How did the banking industry do in the Accenture Security Index?
Accenture has released an important research report on security performance called the “Accenture Security Index.” The research assessed performance in information security at companies across multiple countries and industries.
How did the banking industry do? The quick answer: Pretty good, but not nearly good enough.
More about that in a moment. But first, here’s some more information about the Accenture Security Index. It assessed cybersecurity performance across 33 capabilities, organized into seven domains:
- Business alignment
- Cyber response readiness
- Strategic threat context
- Resilience readiness
- Investment efficiency
- Governance and leadership
- Extended ecosystem
Companies and industries with the highest aggregate scores across all the capabilities were deemed to be “high performing” in cybersecurity. Across the countries studied, the average organization was high performing in only 11 of the 33 cybersecurity capabilities.
Banking came out near the top in the research, with high performance in 44 percent of the security capabilities in the index. That’s the good news. The bad news, of course, is that the results mean that, in 56 percent of security capabilities, the banking industry was NOT high performing.
Financial services firms have, with some justification, felt superior to other industries in their information security capabilities. But the research results point to something curious: In fact, banks are just on a par with communications firms and high-tech companies.
At a time when high-tech behemoths like Amazon.com, Inc., Google Inc. and Facebook, Inc. are increasingly pushing into the financial services space, this is one more reason to be concerned. A poll conducted last year found that 20 percent of the consumer survey respondents would be willing to buy banking or insurance services from Amazon, Google or Facebook.
What’s the next step?
The current cybersecurity market is fragmented, with many organizations too focused on point solutions that can’t stop the growing number of cyber attacks. Point solutions often prove effective for a specific application, but at the enterprise level they ultimately resemble attempts to plug individual holes in a sieve.
Instead of wasting time and resources attempting to plug the sieve with exterior defenses, companies need to develop a holistic cybersecurity strategy that protects the organization’s most important assets from the inside out.
In my next blog, I’ll get more specific about that holistic strategy, and about the security capabilities banks are good at—and those they’re not.