Australian organisations are an attractive target for cyber-crime and espionage. Our latest research shows how leading enterprises are achieving outsized results, providing a guide to all organisations seeking to ensure they are a tough nut to crack.

1. The Cyber Security Leap:
From Laggard to Leader
How Australian organisations can learn from the Leapfrogs

2. 2Copyright © 2015 Accenture All rights reserved. 2Copyright © 2015 Accenture All rights reserved.
How do some organisation achieve better
security performance?
We compared organisation that were able to “leapfrog” their
security effectiveness against others that remained static.
Defining a Leapfrog organisation
Key findings
Implications
About the research

3. 3Copyright © 2015 Accenture All rights reserved. 3Copyright © 2015 Accenture All rights reserved.
Leapfrog organisation improved their security
effectiveness an average of 53% over two years
Success characteristics can be summarised across three areas
Research and analysis conducted by Accenture in Collaboration with the Ponemon Institute, LLC.
All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader, 2015
• Security is a business
priority aligned with the
enterprise’s goals
• Focus on innovation
• Outsourcing is a
component of the
security program
• Respond proactively to
major changes to the
threat landscape
• Open communications with
CEOs and corporate boards
• Establish dedicated
security budgets that have
steadily increased
• Chief Information Security
Officer (CISO) has authority
to define and manage the
security strategy
• Deploy enterprise risk
management
procedures
• Embrace new and
disruptive security
technologies as part
of the strategy
Strategy Technology Governance

4. 4Copyright © 2015 Accenture All rights reserved. 4Copyright © 2015 Accenture All rights reserved.
Leapfrog organisation improved their security
effectiveness an average of 53% over two years
Success characteristics can be summarised across three areas
• Security is a business
priority aligned with the
enterprise’s goals
• Focus on innovation
• Outsourcing is a
component of the
security program
• Respond proactively to
major changes to the
threat landscape
• Open communications with
CEOs and corporate boards
• Establish dedicated
security budgets that have
steadily increased
• Chief Information Security
Officer (CISO) has authority
to define and manage the
security strategy
Strategy Governance
• Deploy enterprise risk
management
procedures
• Embrace new and
disruptive security
technologies as part
of the strategy
Technology
Research and analysis conducted by Accenture in Collaboration with the Ponemon Institute, LLC.
All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader, 2015

5. 5Copyright © 2015 Accenture All rights reserved. 5Copyright © 2015 Accenture All rights reserved.
Leapfrog organisation improved their security
effectiveness an average of 53% over two years
Success characteristics can be summarised across three areas
• Security is a business
priority aligned with the
enterprise’s goals
• Focus on innovation
• Outsourcing is a
component of the
security program
• Respond proactively to
major changes to the
threat landscape
• Open communications with
CEOs and corporate boards
• Establish dedicated
security budgets that have
steadily increased
• Chief Information Security
Officer (CISO) has authority
to define and manage the
security strategy
• Deploy enterprise risk
management
procedures
• Embrace new and
disruptive security
technologies as part
of the strategy
Strategy Technology Governance
Research and analysis conducted by Accenture in Collaboration with the Ponemon Institute, LLC.
All data in this presentation taken from “The Cyber Security Leap: From Laggard to Leader, 2015

6. 6Copyright © 2015 Accenture All rights reserved. 6Copyright © 2015 Accenture All rights reserved.
Organisations with static security effectiveness
demonstrated different characteristics
• Operate security under a veil of stealth, secrecy and
underfunding
• Prioritise external threats
• Focus on prevention rather than quick detection or containment
• Drive security investments by compliance with regulations and
policies
• View security as diminishing employee productivity
• Believe security budgets are inadequate for meeting the
company’s security mission

7. 7Copyright © 2015 Accenture All rights reserved. 7Copyright © 2015 Accenture All rights reserved.
Leapfrog organisations value innovation as
a way to strengthen their security posture
Higher value placed on
security innovation
33%
Higher level of security
innovation change in
the past two years
45%
More security
innovation
20%

8. 8Copyright © 2015 Accenture All rights reserved. 8Copyright © 2015 Accenture All rights reserved.
Establishing a security strategy as a
business priority separates Leapfrog from
Static organisations
Security and business objectives aligned
70%
55%
69%
45%
63%
40%
Security is priority
Security strategy exists
LEAPFROG
STATIC
LEAPFROG
STATIC
LEAPFROG
STATIC

9. 9Copyright © 2015 Accenture All rights reserved. 9Copyright © 2015 Accenture All rights reserved.
Security outsourcing is often a component of
Leapfrog organisations’ strategies
Outsourcing core security operations can greatly increase
security effectiveness by providing access to advanced
technology and expert resources.
Leapfrog Static
Has strategy & does
not outsource
security operations
23%
15%
55%
32%
Has strategy &
outsources security
operations

