How to Make Your Organization a ‘Cyber Champion’
11/10/2021
Cybersecurity is not getting easier. In our latest State of Cybersecurity Resilience survey, 4,744 information security executives shared their approaches to cyber resilience, and the majority (81%) said staying ahead of attackers “is a constant battle and the cost is unsustainable.” This issue has only gotten more challenging after almost two years of remote work and a 32 percent increase over 2020 in successful cyberattacks.
As a custodian of the business, you’re already working with the rest of your board to balance cybersecurity demands with business strategy. Through our research, we discovered what makes organizations “cyber champions”—those that experience the fewest significant attacks, have a speedier response to detection and remediation, are better able to protect themselves from loss of data, and who work to align cybersecurity with the business strategy. These organizations, which represent 5 percent of the survey sample, excel at striking the right balance between cyber resilience and achieving business outcomes, a vital task that should be driven by the CEO and supported by the board.
Based on our findings, boards can encourage their organizations to become cyber champions by doing three key things differently:
First, invite the chief information security officer (CISO) to sit at the table. Seventy percent of cyber champion organizations have CISOs that report to the CEO and board. Importantly, they also demonstrate a close relationship with the chief financial officer (CFO)—cyber champion CISOs report to the CFO on cybersecurity seven times more often than other respondents. These organizations’ CISOs also work closely with the CEO and CFO to develop the cybersecurity strategy.
Cyber champions’ CISOs also have more autonomy when it comes to cybersecurity budgeting—not many require the CEO and board to authorize it. (Also of note: among all respondents, the percentage of boards authorizing cybersecurity budgets increased from 8 percent in 2020 to 14 percent this year.)
More CISOs are reporting to the board—growing from 19 percent in 2020 to 23 percent in 2021. Even if your CISO is already reporting to the board, though, you can also encourage them to move away from security-focused silos and draw on the experience of your larger leadership team to serve the whole business well.
Second, be threat-centric and business-aligned. Keeping attackers out of your environment relies on security leaders partnering closely with the business to reduce risk. This helps to embed security into your business priorities.
By measuring and monitoring risk profiles—as 90 percent of cyber champions do annually—and making that data available to leadership, CISOs can be in lockstep with the board and better line up with the business, according to 88 percent of our security respondents.
As a board member, you’re in the best position to influence the organization to become a cyber champion. You have visibility into everything and can act as the mediator between the business and the CISO. This is a pivotal moment for boards and the C-suite, and for the rest of the business, especially CISOs, to see things from your perspective.
Third, get the most out of the secure cloud. Many business leaders still worry about lost or compromised data in the cloud. Recent Accenture research named security and compliance risk as a top pain point in cloud adoption. With an accelerated shift toward using the cloud, it is important that leaders understand its value.
By encouraging CISOs to seize the opportunity to reset their organizations’ security posture earlier and more effectively—like our cyber champions do—the C-suite can rest assured that its overarching strategy won’t come unstuck further down the line or result in having to do costly work all over again.
A CISO from a multinational mining, metals, and petroleum company interviewed by Accenture separately said, “So much depends on whether an organization sees security as an enabler, rather than just [something] defending [against] bad outcomes.”
Cyber champions know that all too well. That’s why they align closely with the business and step out of the ordinary into the domain of the cyber resilient.
Bob Kress is a managing director at Accenture Security where he is the co-chief operating officer and the global lead for quality and risk. He is responsible for identifying, assessing and managing risk for all Accenture Security business, and managing the quality of security services delivered to clients. Kress is also responsible for Accenture Security offerings to boards of directors, and is the Midwest region security lead.