Security has risen to the top of the agenda amongst most C-suite executives and boards of directors today. Rapidly evolving security threats pose an ongoing, central challenge, as companies and governments face an increasingly sophisticated threat environment.
Accenture collaborated with the Ponemon Institute, LLC to explore the success factors of companies that demonstrated measurable improvement in security effectiveness over a period of two years. Find out how leapfrog organizations are improving their security posture and more quickly detecting security threats.
Australian and New Zealand organisations are an attractive target for cyber-crime and espionage. Our latest research shows how leading enterprises are achieving outsized results, providing a guide to all organisations seeking to ensure they are a tough nut to crack.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
Organizations are improving cyber resilience and showing they can perform better under greater pressure as the number of targeted attacks more than doubles.
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
Â
The philosophy of Enterprise Security Risk Management (ESRM) drives a risk-based approach to managing any security risks, physical or logical and holistically applies to every security process. There are globally established risk principles that are common among any developed risk management standard. This model associates the relationship of risk principles to the practice of managing security risks. The ESRM processes, when successfully and consistently adapted to a security program, will define what a progressive security program looks like, drive strategic through initiatives, build the business understanding of securityâs role to develop a budgeting strategy, and initiate board-level, risk-based reporting. The management security leader's role in ESRM is to manage risks and unthinkable harm to enterprise assets and stockholder in partnership with the business leaders whose assets are exposed to those risks management. ESRM is part of educating business leaders on the realistic of impacts. These identified risks, presenting any potential strategies to mitigate those impacts, and enacting the option chosen by the business in line with acceptable levels of business risk tolerance. The present data should be used to showcase how our service helps identify, evaluate, and mitigate risks at face value that would be detrimental to a companyâs long-term prosperity. We need to show how using our security risk management will ultimately benefit the company's work by improving policies and procedures and reducing other expenses through the use of risk principles management.
Accenture identifies seven key areas they should focus on to strengthen their safeguards against aggressors to ensure effective cyber-security for insurers.
Australian and New Zealand organisations are an attractive target for cyber-crime and espionage. Our latest research shows how leading enterprises are achieving outsized results, providing a guide to all organisations seeking to ensure they are a tough nut to crack.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
Organizations are improving cyber resilience and showing they can perform better under greater pressure as the number of targeted attacks more than doubles.
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
Â
The philosophy of Enterprise Security Risk Management (ESRM) drives a risk-based approach to managing any security risks, physical or logical and holistically applies to every security process. There are globally established risk principles that are common among any developed risk management standard. This model associates the relationship of risk principles to the practice of managing security risks. The ESRM processes, when successfully and consistently adapted to a security program, will define what a progressive security program looks like, drive strategic through initiatives, build the business understanding of securityâs role to develop a budgeting strategy, and initiate board-level, risk-based reporting. The management security leader's role in ESRM is to manage risks and unthinkable harm to enterprise assets and stockholder in partnership with the business leaders whose assets are exposed to those risks management. ESRM is part of educating business leaders on the realistic of impacts. These identified risks, presenting any potential strategies to mitigate those impacts, and enacting the option chosen by the business in line with acceptable levels of business risk tolerance. The present data should be used to showcase how our service helps identify, evaluate, and mitigate risks at face value that would be detrimental to a companyâs long-term prosperity. We need to show how using our security risk management will ultimately benefit the company's work by improving policies and procedures and reducing other expenses through the use of risk principles management.
Accenture identifies seven key areas they should focus on to strengthen their safeguards against aggressors to ensure effective cyber-security for insurers.
Ernst & Young visuals security survey 2012Advent IM Ltd
Â
Risk and Security not always aligned. Not enough non IT focus on security. Hardly surprising that organisational Information Security needs are not being met in enough organisations.
How to integrate risk into your compliance-only approachAbhishek Sood
Â
Information security policies and standards can oftentimes cause confusion and even liability within an organization.
This resource details 4 pitfalls of a compliance-only approach and offers a secure method to complying with policies and standards through a risk-integrated approach.
Uncover 4 Benefits of integrating risk into your compliance approach, including:
Reduced risk
Reduced deployment time
And 2 more
To shed light on the disruptions occurring in interpreting risks, Insights Success has enlisted âThe 10 Most Trusted ERM Solution Providers, 2018â, which are providing an innovative approach and framework in identifying risks and resolving them.
Enterprise Strategy Group: The Big Data Security Analytics Era is HereEMC
Â
This analyst report explains that organizations can no longer rely on preventive security systems, point security tools, manual processes, and hardened configurations to protect against targeted attacks. Henceforth, security management must be based on continuous monitoring and big data analysis for situational awareness and rapid decisions.
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
Â
This report from the Security for Business Innovation Council (SBIC), sponsored by RSA, contends that keeping pace with cyber threats requires an overhaul of information-security processes and provides actionable guidance for change.
The case of the Western Region Municipality, Abu Dhabi was presented at the CISO Asia Summit in Singapore (2014). This presentation showcases both the ADSIC Information Security Programme and how the government entities benefit from such strategic initiative in Information Security.
Ernst & Young visuals security survey 2012Advent IM Ltd
Â
Risk and Security not always aligned. Not enough non IT focus on security. Hardly surprising that organisational Information Security needs are not being met in enough organisations.
How to integrate risk into your compliance-only approachAbhishek Sood
Â
Information security policies and standards can oftentimes cause confusion and even liability within an organization.
This resource details 4 pitfalls of a compliance-only approach and offers a secure method to complying with policies and standards through a risk-integrated approach.
Uncover 4 Benefits of integrating risk into your compliance approach, including:
Reduced risk
Reduced deployment time
And 2 more
To shed light on the disruptions occurring in interpreting risks, Insights Success has enlisted âThe 10 Most Trusted ERM Solution Providers, 2018â, which are providing an innovative approach and framework in identifying risks and resolving them.
