James Henderson

How vendor value changes with evolving enterprise cyber maturity levels

The value of third-party cyber services varies significantly depending on organisational maturity levels, indicating that a one-size-fits-all approach to security in the enterprise is flawed.

While arguably common knowledge within the ecosystem given the fluctuating nature of solution adoption curves, smart outsourcers are switching strategies to ensure low, medium and high maturity businesses extract maximum benefit from security offerings.

According to Deloitte findings, advanced companies realised over 30% more value from technology vendors and partners compared to laggards across data protection and privacy (59% vs. 28%), cyber strategy (55% vs. 31%) and cyber cloud (53% vs. 26%) services.

The disconnect continues on the infrastructure security (53% vs. 22%) and application security (51% vs. 20%) fronts, with appetite to leverage expertise related to emerging technologies (45% vs. 21%) and identity and access management (44% vs. 21%) also varied.

To define cyber maturity, Deloitte identified three sets of leading practices to rate organisations – cyber planning, key cyber activities and board involvement.

The report, 2023 Global Future of Cyber, segmented the businesses into three groups (low, medium and high cyber maturity) by assigning point values to each set of leading practices.

“Cyber has become an enabler for business and embedding it into all business practices has shown nothing but success,” said Emily Mossburg, Global Cyber Leader at Deloitte. “Advancing cyber will only become more critical as the global economy faces a potential downturn and businesses navigate a looming recession.”


According to findings, high cyber maturity organisations report seeing value from third-party cyber services across:

  1. Data protection and privacy: 59%
  2. Cyber strategy: 55%
  3. Cyber cloud: 53%
  4. Infrastructure security: 53%
  5. Application security: 51%
  6. Detect and respond: 46%
  7. Recover and transform: 46%
  8. Emerging technologies (AI, 5G etc): 45%
  9. Identity and access management: 44%

Meanwhile, low cyber maturity organisations report seeing value from third-party cyber services across:

  1. Cyber strategy: 31%
  2. Data protection and privacy: 28%
  3. Cyber cloud: 26%
  4. Recover and transform: 24%
  5. Infrastructure security: 22%
  6. Emerging technologies (AI, 5G etc): 21%
  7. Identity and access management: 21%
  8. Application security: 20%
  9. Detect and respond: 20%

Irrespective of organisational maturity, however, there is no cyber architecture or approach that can guarantee absolute security and risk mitigation. Instead, the most striking feature of highly cyber-mature businesses is their ability to extract value from their security investments.

Of note to the ecosystem, advanced organisations are doing just that when it comes to engaging leadership, planning and acting.

“And it appears to be generating more business value from their cyber efforts,” Mossburg added.

In relation to realising the impact of increased efficiency, resiliency and agility, highly mature enterprises are ahead of the pack and continue to recognise benefits that may not be typically associated with cyber.

As noted in the research, 55% of mature businesses reported that cyber provides them with confidence to try new things, compared to 40% for low-maturity organisations. This also extends to enhancing trust (69%) compared to companies on the opposite end of the maturity scale (54%).


“We’re now seeing cyber transcend its traditional IT roots and become an essential part of future-proofing businesses – which will be critical in the year ahead as digital transformation continues to be a top investment,” Mossburg noted.

According to findings, 87% of highly mature organisations are more likely to have “robust plans” in place for incident response. Specifically, 91% will have a “robust” operational and strategic plan and 88% will develop a plan to assess the protection of data.

This company segment (60%) is also three times as likely as low maturity organisations (20%) to conduct incident-response scenario planning at a business or board level.

“Cyber is now woven more tightly into business operations, outcomes, and opportunities,” Mossburg said. “CISOs are most successful when they are connectors across their organisation, focused on enabling their organisation’s highest business priorities.”

During the past 12 months, 91% of organisations surveyed reported at least one cyber incident – up 3% from last year. This is in addition to 56% of businesses suffering related consequences to a “moderate or large extent”.

