Cyber-attacks can rapidly derail an enterprise’s ability to create value, and their frequency, reach and levels of sophistication continue to grow. While no organization can defend itself from all cyber-attacks the following three approaches can help bring risk to a manageable level.

1. Continuous Cyber Attacks:
Engaging Business Leaders
for the New Normal
Executive Summary

2. 22
Cyber-attacks can rapidly derail an enterprise’s ability
to create value, and their frequency, reach and levels of
sophistication continue to grow. Leaders unfamiliar with the
complexities of cyber defense may fail to recognize the gaps that exist in their
digital security strategies. It’s easy to do: regulators and other government bodies
compel companies to focus on compliance with specific regulations, drowning
out other voices that support dynamic cyber risk management approaches.
However, organizations have learned that passing compliance assessments does
not equal data security. Likewise, a strategy focused on acquiring the latest
security products and add-on applications can quickly drain a security budget,
while not appreciably improving the organization’s defensive posture.
While no organization can defend itself from all cyber-attacks the
following three approaches can help bring risk to a manageable level:
Actively engage to make the business a better security “customer”
Strengthen the partnership between the business and security
Continuously exercise organizational defenses
1
2
3

3. 3
Actively engage to make
the business a better security
“customer”
A solid cyber defense requires that partnerships are formed
among an organization’s business stakeholders, its risk
management office and the security team—a relationship
that asks every employee to be responsible for security. The
detection and elimination of cyber threats drops precipitously
if the business stakeholders fail to cooperate fully with the
security team. Some typical challenges include:
• Security lacks sufficient top management access:
Most companies recognize that digital security is an
important agenda item, but in many cases, the Chief
Information Security Officer (CISO) does not have
top-level access.
• The front lines remain unengaged in security issues:
Often, employees do not care enough about security
to change their behavior. Articulating the importance
of security and doing it in an engaging manner starts
at the top.
• Ambiguity regarding who “owns” the systems under
attack: Business teams are agile and entrepreneurial,
creating new applications and data stores to meet
customer demands. Once an attack happens, the security
team needs to know who “owns” the compromised system
or actions will be impeded and reduce the effectiveness
of the response.
Strengthen the partnership
between the business and security
Leaders can align the business side’s commercial needs
and the security team’s cyber defense requirements by
forging an effective business and security partnership.
Four elements of such a partnership are:
• Keep security on the agenda: If organizations can
operate under a concept called ‘presumption of breach,’
acknowledging that a hacker will get into their networks,
their perspective and alignment on the right security
strategy can become laser focused.
• Recognize the complexity of the challenge:
Organizations need to understand the complexity of the
systems they are defending and determine where to “set
the bar” regarding loss tolerance. Part of the challenge
is recognizing the complexity of roles; the organization
has revenue goals and other business targets, and the
security team has its own set of objectives.
• Work together to identify the organization’s critical
data: It often seems overwhelming to organizations since
all risk can’t be mitigated—however it can become very
manageable when an organization is able to pinpoint
their most consequential risk in the relevant networks and
provide them the greatest level of protection.
• Evolve the organizational culture to attract and
retain top-tier security talent: The best companies
tend to think proactively about talent pools; this involves
working with universities to develop key cyber defense
recruits and looking for expertise outside of normal
channels.
Continuously exercise
organizational defenses
Business leaders should also focus on developing
organizational defenses in the following ways:
• Relentlessly test defenses: Organizations leading the
way in cyber defense train with a third-party “sparring
partner” imbued with all of the skills and technologies
(but none of the malice) that attackers bring to bear.
Similar to a boxer, someone who trains exclusively with
a static punching bag won’t stand a chance against a
real opponent. Likewise, an enterprise focused totally
on conventional static defenses will quickly fall prey to
today’s increasingly aggressive digital attackers.
• Hunt inside the organization’s defenses: Assume that
security is compromised and constantly look for intruders
across the entire environment.
• Improve response effectiveness: As the organization
spars with an elite security assessment team, going
through the same tactics as the attacker would use, over
time they develop ‘muscle memory.’ Organizations that
spar repetitively and consistently work more effectively
to minimize an event’s impact.
The intensity and seriousness of current digital attacks
make cybercrimes uniquely dangerous for businesses. In
this confusing new environment, many leaders wonder
what they can do to make their companies more resilient.
Once an enterprise takes the pulse of its cyber defense
strengths and weaknesses, they should develop 100-day
and 365 day plans to build the momentum needed to
realize their cyber defense goals.
2
3
1

4. Accenture, its logo, and High Performance
Delivered are trademarks of Accenture.
Copyright © 2015 Accenture
All rights reserved.
Contributors
Bill Phelps
Managing Director, Global Security Services
bill.phelps@accenture.com
Twitter: @waphelps
Ryan LaSalle
Managing Director, Security Growth & Strategy Lead
ryan.m.lasalle@accenture.com
Twitter: @labsguy
Kevin Richards
Managing Director, North America Security Practice
k.richards@accenture.com
Twitter: @kevin_richards
Matt Devost
Co-founder and CEO of FusionX
matt.devost@accenture.com
Twitter: @MattDevost
Steve Culp
Senior Managing Director, Accenture Finance & Risk Services
steven.r.culp@accenture.com
Twitter: @steve_culp
David Smith
Senior Managing Director, Talent & Organization
david.y.smith@accenture.com
DISCLAIMER: This document is intended for general informational
purposes only and does not take into account the reader’s specific
circumstances, and may not reflect the most current developments.
Accenture disclaims, to the fullest extent permitted by applicable
law, any and all liability for the accuracy and completeness of the
information in this document and for any acts
or omissions made based on such information. Accenture does not
provide legal, regulatory, audit, or tax advice. Readers are responsible
for obtaining such advice from their own legal counsel or other
licensed professionals.
Rights to trademarks referenced herein, other than Accenture
trademarks, belong to their respective owners. We disclaim
proprietary interest in the marks and names of others.
About Accenture
Accenture is a leading global professional services
company, providing a broad range of services and solutions
in strategy, consulting, digital, technology and operations.
Combining unmatched experience and specialized
skills across more than 40 industries and all business
functions—underpinned by the world’s largest delivery
network—Accenture works at the intersection of business
and technology to help clients improve their performance
and create sustainable value for their stakeholders. With
more than 358,000 people serving clients in more than 120
countries, Accenture drives innovation to improve the way
the world works and lives. Visit us at www.accenture.com.