Leaders show path to affordable cyber resilience without increasing their spending

Nearly one third of federal cybersecurity executives surveyed in a recent global survey indicated that they employ a series of best practices to bolster cyber resilience in their agencies – and they do so without increasing their spending.

These federal executives said their cyber resilience measures have improved how they stop attacks, find and fix breaches and reduce the impact of intrusions, according to Accenture’s Third Annual State of Cyber Resilience report.

In the research, we surveyed 4,644 security executives from 24 industries in 16 countries, including 100 federal cyber experts. Using a detailed model of cybersecurity performance, the report classified 28 percent of federal executives as leaders, compared to just 17 percent of the remaining respondents.

What else sets leaders in our survey apart, though, is their ability to use cyber technologies that evolve with these threats without breaking the bank. According to our analysis, a cyberattack costs non-leaders an average of $380,000 to defend and remediate. For leaders, that amount is shaved down to $107,000, on average.

The survey paints a promising picture for security executives, yet work remains. As diligent as these execs are in battening down the hatches, cyber criminals are also getting wiser. As large targets, federal agencies need to consistently reassess their security posture to protect not only their own enterprises, but their operational ecosystems and supply chains.

Emerging federal threats meet long-standing challenges

The best practices for cyber resilience include leveraging shared threat intelligence, continually updating systems with cutting-edge technology, employing a nimble staff, and automating detection and response to keep pace with the advancements of bad actors.

As our report shows, federal agencies continue to face new forms of attack. Instead of directly attacking their targets, we found cyber criminals increased their use of indirect attacks where they target third parties such as suppliers. This type of attack leads to vulnerability for agencies that rely heavily on a contractor network to achieve their missions. It also means federal agencies need to extend cyber protections beyond their own four walls and into every partner they encounter.

Recognizing this vulnerability, the Department of Defense has mandated compliance with its new Cybersecurity Maturity Model Certification (CMMC) for the 300,000 companies that comprise the defense industrial base (DIB). This is good, as it creates a common baseline with defined levels of maturity based on prescribed and assessed practices. It illustrates that federal agencies will always be under attack and thus the need for cyber resilience will never wane.

However, it shines a bright light on the need and commitment to a joint network defense model, where the DIB (traditional and non-traditional defense contractors, research institutions, and academia) and the departments and agencies it serves, share indicators of attack and compromise in near real-time. This establishes a security model where an adversary must beat all of us to defeat one of us.

However, it shines a bright light on the need and commitment to a joint network defense model, where the DIB (traditional and non-traditional defense contractors, research institutions, and academia) and the departments and agencies it serves, share indicators of attack and compromise in near real-time. This is directly aligned to the recommendations of the Cyberspace Solarium Commission to establish a security model where an adversary must beat all of us to defeat one of us.

What else sets leaders in our survey apart, though, is their ability to use cyber technologies that evolve with these threats without breaking the bank. According to our analysis, a cyberattack costs non-leaders an average of $380,000 to defend and remediate. For leaders, that amount is shaved down to $107,000, on average.

Yet for all of the cost-savings and leadership exhibited by federal cyber execs, there are still hurdles to overcome.

Federal procurement challenges

One such hurdle is a lengthy procurement process that makes it difficult to keep up with innovation. Existing long-term procurement processes typically lock federal agencies into a technology for a minimum of five years, a lifetime in today’s ever-evolving world of cyber threats. It is nearly impossible for an agency to anticipate what the threat landscape will look like in one year, let alone five.

This is compounded by the sheer volume of technology solutions on the market. More than 3,000 unique vendors sell cyber software, creating a smorgasbord of potential solutions with varying levels of effectiveness. As a result, federal agencies must pick the right technology that will be viable for an unpredictable future. This is an incredibly difficult and expensive exercise that produces mixed results.

Seventy-five percent of federal executives report that cyber costs continue to rise, with 60 percent of survey respondents saying that they are unsustainable. Agencies must also contend with the technology talent gap, as a massive deficit in available talent makes it difficult to hire and manage in-house security staff.

The case for managed services

Federal agencies face many challenges in maintaining cyber resilience, but there is a solution. Similar to the way that they have embraced the cloud, federal agencies can take advantage of managed security services to access state-of-the-art, FedRAMP authorized platforms, and the cyber talent to achieve greater predictability and benefit from economies of scale.

Seventy-five percent of federal executives report that cyber costs continue to rise, with 60 percent of survey respondents saying that they are unsustainable. Agencies must also contend with the technology talent gap, as a massive deficit in available talent makes it difficult to hire and manage in-house security staff.

With this model, federal technology executives can establish agency cyber goals and priorities that the managed services provider can execute against to contractually defined service levels and performance indicators. The managed services company brings together innovative technologies, highly trained staff and automated processes to provide more comprehensive coverage with faster response than most agencies could muster on their own.

As one benefit, managed service providers can remove and add different technologies as needed to maintain an agile cyber defense against evolving threats. This ensures that each technology serves a specific purpose with outdated or ineffective services removed. Technologies are also regularly updated, ensuring that agencies always have the most up-to-date version of each product.

Managed services can help federal leaders meet the best practices established in our report at a reasonable price point. But first, federal agencies will need to gain comfort and trust with a new approach, as they did with commercial cloud services.

Conclusion

The federal leaders we identified use their resources to achieve maximum results, which is an increasingly difficult prospect in a world with ever-evolving threats, thousands of technology choices and a procurement system that makes innovation near impossible.

Managed services is a proven alternative. It provides an avenue for continual innovation and technology evolution without locking agencies into a technology that could become obsolete as things change.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.