According to a recent survey of C-level executives by Accenture Strategy, 63 percent of respondents said their companies experience cyberattacks at least once a week. The kicker is that the majority of these executives are just talking about it, without taking the full set of corrective measures that would give them the best shot at preventing those attacks.
In an email interview, Brian Walker, managing director of Accenture Technology Strategy, said it’s more likely a matter of when, not if, your company will experience a cyberattack. “And, while 88 percent of these executives believe their cyber defense strategy is robust, understood and fully functional, their answers to other questions we asked tell us that, by and large, there is much more they can do to better position themselves to withstand an attack or catastrophic failure,” Walker said.
Being resilient is about acknowledging the reality that they’re almost certainly not doing everything they can, he said. “It also is about taking the steps that enable a company to quickly respond when the inevitable occurs,” he added. Walker highlighted four steps that warrant particular attention:
Companies need to become fault-tolerant. That is to say, they need to be able to adjust quickly to disruption and minimize the impact of disruptions on customers, supply chains, or internal operations when they inevitably occur.
Companies need to know where their information and operational technology systems are vulnerable. Running inward-directed attacks and creating intentional failures to test their systems can help companies understand where they are vulnerable so they know where to focus their efforts. This is particularly important today, as companies operate in complex ecosystems of partners and service providers that give them the reach and capabilities they need. Consequently, they rely on the processes, technology and people of partners, suppliers and others they do business with—all of which are out of their control. To manage such an interconnected enterprise, companies need to be able to evaluate the strengths and weaknesses of each element to understand how resilient their system is. While executives can assess and shore up security across their enterprise, they also need to look further and consider the impact of breaches from every member of their network. Their ultimate goal is to be able to move quickly to maintain operations, address the outage and bounce back from any damage they incur.
Companies need to build an agile organization that can quickly respond to situations and seize marketplace opportunities. Achieving this objective is about making difficult choices, irrespective of the organization. With scarce resources, companies need to strike the right balance between spending to protect the enterprise and spending to enable innovation and growth. Making these decisions requires a detailed understanding of the quantified value and quantified risk. Forty-nine percent of those we surveyed agreed that there is room to improve in this area.
Companies need to remember that resilience is not just the responsibility of the CIO. Strong CEOs focus on harmonizing an entire organization’s portfolio of capabilities, from their physical assets through the ecosystem and on to their people. To create resilience across the business, the CEO should work hand-in-hand with the CIO and other business leaders to set the tone for the company’s push/pull investment decisions to enable and protect the company. And, the CEO should advance the importance of business continuity with the executive leadership team, including their board of directors. After a breach, the discussion with leadership should be about how the plan is working, not what the plan is.
“The bottom line is that resilience actions speak louder than words,” Walker said. “With the right set of capabilities in place, managing cyber risk becomes an essential aspect of maintaining the rhythm of the business.”
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage.