Wide disparity found between cyber resilience perceptions, realities in organizations
While nearly every recent study has found that senior-level executives take seriously the threats posed to their organizations by hackers, a new survey from management consulting and technology services firm Accenture reveals that C-suite perceptions about the strength of their company's cybersecurity posture may not line up with reality.
According to the survey, “Business resilience in the face of cyber risk,” 88 percent of the more than 900 executives (primarily CEOs, CIOs, CTOs and COOs) polled believe their cyber defense strategy is robust, understood and fully functional. However, only nine percent of executives said their company proactively and continually test the resiliency of their network using such methods as inward-directed attacks and intentional failures.
Despite the fact that nearly two-thirds (63 percent) of executives said their companies experience significant cyber-attacks on a daily or weekly basis, only 25 percent reported that their organization always incorporates measures into the design of their company’s technology and operating models to make them more resilient.
Brian Walker, managing director, Accenture Technology Strategy, said one of the goals of the research, at a macro level, was to find out how organizations thought they were doing in terms of their resilience and ability to respond in the aftermath of a cyber-attack and then contrast that with how they were actually prepared.
“The takeaway was the perception, at the (C-suite) level, was pretty disconnected from probably the reality in the trenches of their operations,” said Walker. “You have to dismiss the notion that the executives will want to believe that things are more positive than perhaps they are for political reasons or whatever else...the reality is, the disconnect was so stark, so significant, that we think it tells us is that the understanding of the reality of dealing in a cyber world that works at the speed of light hasn’t really sunk in yet in the populations we’ve studied. We think there is an opportunity here for increasing CIO and CTO alignment and especially alignment with the board in terms of how they really understand, prepare and defend from a cyber onslaught.”
Walker said an explanation for this disconnect may lie in the fact that many of these CIOs and CTOs — some of whom have 25 to 30 years of experience under their belt — are skilled in solving problems associated with previous eras of technology.
“When you run and maintain your own applications, data centers and so on, you have disaster recovery and business continuity plans, but this focus around cyber threats and cyber resilience has really emerged in the last five to seven years,” added Walker. “Five to seven years out of a career of 20 or 30 years means that many of the executives running organizations haven’t necessarily run these shops in this current environment — exposed to outsiders that can come in and touch your systems. Things like inward testing didn’t exist when they were in their formative years, so they are having to learn or adapt to a very different reality, and, in many cases, it appears that it hasn’t really sunk in yet.”
More than half (53 percent) of those surveyed said their business has a continuity plan in place to deal with a cyber-attack against their systems, and that they refresh them as needed. Only 49 percent said they map and prioritize security, operational and failure scenarios; and just 45 percent have produced threat models to existing and planned business operations to enable rapid responses to an attack or system failure.
Walker said what it means to have a continuity plan has also changed dramatically in recent years, which may explain why some may be behind the curve when it comes to updating them to account for cyber threats.
“Historically, at the CEO and board level, continuity was designed for catastrophic loss of a facility. For example, if you lose headquarters, you have to have a business continuity plan so you can go and operate somewhere else,” he explained. “If a tornado hits downtown Tulsa, you have to be able to move your executives and your team to some other location to operate. What we are finding is the mindset of, ‘We’re prepared for the catastrophic loss of a building, but we’re not prepared for migration from one virtual location to another quickly.’ That’s the same root cause of not really understanding the speed of light threat.”
Overall, Walker said the findings of the survey reveal two salient points about the resiliency of organizations to cyber-attacks: first, in terms of defensive activities, most of the population set examined have done a “reasonable” job of understanding and protecting themselves to the greatest extent possible. However, Walker said organizational resilience in the aftermath of an attack is not necessarily well-understood as an objective for the board or executive team.
Based on the results of the survey, Accenture developed three recommendations for managing a more cyber resilient organization which include:
- Creating a digital ecosystem that enables companies to team with other enterprises, augment their digital capabilities and access innovative technologies that reside outside the enterprise to strengthen their organization’s security posture and effectiveness;
- Manage digitally to deliver multi-speed business and IT capabilities in real-time by simplifying the IT architecture and addressing the business’s evolving digital requirements in a dynamic environment; and
- Institutionalize resilience by making it part of the operating model, ingrained from the outset into objectives, strategies, processes, technologies and organizational culture including fostering open communication with boards on governance practices and enterprise risk management.
“Effectively, this is an asymmetrical battle," said Walker. "The bad guy only has to be right once and we have to be right every single time. The reality is we have to be prepared if something does happen."