10. 10Copyright © 2015 Accenture All rights reserved. 10Copyright © 2015 Accenture All rights reserved.
Leapfrog organisations proactively use
advanced technologies to secure their network
and cloud environments
LeapfrogStatic (Rankings on a 10 point scale, 1 = low; 10 = high)
Secure (encrypt)
data stored in
cloud environments
7.186.00
Establish security
protocols over
big data
6.334.94
Pinpoints
anomalies in
network traffic
8.557.45
Provide advance
warning about
threats and
attackers
8.277.56

11. 11Copyright © 2015 Accenture All rights reserved. 11Copyright © 2015 Accenture All rights reserved.
Leapfrog organisations focus more on securing
network, sensitive data and the cloud; Static
organisations focus more on locking things down.
Control insecure
mobile devices
including BYOD
7.167.76
Limit insecure
devices from
accessing
security systems
6.037.18
LeapfrogStatic (Rankings on a 10 point scale, 1 = low; 10 = high)

12. 12Copyright © 2015 Accenture All rights reserved. 12Copyright © 2015 Accenture All rights reserved.
Establishing strong governance and controls
supports Leapfrog security effectiveness
Important governance components include dedicated budget,
use of benchmarks and metrics and regular communications
with board of directors.
Metrics to
evaluate
security
operations
20%
26%
Enterprise risk
management
procedures
35%
Regular
reporting to the
board of
directors
34%
Benchmark
Security
operations

13. 13Copyright © 2015 Accenture All rights reserved. 13Copyright © 2015 Accenture All rights reserved.
The CISO role in Leapfrog organisations reflects
the importance placed on security
While both types of organisations have a CISO,
the level of responsibility is notably different.
CISO defines
security strategy
and initiatives
Leapfrog 71%
Static 60%
CISO directly
reports to a
senior executive
71%
58%
CISO is accountable
for budgets or
discretionary spending
65%
55%

14. 14Copyright © 2015 Accenture All rights reserved. 14Copyright © 2015 Accenture All rights reserved.
Security effectiveness can be notably improved
over a short period of time, by applying lessons
learned from three priority areas
Strategy Technology Governance

15. 15Copyright © 2015 Accenture All rights reserved. 15Copyright © 2015 Accenture All rights reserved.
Suggestions for developing or improving
your security strategy
• Establish a security strategy that encourages innovation, has
dedicated budget and programs, a strong eco-system and a clear
vision for how innovation gets on-boarded into production.
• Develop the ability to adapt quickly
and proactively to the changing threat landscape
• Help the organisation embrace digital disruption
• Align security and organisational priorities
• Treat security as a business priority

16. 16Copyright © 2015 Accenture All rights reserved. 16Copyright © 2015 Accenture All rights reserved.
Suggested areas for technology focus
• Seek out technology and capabilities
that enhance the user experience
and productivity
• Balance prevention, detection and
response better—lessen the focus
on prevention
• Better exploit data within the
organisation to gain an advantage in
detection and response times—move
toward security intelligence

17. 17Copyright © 2015 Accenture All rights reserved. 17Copyright © 2015 Accenture All rights reserved.
Governance measures to improve performance
• Foster a working relationship between
CISO and the board to take effective
action; educate and collaborate to
articulate and prioritise business risk
• Use benchmarks and metrics to
continually assess the strategy and
evolve the organisation’s posture
• Outsource security operations as
appropriate for best use of available
expert resources
• Eliminate fire-fighting and use
resources effectively

18. 18Copyright © 2015 Accenture All rights reserved. 18Copyright © 2015 Accenture All rights reserved.
Organisations studied represent various
industries and sizes across Australia, NA, Europe,
Middle East and Asia Pacific
16%
14%
14%
10%
8%
9%
6%
6%
5%
5%
4%
4% 9%
11%
28%
24%
18%
11%
Less than
1,000
1,000 to
5,000
5,001 to
10,000
10,001 to
25,000
25,000 to
75,000
More than
75,000Financial
services
Industries represented Organisation size
Public
sector
Services
Retail
Energy and
utilities
Industrial
Health &
pharmaceutical
Consumer
Technology
and software
Transportation
Other
Hospitality
Education and research, 1%
Communications, 1%

19. 19Copyright © 2015 Accenture All rights reserved. 19Copyright © 2015 Accenture All rights reserved.
For more information:
- Visit accenture.com.au/security
- Contact Accenture APAC Security Lead, Jean-Marie Abi-Ghanem:
j.abi-ghanem@accenture.com
19Copyright © 2015 Accenture All rights reserved.