Enterprise Strategy Group: The Big Data Security Analytics Era is HereEMC
Â
This analyst report explains that organizations can no longer rely on preventive security systems, point security tools, manual processes, and hardened configurations to protect against targeted attacks. Henceforth, security management must be based on continuous monitoring and big data analysis for situational awareness and rapid decisions.
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
Â
This report from the Security for Business Innovation Council (SBIC), sponsored by RSA, contends that keeping pace with cyber threats requires an overhaul of information-security processes and provides actionable guidance for change.
The case of the Western Region Municipality, Abu Dhabi was presented at the CISO Asia Summit in Singapore (2014). This presentation showcases both the ADSIC Information Security Programme and how the government entities benefit from such strategic initiative in Information Security.
From Cave Man to Business Man, the Evolution of the CISO to CIROPriyanka Aash
Â
The CISO is evolving to CIRO. Successful IT security leaders are transforming their skills to meet the demands for today and future needs of their organization. A CIRO understands how to prepare board presentations, information risk management, third-party risk and regulatory requirements, and how to balance those with the needs of the business. Earn your seat at the table by becoming a CIRO!
(Source: RSA USA 2016-San Francisco)
Cyber Security: Take a Security Leap Forwardaccenture
Â
High performing organizations align their security approach with the business objectives to improve security effectiveness across strategy, technology and governance.
Australian organisations are an attractive target for cyber-crime and espionage. Our latest research shows how leading enterprises are achieving outsized results, providing a guide to all organisations seeking to ensure they are a tough nut to crack.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest
risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companiesâ IT security priorities around processes, practices and technology for 2012 and beyond.
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Accenture Technology
Â
Business theft and fraud have morphed into significant new threats as companies battle well-funded, highly motivated digital adversaries. Cyber defense rules have clearly changed.
Executive leaders must recognize how exposed their organizations are today and take steps to establish a holistic, end-to-end security strategy capable of protecting their most valuable assets and business operations.
Learn how an integrated approach, strategic reach and measurement systems of Influencers point to a new kind of security organization and a new breed of leader. For more information on IBM Systems, visit http://ibm.co/RKEeMO.
Visit the official Scribd Channel of IBM India Smarter Computing at http://bit.ly/VwO86R to get access to more documents.
Insights from the IBM Chief Information Security Officer AssessmentIBM Security
Â
To obtain a global snapshot of security leadersâ strategies and approaches, the IBM Center for Applied Insights conducted double-blind interviews with 138 security leaders â the IT and line-of-business executives responsible for information security in their enterprises. Some of these leaders carried the title of Chief Information Security Officer (CISO), but given the diversity of organizational structures, many did not. The Center supplemented this quantitative research through in-depth conversations with 25 information security leaders.
Participation spanned a broad range of industries and seven different countries. Nearly 20 percent of the respondents lead information security in enterprises with more than 10,000 employees; 55 percent are in enterprises with 1,000 to 9,999 employees.
Assessing and Managing IT Security RisksChris Ross
Â
Data privacy and protection has become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data centric security and the need for improvement in automated security controls and metrics reporting.
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ââ
Â
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the
edges of the network even more blurred, and our definitions of data ownership and breach
responsibility continue to evolve. Staffing and training continue to be the foremost challenge
of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures
that require less in-house expertise. As a result, highly skilled security team members can then
be utilized for a more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field
of cyber security. On one hand, it is disheartening to see the continued decline in the maturity
and effectiveness of security operations, while, on the other, I know that we are in the middle
of an exciting and transformative change in our field. You can feel it. We must go where the
data leads us, and we believe that is to widen our definition of security operations to leverage
analytics, data science, Big Data, and shared intelligence to become more effective in protecting
todayâs digital enterprise.
Digital has increased businessesâ cybersecurity risk â and yet few have elevated security to a senior leadership concern, according to our recent research. Hereâs what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
Information Security assessment of companies in Germany, Austria and Switzerland, February 2015.
Every day critical security incidents show the drastic extent of "successful" cyber attacks for organizations in terms of monetary and material loss. With increasing use of digital technologies and the growing spread of mobile and IoT cyber security is becoming a key factor for companiesâ successful digital transformation. To analyze current challenges, trends and maturity of companies state of information security, Capgemini Consulting DACH conducted a survey in Germany, Austria and Switzerland. The 2014 Information Security Benchmarking Study shows that information security is insufficiently embedded in most companiesâ business strategy and operations to effectively safeguard organizations against current cyber threats.
https://www.de.capgemini-consulting.com/resources/information-security-benchmarking
For Corporate Boards, a Cyber Security Top 10David X Martin
Â
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good management-practices perspective rather than a technical perspective.
Similar to The Cyber Security Leap: From Laggard to Leader (20)
Open Insurance - Unlocking Ecosystem Opportunities For Tomorrowâs Insurance I...Accenture Insurance
Â
For early adopters, open insurance offers new revenue streams, increased customer engagement and continued market relevance.
Learn more: https://www.accenture.com/us-en/insights/insurance/open-insurance
Accenture's report explains how natural language processing and machine learning makes extracting valuable insights from unstructured data fast. Read more. https://www.accenture.com/us-en/insights/digital/unlocking-value-unstructured-data
Open Insurance - Unlocking Ecosystem Opportunities For Tomorrowâs Insurance I...Accenture Insurance
Â
For early adopters, open insurance offers new revenue streams, increased customer engagement and continued market relevance.
Learn more: https://www.accenture.com/us-en/insights/insurance/open-insurance
Accenture's report explains how creating effortless experiences are so simple and easy with our data-driven strategy framework to drive growth. Read more.
