Organizations seldom prioritize cybersecurity over business outcomes

55% of large companies are not effectively stopping cyberattacks, finding and fixing breaches quickly, or reducing the impact of breaches, according to a research study from Accenture.

Based on a survey of more than 4,700 executives globally, the study explores the extent to which organizations prioritize security, the effectiveness of current security efforts, and how their security investments are performing.

Not focusing enough on effectively stopping cyberattacks

The study also reveals that 81% believe that “staying ahead of attackers is a constant battle and the cost is unsustainable” — an increase from 69% in last year’s survey. At the same time, while 82% of survey respondents increased their cybersecurity spending this past year, the number of successful breaches — which include unauthorized access to data, applications, services, networks or devices — jumped 31% over the previous year, to 270 per company, on average.

“From run-of-the-mill cybercriminals to sophisticated nation-state actors, cyber adversaries are getting more resourceful at finding new ways to carry out their attacks,” said Kelly Bissell, who leads Accenture Security globally.

“Our analysis reveals that organizations too often focus solely on business outcomes at the expense of cybersecurity, creating greater risk. While getting the balance right isn’t easy, those who have a clear view of the threat landscape and a strong alignment on business priorities and outcomes achieve greater levels of cyber resilience.”

The report highlights the need to extend cybersecurity efforts beyond a company’s own walls to its entire ecosystem, noting that indirect attacks — i.e., successful breaches to an organization through the supply chain — continue to grow. For instance, despite 67% of organizations believing that their ecosystem is secure, indirect attacks accounted for 61% of all cyberattacks this past year, up from 44% the prior year.

Cyber resilience champions

Additionally, the research identified a small group of companies that not only excel at cyber resilience, but also align with the business strategy to achieve better business outcomes and return on cybersecurity investments. Compared with other organizations, these “Cyber Champions” are far more likely to:

• strike a balance between cybersecurity and business objectives
• report to the CEO and board of directors and demonstrate a far closer relationship with the business and CFO
• consult often with CEOs and CFOs when developing their organization’s cybersecurity strategy
• protect their organization from loss of data
• embed security into their cloud initiatives, and
• measure the maturity of their cybersecurity program at least annually.

“Spending more on cybersecurity without being closely aligned to the business doesn’t make your organization safer,” said Jacky Fox, group technology officer at Accenture Security.

“When it comes to managing cyber risks, organizations can’t afford to lean one way or the other. To achieve sustained and measurable cyber resilience, chief information security officers need to move away from security-focused silos so they can collaborate with the right executives in their organization to gain a 360-degree view of the business risks and priorities.”