A new report from Accenture has classified organisations' cyber resilience in four categories, with 'Cyber Champions' leading the way.
The State of Cybersecurity Resilience 2021 report, which is based on feedback from 4,744 organisations worldwide, examines the state of cybersecurity and how they balance business strategy with cyber resilience.
Globally, 81% of respondents say that the cost of staying ahead of attackers is unsustainable, up from 69% the previous year. In addition, more than 80% say their security budgets have increased in the last year, now accounting for up to 15% of IT spend.
Additionally, respondents report a 32% rise in the number of successful cyber attacks. Supply chain attacks have had a notable impact this year - 61% say they have been breached through this attack vector, up from 44% the previous year.
In Australia, the research finds that Australian organisations actually spend even less than the global average of their IT budgets on security. Most concerningly, it took a global average of 22% of businesses less than one day to detect and respond to a successful breach, compared to only 8% of Australian organisations. The time it took the majority of Australian businesses (66%) to detect a successful breach was between 1-7 days.
Accenture ANZ cybersecurity lead Mark Sayer comments, "As organisations are waking up to the reality of how dependent they are on technology, they are realising that cybersecurity has become a material risk and is now a whole-of-business responsibility. The rapid adoption of new and emerging technologies, while providing businesses with immense opportunities to scale and innovate, is also creating new opportunities for cybercriminals to profit.
"In saying that, is not realistic or sustainable for organisations to continue increasing their spend on security, especially if it isn't aligned to the business or actually making the organisation safer. As the cyber security landscape becomes increasingly complex, we need to think differently and more creatively about how we sustain the security of our technology platforms. As a start, chief information security officers need to look beyond their security-focused silo and collaborate closely with the right executives in their organisation to gain a 360-degree view of the business risks and priorities, and ensure that key security controls and investment priorities are aligned."
The report also presents a 'cyber quadrant', which categorises organisations into four types based on the relationship between their cyber resilience and business strategy alignment. These types include Cyber Champions, Business Blockers, Cyber Risk Takers, and The Vulnerable.
Cyber Champions: Organisations in this quadrant can balance cyber resilience and business objectives, aligning to business strategy. They are best at protecting key assets.
They may have more business unit leads who are responsible for cybersecurity than organisations in the other three quadrants, and they also have an extra edge - around 4% of Cyber Champions lose more than 500,000 data records.
They may also block 8% more breaches than their counterparts within the Business Blocker quadrant, and they block 36% more breaches than Cyber Risk Takers.
Business Blockers: These organisations prioritise cyber resilience over business strategy alignment. This is sometimes seen as an 'impediment' to business objectives, and organisations in this quadrant do not have 'Cyber Champions'.
Twenty-five percent of Business Blockers are likely to encounter an attack that results in a breach. While they still experience fewer breaches than Cyber Risk Takers and the Vulnerable, they are twice as likely to experience a high-profile, severe, or long term impact on their business in the event of a significant attack.
Organisations in this quadrant also have the highest proportion (32%) of CISOs that have the ability to approve budgets compared to other quadrants, meaning they may increase focus more on security than business strategy. 21% of Cyber Champions, 21% of Cyber Risk Takers, and 16% of The Vulnerable also have CISOs who can approve budgets.
Cyber Risk Takers: Business growth is a priority, so they accept higher cyber risk and are most aligned with their business strategy. Their priorities include business growth, cost reduction, customer satisfaction, development, exploring new markets, market share, time to market, and user experience.
According to the report, 53% of Cyber Risk Takers experienced an attack that led to a breach, and 23% of these attacks resulted in significant damage.
The report notes that while Cyber Risk Takers have a high security budget, that doesn't necessarily mean they have more cyber resilience.
The Vulnerable: These organisations often have immature cybersecurity operations, secure the bare minimum, and security is not aligned with business strategy.
The report states that there are three key steps organisations can take to become a Cyber Champion:
1. Give CISOs a seat at the top table: By drawing on the experience and insights of the wider leadership team, CISOs can gain a broader perspective that serves the whole business well.
2. Be threat-centric and business-aligned: Security leaders must closely align with the business as partners in driving down risk. This alignment helps to embed security into business priorities.
3. Get the most out of secure cloud: Organisations should seize the opportunity to reset their security posture earlier and more effectively to the cloud like Cyber Champions do.