Whole-brain leadership prepares C-suites for the digital challenges ahead, ensuring seamless growth and high-value problem solving capabilities. Read more.
Wise Pivot is a strategy fit for the digital age that can help companies pursue new growth opportunities. Read more on how to choose your pivot wisely.
Wise Pivot is a strategy fit for the digital age that can help companies pursue new growth opportunities. Read more on how to choose your pivot wisely.
Accenture's Applied Customer Engagement (ACE) is a proven approach to re-thinking and revitalizing contact center operations for the digital era. Read more.
ALIP customers Get MoreâŚmore product launches, more out-of-the-box functionality and efficiency, more personalized digital capabilities, more delivery âknow howâ. Read more.
Way Beyond Marketing - The Rise of the Hyper-Relevant CMOAccenture Insurance
Â
Accenture's CMO Survey unveils some important insights on the role of the new CMO and how the role is changing in the digital age. Read more: https://www.accenture.com/us-en/insights/consulting/cmo
Improving profitability for small businessBen Wann
Â
In this comprehensive presentation, we will explore strategies and practical tips for enhancing profitability in small businesses. Tailored to meet the unique challenges faced by small enterprises, this session covers various aspects that directly impact the bottom line. Attendees will learn how to optimize operational efficiency, manage expenses, and increase revenue through innovative marketing and customer engagement techniques.
LA HUG - Video Testimonials with Chynna Morgan - June 2024Lital Barkan
Â
Have you ever heard that user-generated content or video testimonials can take your brand to the next level? We will explore how you can effectively use video testimonials to leverage and boost your sales, content strategy, and increase your CRM data.đ¤Ż
We will dig deeper into:
1. How to capture video testimonials that convert from your audience đĽ
2. How to leverage your testimonials to boost your sales đ˛
3. How you can capture more CRM data to understand your audience better through video testimonials. đ
Building Your Employer Brand with Social MediaLuanWise
Â
Presented at The Global HR Summit, 6th June 2024
In this keynote, Luan Wise will provide invaluable insights to elevate your employer brand on social media platforms including LinkedIn, Facebook, Instagram, X (formerly Twitter) and TikTok. You'll learn how compelling content can authentically showcase your company culture, values, and employee experiences to support your talent acquisition and retention objectives. Additionally, you'll understand the power of employee advocacy to amplify reach and engagement â helping to position your organization as an employer of choice in today's competitive talent landscape.
Buy Verified PayPal Account | Buy Google 5 Star Reviewsusawebmarket
Â
Buy Verified PayPal Account
Looking to buy verified PayPal accounts? Discover 7 expert tips for safely purchasing a verified PayPal account in 2024. Ensure security and reliability for your transactions.
PayPal Services Features-
đ˘ Email Access
đ˘ Bank Added
đ˘ Card Verified
đ˘ Full SSN Provided
đ˘ Phone Number Access
đ˘ Driving License Copy
đ˘ Fasted Delivery
Client Satisfaction is Our First priority. Our services is very appropriate to buy. We assume that the first-rate way to purchase our offerings is to order on the website. If you have any worry in our cooperation usually You can order us on Skype or Telegram.
24/7 Hours Reply/Please Contact
usawebmarketEmail: support@usawebmarket.com
Skype: usawebmarket
Telegram: @usawebmarket
WhatsApp: +1âŞ(218) 203-5951âŹ
USA WEB MARKET is the Best Verified PayPal, Payoneer, Cash App, Skrill, Neteller, Stripe Account and SEO, SMM Service provider.100%Satisfection granted.100% replacement Granted.
Putting the SPARK into Virtual Training.pptxCynthia Clay
Â
This 60-minute webinar, sponsored by Adobe, was delivered for the Training Mag Network. It explored the five elements of SPARK: Storytelling, Purpose, Action, Relationships, and Kudos. Knowing how to tell a well-structured story is key to building long-term memory. Stating a clear purpose that doesn't take away from the discovery learning process is critical. Ensuring that people move from theory to practical application is imperative. Creating strong social learning is the key to commitment and engagement. Validating and affirming participants' comments is the way to create a positive learning environment.
Discover the innovative and creative projects that highlight my journey throu...dylandmeas
Â
Discover the innovative and creative projects that highlight my journey through Full Sail University. Below, youâll find a collection of my work showcasing my skills and expertise in digital marketing, event planning, and media production.
3.0 Project 2_ Developing My Brand Identity Kit.pptxtanyjahb
Â
A personal brand exploration presentation summarizes an individual's unique qualities and goals, covering strengths, values, passions, and target audience. It helps individuals understand what makes them stand out, their desired image, and how they aim to achieve it.
3. 3
Introduction
If your company is like most, security has risen to the top of the agenda amongst C-suite
executives and boards of directors. Rapidly evolving security threats pose an ongoing, central
challenge, as companies and governments face an increasingly sophisticated threat environment.
Large global organizations with industry presence and value may be of special interest for
adversaries, whether they be individuals, organized crime or nation states. Forrester predicts that
at least 60 percent of enterprises will discover a breach in 2015, but says the actual number of
breached entities will be much higherâ80 percent or more.1
How can organizations become more
effective in meeting increasing security
challenges? How can organizations more
quickly detect security threats, malicious
attacks and data breaches? For those
looking to improve their overall security
posture and establish programs that can
help improve their ability to detect and
respond to various security threats, the
time to evaluate strategy and capabilities
is now.
Accenture, in collaboration with the
Ponemon Institute LLC, conducted a study
to identify the success factors of companies
that demonstrated at least 25 percent
improvement in Security Effectiveness
Scoring over a period of two years, and an
average gain of 53 percent, the Leapfrogs.
The study encompassed 237 organizations,
divided into those who had significantly
increased their security performance and
those who remained static. The research
identified important differences in how the
two groups addressed security strategy,
innovation, technology and governance.
