- As online threats increase, cybersecurity needs to be seen not merely as a technical issue, but rather as one of strategy, culture, and cooperation.
- Cybersecurity failure continues to feature as a critical short- and medium-term threat to the world, according to the World Economic Forum’s Global Risks Report 2022.
- Here are five things senior leadership in organizations should prioritize to embed cyber-resilience in their organizations.
For too long, cybersecurity has been perceived as an IT problem and delegated to technology specialists. Yet as the threat increases, it needs to be seen not merely as a technical issue, but rather as one of strategy, culture and cooperation. This requires business leaders to lead from the front when it comes to managing cyber-risk within their enterprises, so that the digital economy on which individuals, organizations and countries increasingly rely is safeguarded. Indeed, effective leadership – on cyber and other technology issues – will only become more critical as time passes.
That’s particularly important because the pace of change is accelerating, especially in the digital realm. Signs of increasing digitalization are everywhere. According to DataReportal, a research firm, more than five billion people around the world use the Internet, which means that over 63% of the global population is now online. Digitalization has also been integral to business transformation. According to Statista, another research firm, global spending on digital transformation will reach $2.8 trillion in 2025.
Yet amid these trends, another more sinister one lurks: bad actors are actively looking to exploit the vulnerabilities of individuals and organizations. The nature of cyberspace lends itself favorably to criminals for several reasons.
One, the entry barrier is low. For as little as $10 someone can buy simple attacks off the dark web, with even sophisticated ones costing only a few hundred dollars (so-called “cybercrime-as-a-service”).
Two, the risk of prosecution is relatively low. Unlike with physical crime, where the victim and the perpetrator are in the same jurisdiction, in cybercrime a criminal based in one country can launch an attack on an organization in another, with the proceeds being transferred to a third country. This makes prosecution difficult (and, by the way, makes it all the more important that collaboration is tightened between the private sector and law enforcement agencies everywhere).
Three, the rewards are attractive. According to Sophos, an IT security company, the average ransom payment for organizations hit by ransomware is almost $234,000, which can be paid using hard-to-trace cryptocurrency.
Even if these problems are not new – cybercrime has existed for decades – they are increasingly alarming as technology advances. Arguably, it took the 2017 leak of the EternalBlue exploit, developed by the National Security Agency in the US, the resulting WannaCry ransomware attack that hit the UK’s National Health Service, and the NotPetya cyberattack that hit various organizations in Ukraine and elsewhere, to mark a watershed moment in cybersecurity becoming a top-of-mind concern for business leaders globally. Not surprisingly, “cyberattacks” and “data fraud or theft” emerged among the top-five risks by likelihood in the World Economic Forum’s Global Risks Report 2018.
This problem is not going away by itself. To the contrary, the frequency and severity of cyberattacks over the past couple of years have shifted the perception of leaders with regard to cyber threats. According to the Forum’s Global Risks Report 2022, “cybersecurity failure” continues to feature as a critical short- and medium-term threat to the world. The fact that cybersecurity appears to fall back in the rankings when respondents are asked about longer-term signals implies a blind spot in risk perceptions, rather than any likelihood of the threat magically dissipating.
Risk perception gaps in cyber are indeed real. The Forum’s Global Cybersecurity Outlook 2022 report indicates that while 85% of cyber leaders agree that cyber-resilience is a business priority for their organization, gaining decision makers’ support when prioritizing cyber risks against a plurality of other risks remains a prominent challenge. Moreover, when it comes to cyber-resilience, while 92% of surveyed business executives felt that this was integrated into enterprise risk-management strategies, only 55% of cyber leaders agreed.
We need to be able to bridge this gap if we are to succeed in building cyber-resilient organizations. This will require a mindset shift among CEOs, boards of directors and other C-suite executives. When it comes to cyberattacks, it is not a question of “if” but “when”. There must be a shift, therefore, from a focus on cyber-risks to building cyber-resilience. After all, in an environment where cyberattacks are inevitable, it is undoubtedly crucial to prepare for them, but equally important to institutionalize mechanisms to respond to and recover from them.
Here are five things senior leadership in organizations should prioritize to embed cyber-resilience in their organizations:
Recognize cybersecurity as a strategic business priority
A senior executive of a large industrial conglomerate headquartered in Asia that engages in around 10 corporate deals annually reports that cybersecurity teams are the last ones to carry out due diligence on the target organization, if they do so at all. The result is potentially being left with a host of vulnerabilities to address as acquirers try to integrate target companies with the parent entity, often resulting in significant unwanted costs.
