needed.
However, only nine percent of executives said their company proactively runs inward-directed attacks and intentional failures to test their systems on a continuous basis. About half (53 percent) of those surveyed said their company has a continuity plan that they refresh as needed. Just 49 percent map and prioritize security, operational and failure scenarios and even fewer (45 percent) have produced threat models to existing and planned business operations to enable rapid responses to an attack or system failure. Only 38 percent of the executives said their companies had thoroughly documented the relationships between their technology and operational assets to identify resilience risks and dependencies in their organization.
“Given the prevalence of cyberattacks on today’s companies and government organizations, the only question for most is when a cyberattack will occur, not if it will occur,” said Brian Walker, managing director, Accenture Technology Strategy. “While savvy executives know where their weak spots are, and work across the C-suite to prepare accordingly, testing systems, planning for various scenarios, and producing response and continuity plans that guide quick actions when a breach occurs, the data clearly shows that companies by and large have more work to do.”
According to the report, successful enterprises recognize that responsibility for resilience and agility does not just fall to the CIO, chief information security officer (CISO) or chief risk officer. On average, the research found that companies have two executives in the C-suite who are responsible for continuously monitoring and improving their business resilience. Nineteen percent of the represented companies had a “dedicated resilience officer.”
“To enable and protect the company, CEOs should work closely with their CIO, CISO and others across their leadership team as well as their board of directors, to make decisions about investments, and advance their business continuity efforts,” said Walker. “They cannot prevent an attack or failure, but they can mitigate the damage it can cause by taking steps to make their business more resilient, agile and fault-tolerant.”
To that end, the report suggests that companies:
- Create a digital ecosystem that enables them to team with other enterprises, augment their digital capabilities and access innovative technologies that reside outside the enterprise to strengthen their organization’s security posture and effectiveness;
- Manage digitally to deliver multi-speed business and IT capabilities in real-time by simplifying the IT architecture and addressing the business’s evolving digital requirements in a dynamic environment; and
- Institutionalize resilience by making it part of the operating model, ingrained from the outset into objectives, strategies, processes, technologies and organizational culture including fostering open communication with boards on governance practices and enterprise risk management.
To complete the research, 959 c-suite executives, predominantly chief executive officers (CEOs), chief information officers (CIOs), chief technology officers (CTOs) and chief operating officers (COOs), were surveyed via phone and online. They work across the following industries: banking; insurance; capital markets; energy; utilities; retail; telecommunications; high technology; consumer goods and services; automotive; industrial equipment, infrastructure and transportation; pharmaceuticals; life sciences and biotech; health insurance; and healthcare providers. Data was collected between April and June 2015. Read the report at www.accenture.com/BusinessResilience.