For example, characteristics of effective
security strategies include alignment with
business objectives and accountability
throughout the organization. Leapfrog
organizations recognize the need for
innovation to strengthen their security
position and keep pace with evolving
needs. The use of enabling and advanced
technologies helps the Leapfrog companies
take a proactive stance to protect their
networks and data. Governance measures
such as metrics, benchmarking, risk
management procedures and ongoing
communications with the C-suite and
board of directors reflect the importance
that the Leapfrog organizations place on
their security policies and programs.
4. 4
Key study findings
In examining the characteristics of Leapfrog and Static companies, key themes emerged:
THEME 1
Innovation and strategy
separate Leapfrog from
Static companies
THEME 2
Leapfrog organizations
respond to changes in the
threat landscape
THEME 3
CISO is a strategic role
THEME 4
Importance of controls and
governance practices
THEME 5
Security technologies that
support Leapfrog companies
THEME 6
Leapfrog companies
invest in security
Ready to leapfrog?
Security is a top business priority for Leapfrog companies, and itâs aligned with the
organizationâs strategic goals. This is evidenced by a focus on innovation to achieve a strong
security posture, open communication with the CEO and corporate boards on security incidents,
and deployment of enterprise risk management procedures.
Leapfrog companies embrace new and
disruptive security technologies as part
of their strategy, and are proactive in
responding to major changes in the threat
landscape. CISO has the authority to
define and manage the companyâs security
strategy. Finally, budget and spending levels
for security and security innovation steadily
increased for these companies over the past
two years.
For Static companies, however, security
operates under a veil of stealth, secrecy
and underfunding. Security efforts focus on
prevention and prioritizing external threats.
Security programs are driven by compliance
with regulations and policies, and security
is viewed as a trade-off with employee
productivity. CISOs of Static companies
describe their budgets as inadequate for
meeting the companyâs security mission.
5. Figure 1. Perceptions about the state of security innovation
Items scored using 10-point scales
7.2
7.7
8.1
6.0
5.3
6.1
What is your organizationâs level of security
innovation today?
From 1 = low to 10 = high
Static Leapfrog
How has your organizationâs level of security
innovation changed over the past 24 months?
1 = no change to 10 = rapid change
What is the relative importance of security
innovation to achieving a strong security posture?
From 1 = not important to 10 = very important
Figure 2. Strategy characteristics where Leapfrog companies excel
Percent âyesâ response
54%
51%Threat intelligence is shared
55%
48%Security function utilizes risk
management techniques
57%
45%Security leaders have clearly deďŹned lines
of responsibility and authority
57%
40%Physical and logical security are integrated
61%
44%Business needs sometimes trump
security requirements
62%
47%Core security operations are outsourced
63%
40%Security objectives are aligned with
business objectives
64%
53%Accountability for security is pushed
down to the employee and supervisor level
68%
42%Company has experienced marked changes
in security management
69%
45%Information security is a business priority
70%
55%Company has an officially sanctioned
security strategy
Static Leapfrog
60%
53%Security incidents are reported to the
CEO and board
63%
53%Employees are made fully aware of
security requirements
5
THEME 1
Innovation and strategy: separating the leapfrogs
from the laggards
Security innovation is valued
by Leapfrog companies
Leapfrog companies have made significant
increases to their level of security
innovation, seeking out new approaches
to emerging problems. In trying to address
whatâs to come, Leapfrog organizations
work to develop the next generation of
solutions, collaborating with groups such
as universities, research and development
organizations, venture capitalists or
start-ups to shape their technology
landscape. In contrast to Static companies,
Leapfrog companies are more likely to
place significant importance on security
innovation in order to achieve a strong
security posture (Figure 1).
Leapfrog companies are more likely to have
an officially sanctioned security strategy,
and this strategy is more likely to be the
main driver to their organizationâs security
program. There are multiple security
strategy characteristics where Leapfrog
companies excel over Static companies
(Figure 2).
A sound security strategy is clearly a
priority for Leapfrog organizations, and
the results show that many (68 percent)
have significantly changed their approach
to security management in recent years.
Changes could include creating a new CISO
role, allocating dedicated security budget
or significantly expanding the security
team. Leapfrog companies are more likely
to consider information security a business
priority and align their security objectives
with business objectives. They view security
as an enabler to achieving business
objectives, and are able to adapt if security
hinders their objectives in exceptional
situations (âBusiness needs sometimes
trump security requirementsâ).
6. Figure 3. Characteristics of Static organizations
Percent âyesâ response
27%
45%
35%
39%
47%
41%
41%
46%
53%
55%
55%
61%
Security requirements are perceived as diminishing employee productivity
Globalization inďŹuences local security requirements
Security efforts emphasize compliance with regulations and policies
Security efforts mainly focus on prevention
Security efforts prioritize external threats
Security operations operate under stealth and secrecy
Static Leapfrog
6
Security incidents that happen within
Leapfrog companies are more likely to
be reported to the CEO and board of
directors. The Leapfrog companies use risk
management techniques to determine their
security strategy and integrate physical and
logical security systems. Responsibilities
and authority pertaining to security are
clearly defined. Employees are not only
made aware of security requirements, but
held accountable for following security
processes.
Many Leapfrog companies outsource core
security operations, which can significantly
increase their security effectiveness
without requiring extensive investments in
technology or expert resources. Outsourcing
can introduce risk, so itâs critical to evaluate
what can be outsourced and then select
the right managed services companyâwith
this approach, Leapfrog organizations have
been able to mature their security functions
rapidly.
While Leapfrog and Static organizations
rank almost equally in sharing threat
intelligence, the other characteristics
listed in Figure 2 demonstrate that simply
exchanging information is not enough for
effective security. Security intelligence is
important. However, organizations need
to be able to ingest it in order to respond
appropriately.
