How to get cyber security right is now the big question facing executive leadership and security teams alike. The security posture of a company is now just as important to the CEO as it is to the CISO, especially if that company handles data and is rolling out digital initiatives, which, in the digital economy, describes the vast majority.
According to Kelly Bissell, the global senior managing director of Accenture Security, 93% of companies are now “internet companies,” meaning they work in digital and online spheres.
“The problem,” he said, “is that the internet was not designed with security in mind. This is the challenge companies face in getting cyber security right and is what Accenture Security, and others, are focused on helping solve.”
Below, Bissell — who is speaking at Information Age’s Women in IT Summit in New York later this year at the Grand Hyatt Hotel and is nominated for Male Ally at Women in IT Awards New York — helps Information Age dissect how organisations can get cyber security right, while explaining the importance of security by industry.
The role of Accenture Security
Made up of approximately 7,000 people around the world, Accenture Security helps organisations be more secure in the digital world, working with industries ranging from the public sector to banking, retail and oil and gas.
Security by industry
The aim of cyber security is to protect an organisation’s most critical assets from online threats.
However, the type of data that needs protecting, the supply chain and the internal environments of different industries vary wildly. That’s why Accenture Security focuses on security by industry.
Bissell gave the example of oil and gas. “Our lead in this space will help our clients in the oil and gas industry secure everything from the oil rig, to the refinery plant, the trading system that happens when they trade energy on the market and the petrol pump,” he explained.
Referring to another industry, “we have another team that will focus on the pharmaceutical industry and how they do joint ventures, everything from drug research, clinical trials, drug manufacturing and distribution,” he continued.
The point is that if “we look at an oil and gas company, or a pharmaceutical company, the cyber risk is very different. And we might use similar tools from different vendors, but the risks, regulations, the laws and how the companies operate are very different from each other,” Bissell added.
What industries are most at risk of cyber attacks?
With the advent of autonomous driving on the horizon and the explosion of connected cars, the automotive industry is at a greater risk than other industries.
“But, ultimately, there is no industry that is immune to cyber security issues,” advised Bissell.
Moving from a reactive to a proactive state of security
Organisations can no longer take a fully defensive or reactive approach to security, because the damage will have been done. Instead, organisations must be proactive.
In an organisation that has this attitude to cyber security, “the security lead must know their business inside and out, across the whole value chain of the company, from the rig to the petrol pump.
“They have to understand where the crown jewels [critical data] are across their company, who the bad guys are, what are they after and why — they need to understand the attacker much better than they have historically,” explained Bissell.
Only then, according to Accenture Security’s global senior managing director, can organisations put proactive controls in place that can protect those “crown jewels” and effectively detect when something is not right.
Moving from a reactive to a proactive state of security starts with knowing the business, identifying the critical assets and then building in the necessary protective and detective controls.
“The organisations that succeed in this partner with other players in the marketplace [vendors and consultancies], because no business is big enough to solve this problem on their own,” added Bissell.
A change in attitude to security
Regulations like the GDPR and the CCPA have caused companies to wake up and take data protection seriously.
To meet these increasingly stringent compliance requirements, organisations can’t take a compliance checkbox approach. Instead, a holistic, all-encompassing cyber security and data protection strategy is needed with a leader at the helm.
According to a recent survey from Accenture, an organisation is more secure when it gets a few things right. They achieve significantly better results from their cyber security technology investments and are better able to stop more attacks, find breaches faster, fix breaches faster and reduce breach impact.
How to get cyber security right: advanced technology and diversity
Bissell suggested that, in addition to the above, there are two more ways organisations can get cyber security right.
1. Advanced technologies
He said: “Using advanced technologies across the enterprise is critical. The bad guys are using technologies like AI and businesses must incorporate better technologies across their enterprise to gain an advantage over the attacker.”
2. Diversity
“It cannot be understated what an enormous advantage it is to have a diverse workforce in security. A diverse workforce will always be more likely to solve complex problems through creative innovation,” concluded Bissell.