The security difference: how successful companies put security first

Accenture report indicates correlation between cyber security and growth

Research conducted by the Ponemon Institute for services supplier Accenture has indicated a high correlation between a company's proactive approach to security and its achievement of security goals.

It distinguishes what it calls "leapfrog companies" - organisations focused on innovation and growth - from "static companies", which are more hierarchical and traditionally organised.

It found that successful companies simply take cyber security more seriously, have more in-depth security strategies and policies, employ a dedicated chief information security officer (CISO), and are more likely to report security incidents to the CEO and board of directors.

"Leapfrog companies are more likely to have an officially sanctioned security strategy, and this strategy is more likely to be the main driver to their organisation's security programme... [they] use risk management techniques to determine their security strategy and integrate physical and logical security systems," claims the report.

It continues: "Responsibilities and authority pertaining to security are clearly defined. Employees are not only made aware of security requirements, but held accountable for following security processes."

In contrast, so-called static companies tend to rely on regulations rather than strategy to drive their security requirements. "Security efforts focus on external threats, and are more likely to emphasize prevention rather than detection or containment. These types of characteristics do not support companies making significant improvements in the effectiveness of their security posture."

For companies falling behind, Accenture recommends starting by creating a dedicated CISO role with genuine authority, allocating a dedicated security budget and expanding the security team to ensure that there are minimal gaps in corporate cyber-security defences.

"Leapfrog companies are more likely to consider information security a business priority and align their security objectives with business objectives. They view security as an enabler to achieving business objectives, and are able to adapt if security hinders their objectives in exceptional situations ('business needs sometimes trump security requirements')," advises the report.