In contrast to the Leapfrog characteristics,
Static companies are more likely to operate
their security policies under stealth and
secrecy, and view security as diminishing
to employee productivity. There are key
security program characteristics that
dominate Static organizations (Figure 3).
Static organizations believe that
regulations, rather than strategy, drive
the organizationâs security requirements.
Security efforts focus on external threats,
and are more likely to emphasize prevention
rather than detection or containment.
These types of characteristics do not
support companies making significant
improvements in the effectiveness of their
security posture.
7. 7
Figure 4. Impact of emerging threats on the security ecosystem
Items scored using a 10-point scale from 1 = low to 10 = high impact on security ecosystem
8.6
7.8
5.6
5.5Denial of service
6.1
6.3
Web-based attacks
6.4
5.8Insecure mobile devices
6.5
6.1SQL injection
6.5
6.0Unauthorized cloud access
6.8
5.4Social engineering
7.5
6.7Malicious insiders
7.9
6.7
Phishing
8.3
7.3Malware
Advanced persistent threats
Static Leapfrog
7
THEME 2
Leapfrog organizations respond to changes in the threat landscape
Leapfrog organizations are
proactive in addressing
major changes to the threat
landscape
They recognize that persistent attacks
should change the companyâs approach to
IT security and adapt their security posture
in response to threats. Different security
threats continue to emergeâthe research
evaluated the level of impact those
threats had on the organizationsâ security
ecosystem and how the organizations
responded (Figure 4).
The biggest changes to security strategy
in Leapfrog organizations were made in
response to advanced persistent threats
(APTs) and malware. In comparison to
Static companies, Leapfrog companies also
made more significant changes in response
to phishing, malicious insiders and social
engineering. Examples of the changes
implemented by Leapfrog companies
include specialized training and awareness
activities to help employees recognize
phishing emails and the implementation of
sophisticated monitoring tools to identify
suspicious employee behaviors.
Static companies appear to be less
proactive in changing their security strategy
when new and emerging developments
occur.
8. Figure 5. The CISO role in Leapfrog and Static organizations
49%
51%
53%
60%
65%
71%
71%
49%
42%
55%
58%
64%
58%
60%
CISO has the ďŹnal word in security technology
investments
CISO has a direct channel to CEO in the event
of a serious security incident
CISO has direct inďŹuence and authority over all
security expenditures
CISO is responsible for enforcing security policies
CISO has direct authority over the hiring and
ďŹring of security personnel
CISO directly reports to a senior executive and is
no more than three steps below the CEO
CISO is responsible for deďŹning security strategy
and initiatives
Static Leapfrog
8
THEME 3
CISO is a strategic role
Both Leapfrog and Static organizations
have a CISO; the important differences lie
in how that role is viewed and executed.
Across all organizations studied, the
CISO has hiring/firing authority, holds
responsibility for enforcing security
policies and has authority over budget and
investment decisions.
Within Leapfrog organizations, however, the
CISO is more likely to directly report to a
senior executive, set the security mission by
defining strategy and initiatives, and have a
direct channel to the CEO in the event of a
serious security incident.
Since both Leapfrog and Static
organizations have CISOs, the existence of
that role within an organization is not a
determining factor in security effectiveness.
What matter are factors that reflect the
strategic value of the CISOâincluding
the ability to define security strategy and
programs, and the relationship between the
CISO, the CEO and the board of directors.
In Static organizations, that relationship
is filtered through several levels of
operational management, muting the true
picture of operational risk needed to guide
the business.
9. 9
Leapfrog companies excel
in governance
Both groups of companies identified
the importance of appointing a CISO
for the organization, recruiting expert
IT security personnel and background
checks for all privileged users as critical
to achieving a strong security posture.
However, the Leapfrog companies believe
disaster recovery and business continuity
management practices are important. Static
companies, on the other hand, are more
likely to cite clearly defined IT security
policies and standard operating procedures
(SOP) than Leapfrog companies.
The governance practices of Leapfrog and
Static companies vary significantly by
attribute (Figure 6). Leapfrog companies are
more likely to have advanced governance
practicesâranging from regular reports
on the state of security to the board, to
deployment of enterprise risk management
procedures. They are more likely to adopt
metrics for evaluating security operations,
benchmarking of security operations
against peers or reference groups, and
conduct post-mortem reviews of security
compromises and data breach incidents.
Static companies are more likely to create
a self-reporting process for compliance
violations, which can be less effective.
Strong governance and controls lead to
established security policies, clearly defined
responsibilities and accountability. A good
security posture is achieved when decisions
follow structured policies, helping the
organizationâs risk remain at acceptable
levels.
Figure 6. Governance practices of Leapfrog and Static companies
Items scored using a 10-point scale from 1 = not important to 10 = very important
6.5
4.8
3.3
4.5Creation of a self-reporting process for
compliance violations
4.7
3.5Benchmarking of security operations against
peer or reference group
7.8
6.5Deployment of metrics for evaluating security
operations
7.2
5.7Deployment of enterprise risk management
procedures
Regularly scheduled reporting on the state of
security to the board
Panel A: Maximum Differences
Static Leapfrog
Panel B: Minimum Differences
4.9
3.9Post-mortem review of security compromises
and data breach incidents
6.1
5.4Creation of a cross-functional committee to
oversee security governance practices
5.9
6.1Creation of an officially sanctioned security
program office
5.7
5.6Establish communication protocols from the
CISO to other C-level executives
8.5
8.5Appointment of a security leader (CISO) with
enterprise responsibility
Static Leapfrog
THEME 4
Importance of controls and governance practices
10. 10
Certain technologies separate
Leapfrog and Static companies
Leapfrog companies exceed Static
companies in viewing the following features
of security technologies as very important:
pinpointing anomalies in network traffic;
prioritizing threats, vulnerabilities and
attacks; curtailing unauthorized sharing of
sensitive or confidential data; and enabling
adaptive perimeter controls (Figure 7). In
contrast, Static companies exceed Leapfrog
companies in believing the following
are more important features of security
technologies: controlling insecure mobile
devices including BYOD, limiting access
for insecure devices and enabling efficient
backup functionality.