A similar situation exists with investors, who seldom carry out cybersecurity due diligence before investing. In 2019, the Forum published a report, Incentivizing Responsible and Secure Innovation: Principles and guidance for investors, in an attempt to help address this. The lesson is that cyber-risk is business risk, and needs to be understood, prioritized and hardwired into key strategic and operational decisions.
Ensure cybersecurity governance is a board imperative
In most organizations, the chief information security officer (CISO) assumes responsibility for cybersecurity. However, as is the case for most strategic issues, the board of directors and the senior leadership within organizations need to set the tone, to develop mechanisms to govern cyber-risks, and to assume accountability for the cyber-resilience of the enterprise.
Last year, the Forum worked with the National Association of Corporate Directors, the Internet Security Alliance, PwC, and its global partners to develop a set of six consensus principles to help directors as they seek to understand their organization’s current cybersecurity posture, exercise their oversight function and set future goals.
In addition, the US Securities and Exchange Commission recently proposed new rules that would require disclosure of a company’s cybersecurity governance at board and management levels. Once finalized, these rules will highlight the role of the board in exercising effective oversight over cyber-risk management, ensuring that cyber-risks remain integral to overall business strategy.
Cultivate a culture of cyber-resilience
Effective cyber-risk management requires addressing three key elements: technology, process and people. The last one is arguably the weakest link in the chain. According to Cybint, a cybersecurity education and training company, 95% of cybersecurity breaches are due to human error. Naturally, it is crucial to ensure that employees are empowered to understand and embody behaviors that result in cyber-resilience for the organization.
In order to change the culture, senior leadership must set the tone and put in place mechanisms that promote accountability for cyber-resilience at every level within the organization. Openness and communication about cyber-resilience strategy, practices and knowledge can help to instill a sense of ownership among employees.
Finally, the importance of continuous training to raise awareness among employees about cyber-resilience concepts and best practices cannot be overstated.
Build a quality cybersecurity workforce
There is an acute shortage of cybersecurity talent globally. According to the (ISC)² 2021 Cybersecurity Workforce Study, there is still a workforce gap of over 2.7 million, and the workforce needs to grow by 65% to effectively defend organizations’ critical assets.
When asked whether their organization had the skills needed to respond and recover from a cyberattack, half of the respondents in the Forum’s Global Cybersecurity Outlook 2022 said they would find it challenging to respond due to the shortage of skills within their team. Fewer than a quarter of companies with between 5,000 and 50,000 employees “have the people and skills [they] need today”.
Given the dearth of quality talent, senior leadership needs to invest in recruiting and nurturing existing talent within organizations. In a job seekers’ market, the right working conditions, including a mix of what American author Dan Pink calls “intrinsic” and “extrinsic” levers of motivation, are essential to ensure employee satisfaction and retention.
There is also a need to devise innovative solutions to provide pathways for existing talent to transition into cybersecurity as a career. To help with this, Salesforce, Fortinet, the Global Cyber Alliance, and the World Economic Forum have created the Cybersecurity Learning Hub, which provides free and career-oriented modules that give people a route towards these sought-after roles.
Incentivize public-private collaboration
Cybercrime is a business, and cybercriminals collaborate by sharing information on attack techniques and tools. To stay ahead of cyber threats, more collaboration is needed between public and private actors in the wider ecosystem.
The value of partnerships is proven. In the Global Cybersecurity Outlook 2022 report, over 90% of respondents claimed to have received actionable insights from external information-sharing groups and/or partners. A noteworthy 85% of respondents agreed that they would be willing to be more transparent and to cooperate with law enforcement if it led to greater punishment of cybercrime.
However, there are also significant barriers to collaboration; regulatory restrictions and legal boundaries often prevent information sharing, for example. Senior leaders must encourage collaboration on cybersecurity issues and address organizational barriers that restrict exchange with and between industry players, national cyber agencies, and law enforcement. Not only do these partnerships help boost preparedness, but they also come in handy in the face of a crisis, where support from the wider ecosystem can be a game changer.
All of this makes cybersecurity not just a technical issue, but one of strategy, culture and cooperation.
The leading companies of the 21st century will be those that have the right leadership to prioritize not just cybersecurity but also cyber-resilience.
Akshay Joshi Head of Industry and Partnerships, Centre for Cybersecurity, World Economic Forum
Sourced by Queenie Nair
This article was first published on the World Economic Forum and is republished under the Creative Commons Licence.