Leapfrog companies demonstrate higher
engagement with new and disruptive
technologies; they also focus more on
securing the network and the cloud, as
opposed to focusing on individual devices.
Static companies tend to focus on locking
things down, which can prevent business
growth. Within Leapfrog companies,
business strategy is used to inform security
strategy.
Figure 7. Features of enabling security technologies for Leapfrog and Static companies
Items scored using a 10-point scale from 1 = not important to 10 = very important
Panel A: Static Exceeds Leapfrog
6.30
6.70Enable efficient backup functionality
7.16
7.76Control insecure mobile devices including
BYOD
6.03
7.18Limit insecure devices from accessing
security systems
6.17Control endpoints and mobile connections
6.09
Static Leapfrog
Panel B: Leapfrog Exceeds Static
7.50
7.12
Enable adaptive perimeter controls
8.44
7.91
Prioritize threats, vulnerabilities and attacks
7.13
6.48Provide intelligence about the threat
landscape
8.27
7.56Provide advance warning about threats and
attackers
8.55
7.45
Pinpoint anomalies in network traffic
8.13
7.01Curtail unauthorized sharing of sensitive or
conďŹdential data
7.18
6.00Secure (encrypt) data stored in cloud
environments
6.33
4.94Establish security protocols over big data
Static Leapfrog
THEME 5
Security technologies that support Leapfrog companies
11. 11
Security budgets in Leapfrog
companies include funding
for innovations in information
technologies
Leapfrog companies are more likely to
have a dedicated budget for its security
programs and have allocated more money
toward security over the past few years
(Figure 8). They also have a fund dedicated
to innovations in information technologies.
These companies are more positive about
having enough funding to meet their
mission and objectives.
In contrast to Leapfrog companies, Static
companies are less likely to have a dedicated
budget for their security programs, have
more budget resources allocated to
prevention than detection activities and
are also less likely to spend on strategic
initiatives.
Figure 8. Security budget considerations for Leapfrog and Static companies
51%
40%
35%
27%The security budget includes earmarks for
strategic initiatives
36%
21%The company has dedicated funds for
security innovations
43%
40%Investments in security technologies are
systematically evaluated for effectiveness
44%
31%The present funding level is adequate for
meeting mission and objectives
Budget resources are allocated by risk level
57%
44%The budget level has increased over the
past few years
65%
55%The CISO is accountable for budgets or
discretionary spending
81%
64%The security program has a dedicated
budget
Static Leapfrog
THEME 6
Leapfrog companies invest in security
12. 12
Benchmark interviews with participating
companies allowed us to compile a
subjective probability estimate of a material
data breach involving the loss or theft of
10,000 or more records. Leapfrog companies
experienced a negative percentage change,
which means the likelihood of material data
breaches has decreased over time (Figure 9).
In contrast, Static companies experienced a
positive percentage change, indicating that
the perceived likelihood of material data
breaches has slightly increased over time.
Similar to the above analysis, our
benchmarking process allowed us to
compile a subjective probability estimate
for the theft or exfiltration of high-
value information. Leapfrog companies
experienced a reduction in the likelihood
of exfiltration of intellectual property
over time (Figure 10). In contrast, Static
companies experienced a positive
percentage change, indicating that the
perceived exfiltration risk has increased
over time.
Figure 9. Net change in the probability of a significant disruption
FY 2012 FY 2013 FY 2014 % Net Change
25.0%
21.7%
24.6%23.9%
15.1%
25.3%
5.7%
-49.4%
Leapfrog Static
Research predictions
Figure 10. Net change in the probability of high-value information theft
FY 2012 FY 2013 FY 2014 % Net Change
17.8% 18.5%18.7%
11.6%
21.2%
12.5%
-46.4%
Leapfrog Static
18.6%
13. 13
Figure 11. Net change in the probability of a material data breach
FY 2012 FY 2013 FY 2014 % Net Change
16.5% 18.3%20.9%
14.3%
22.0%
5.1%
-36.1%
Leapfrog Static
20.6%
We also compiled subjective probability
estimates that Leapfrog and Static
companies would experience a substantial
cyber attack that could disrupt business
operations or IT infrastructure (Figure
11). Here again, Leapfrog companies
experienced a negative percentage change,
which means the perceived likelihood of
substantial disruptions has decreased over
time. Static companies experienced an
increase over time.
14. 14
Conclusion
The scale and scope of recent breaches have made security top of mind for the C-suite and
boards of directors around the globe. Cyber security posture and cyber defense capabilities
are at the forefront of business resilience and brand trust. Lost reputation is the number one
consequence experienced by companies, with 52 percent of companies saying loss of reputation,
brand value and marketplace image were the biggest impacts of a data breach.2
Costs relating to
security breaches are also extensive. The average time to contain a cyber attack is 31 days, with
an average cost of $639,462 during that period.3
Traditional monitoring defenses are
inadequate. Organizations must use
advanced techniques to identify and
contextualize threats. Studying and
implementing the practices exhibited
by Leapfrog organizations can provide
an approach to help improve security
effectiveness, within a relatively short time
frame.
Are you ready to more tightly align a strong
security strategy with your organizationâs
business goals? Starting with the C-suite,
itâs time to champion and achieve a strong
security postureâeffectively communicating
with all employees. By holding everyone
accountable for achieving security
objectives, you will eliminate security silos
within your organization.
Embracing innovative solutions will keep
increasingly sophisticated and stealthy
cyber criminals from attacking your
company. For example, big data analytics
and shared threat intelligence can increase
the organizationâs effectiveness in stopping
cyber attacks.
Leverage advanced technologies and
innovation to proactively develop security
capabilities that enhance the user
experience and productivity. Balance
efforts across prevention, detection
and response. Companies should
actively invest in security intelligence
technologies to improve threat
identification and enable cyber defense,
while also streamlining the IT security
infrastructure to avoid redundancy and
complexity.
As part of establishing better governance
and controls, CISOs should foster a strong
working relationship with their boards
and create greater visibility into business
processes. They need to educate and
collaborate to successfully articulate
and prioritize business risk, including
insider-related risks. The strategy should
be continually assessed to evolve with the
organizationâs posture and get the best
use out of resources.
In conclusion, Leapfrog companies are
taking an active stance. The questions for
leaders are: How well is your organization
positioned to actively defend your business?
What will your company do to expand and
innovateâwith the confidence of knowing
your security investment is an enabler of
strategic growth?
Hop in the driverâs seat and consider the
recommended measures outlined from the
research. You can leapfrog your companyâs
security position, align your business goals
and proactively make your move to address
the changing threat landscape to achieve
high performance.
15. 15
Research methodology
This research looks to identify the main factors contributing to an organizationâs improved security
postureâor leapfrogging from a level of low to high performance in its security ecosystem.
To estimate the security posture of
organizations, we used the Security
Effectiveness Score (SES) as part of the
survey process.4
The SES was developed by
Ponemon Institute in its annual encryption
trends survey to define the security
effectiveness of responding organizations.
We define an organizationâs security
effectiveness as being able to achieve
the right balance between efficiency and
effectiveness across a wide variety of
security issues and technologies.
The SES is derived from the rating of 48
security features or practices. This method
has been validated by more than 60
independent studies conducted since June
2005. The SES provides a range of +2 (most
favorable) to -2 (least favorable). A result
for a given organization greater than zero
is viewed as net favorable, which means
the organizationâs investment in people and
technology is both effective in achieving its
security mission and efficient. Hence, they
are not squandering resources and are still
being effective in achieving their security
goals. A negative SES has the opposite
meaning.
For this research, we evaluated hundreds
of companies that were previously
benchmarked so that changes in the
organizationsâ SES scores could be
measured and evaluated. Based on that
analysis, we divided the sample into the
following groups:
Leapfrog sample: 110 companies that
experienced a 25 percent or greater
increase in their SES over a two-year
period. The average increase in SES for
these companies was 53 percent.
Benchmark characteristics
Benchmark samples
110 137110 137
Current SES
110 1370.678 0.396
Net Change
110 1370.286 0.008
Percentage Net Change
110 13753% 2%
Baseline SES
110 1370.392 0.388 %
StaticLeapfrog
Static sample: 137 companies that
experienced no more than a 5 percent net
change in their SES over a two-year period,
with an average change of 2 percent.
This sample was matched to the Leapfrog
sample based on industry, size and global
footprint.
In this report we describe the differences
between these companies in an effort to
understand how companies can advance
from laggard to leader. The factors
addressed in this research encompass
strategy, technology and governance.
16. 16
Figure 12. Distribution of the Leapfrog and Static samples by industry segment
1%
1%
Communications
1%
1%
Education & research
4%
3%
Hospitality
4%
3%
Other
5%
4%Transportation
5%
4%Technology & software
5%
6%
Consumer
6%
6%
Health & pharmaceutical
8%
9%
Industrial
8%
8%
Energy & utilities
10%
10%
Retail
14%
14%
Services
14%
13%
Public sector
15%
17%
Financial services
Static (n=137) Leapfrog (n=110)
We interviewed senior-level IT and IT
security practitioners from the 247
companies identified in the SES analysis to
determine how these organizations were
responding to security requirements and
related challenges. From those interviews,
common characteristics for each type of
company emerged.
A total of 247 companies participated in
this study. All companies were previously
benchmarked and cataloged in Ponemon
Instituteâs proprietary database consisting
of 1,208 companies (at the time of this
research). Our first step was to identify
companies that experienced a 25 percent or
greater increase in their SES over a two-
year period. This resulted in 110 Leapfrog
companies.
Our second step was to select a second
independent sample that did not experience
an increase in SES over two years. The
sample was then matched to the Leapfrog
sample based on industry, headcount and
global footprint. This resulted in 137 Static
companies.
The industry of benchmarked organizations
for Leapfrog and Static was well distributed.
As can be seen, financial services, public
sector (government), services and retail
organizations represent the four largest
segments (Figure 12).
17. 17
Figure 13. Distribution of the Leapfrog and Static samples by employee headcount
As can be seen, the majority of companies
in both Leapfrog and Static samples are
larger-sized organizations with 5,000
or more full-time equivalent employees
(Figure 13).
Data collection methods did not include
actual tests of each companyâs security
posture, but instead relied upon self-
assessment and survey. The benchmark
instrument required knowledgeable
individuals within each company to rate
security-related characteristics using
objective questions with fixed-formatted
scales.
To keep the benchmarking process to a
manageable size, we carefully limited items
to only those activities considered crucial
to the measurement of IT or cyber security
characteristics. Based upon discussions
with learned experts, the final set of items
included a fixed set of cost activities. Upon
collection of the benchmark information,
each instrument was reexamined carefully
for consistency and completeness.
For purposes of complete confidentiality,
the benchmark instrument did not capture
any company-specific information. Subject
materials contained no tracking codes or
other methods that could link responses to
participating companies.
10%
8%
Less than
1,000
1,000 to
5,000
5,001 to
10,000
10,001 to
25,000
25,001 to
75,000
More than
75,000
8%
9%
28%
12%
27%
25%
23%
17%
18%
11%
10%
Leapfrog (n=110) Static (n=137)
18. 18
Figure 14. Net change in SES over two years for Leapfrog and Static samples
SES Index is a continuous value between -2 and +2.
Validation of the SES for
the Leapfrog and Static
matched samples
The average SES index values were used to
define and bifurcate two matched samples
(Figure 14). It clearly shows the Leapfrog
sample as significantly improving its SES
(two-year net change at 0.286), while
the Static sample shows only a nominal
increase (two-year net change at 0.008).
This study utilizes a confidential and
proprietary benchmark method that has
been successfully deployed in earlier
research. However, there are inherent
limitations with this benchmark research
that need to be carefully considered before
drawing conclusions from findings.
⢠Non-statistical results: Our study draws
upon a representative, non-statistical
sample of organizations. Statistical
inferences, margins of error and
confidence intervals cannot be applied
to this data given that our sampling
methods are not scientific.
⢠Non-response: The current findings are
based on two matched samples defined
by net change in SES index values over
two years. This benchmarking process did
not include tests for non-response. Hence,
it is always possible companies that did
not participate are substantially different
in terms of underlying security posture.
⢠Sampling-frame bias: Our sampling
frame is a proprietary benchmark
database created and maintained by
Ponemon Institute for more than a
decade. We acknowledge that the quality
of empirical results is influenced by the
degree to which the sampling frame
is representative of the population of
companies being studied. Further, it is
our belief that the current sampling
frame is biased toward larger-sized
organizations with more mature IT
security programs.
⢠Company-specific information: The
benchmark information is sensitive and
confidential. Thus, the current instrument
does not capture company-identifying
information. It also allows individuals
to use categorical response variables to
disclose demographic information about
the company and industry category.
⢠Unmeasured factors: To keep the
interview script concise and focused,
we decided to omit other important
variables from our analyses. The extent
to which omitted variables might explain
benchmark results cannot be determined.
⢠Extrapolated cost results: The quality
of benchmark research is based on
the integrity of confidential responses
provided by respondents in participating
companies. While certain checks and
balances can be incorporated into the
benchmark process, there is always the
possibility that respondents did not
provide accurate responses.
Baseline SES in FY 2012
0.392 0.388
Current SES in FY 2014
0.678
0.396
Net change
0.286
0.008
Leapfrog Static
20. For more information
Bill Phelps
Managing Director
Global Security Practice Lead
bill.phelps@accenture.com
Ryan LaSalle
Managing Director
Security Strategy Lead
ryan.m.lasalle@accenture.com
Lisa OâConnor
Managing Director
Security R&D Lead
Accenture Technology Labs
lisa.oconnor@accenture.com
Research Lead
Dr. Malek Ben Salem
Security Research and Development
Accenture Technology Labs
malek.ben.salem@accenture.com
About Ponemon Institute LLC
Ponemon Institute is dedicated to
independent research and education that
advances responsible information and
privacy management practices within
business and government. Our mission is
to conduct high quality, empirical studies
on critical issues affecting the management
and security of sensitive information about
people and organizations.
As a member of the Council of American
Survey Research Organizations (CASRO),
we uphold strict data confidentiality,
privacy and ethical research standards.
We do not collect any personally
identifiable information from individuals
(or company identifiable information in
our business research). Furthermore, we
have strict quality standards to ensure
that subjects are not asked extraneous,
irrelevant or improper questions. For more
information, visit www.ponemon.org.
About Accenture
Technology Labs
Accenture Technology Labs, the dedicated
technology research and development
(R&D) organization within Accenture, has
been turning technology innovation into
business results for more than 20 years.
Our R&D team explores new and emerging
technologies to create a vision of how
technology will shape the future and shape
the next wave of cutting-edge business
solutions.
Working closely with Accentureâs
global network of specialists, Accenture
Technology Labs helps clients innovate to
achieve high performance. The labs are
located in Silicon Valley, California; Sophia
Antipolis, France; Arlington, Virginia;
Beijing, China and Bangalore, India.
For more information, please visit
www.accenture.com/technologylabs.
About Accenture
Accenture is a global management
consulting, technology services and
outsourcing company, with more than
336,000 people serving clients in more
than 120 countries. Combining unparalleled
experience, comprehensive capabilities
across all industries and business functions,
and extensive research on the worldâs
most successful companies, Accenture
collaborates with clients to help them
become high-performance businesses and
governments. The company generated net
revenues of US$30.0 billion for the fiscal
year ended Aug. 31, 2014. Its home page is
www.accenture.com.
Copyright Š 2015 Accenture
All rights reserved.
Accenture, its logo, and
High Performance Delivered
are trademarks of Accenture.
This document makes descriptive reference to
trademarks that may be owned by others. The use
of such trademarks herein is not an assertion of
ownership of such trademarks by Accenture and is
not intended to represent or imply the existence of
an association between Accenture and the lawful
owners of such trademarks.
1
Forrester Research, Inc., âPredictions 2015: Security Budgets
will Increase, as will Breach Costs, Fines and Lawsuits,â
November 12, 2014. (https://www.forrester.com/Predictions+
2015+Security+Budgets+Will+Increase+As+Will+Breach+C
osts+Fines+And+Lawsuits/quickscan/-/E-res117864)
2
â2014: A Year of Data Breachesâ (Sponsored by Identity
Finder), Ponemon Institute: January 2015
3
2014 Global Report on the Cost of Cyber Crime, Ponemon
Institute: October 2014
4
The Security Effectiveness Score is a proprietary tool
developed by Ponemon Institute. For more information,
please contact Ponemon Institute at research@ponemon.org.