Cyberattacks, cyber-breaches and cybercrime are not new problems and are universally acknowledged to be costly, pervasive and increasingly sophisticated. Each week new breaches become public, most recently an incident at a large internet service provider that had gone unnoticed for more than two years. The best defence against such intrusions is cyber-resilience: building capabilities to protect yourself and your business from cyber threats, and building the ability to rebound from attacks, should they happen.
Cyber-resilience is a major strategy issue and the need for boards and senior executives to give it serious attention cannot be overstated. In many industries, cyber-resilience can be a source of competitive advantage, a factor for valuation in M&A situations, and a key enabler for flexible, interconnected value chains. Because it helps determine the speed at which organizations can benefit from technology innovation, it affects how value is created. But what is required to build cyber-resilience and how can boards and executives speed up the process?
Cyber-resilience cannot be left exclusively to the technology domain. As recent Boston Consulting Group (BCG) research indicates, more than 70% of breaches exploit non-technical vulnerabilities. For example, an attack may trick users into disclosing their legitimate credentials. The lesson here is that cyber-resilience in an organization must extend beyond the technical IT domain to the domains of people, culture and processes. A company’s protective strategies and practices should apply to everything the company does — to every process on every level, across departments, units and borders, in order to foster an appropriately security-conscious culture. Ultimate responsibility for cyber-resilience rests squarely on the shoulders of boards and senior executives. It is up to them to push this culture change through the layers of their company.
In the technology domain, a division of duties and reporting lines within the organization is necessary to separate the IT implementation role, which often falls to the chief information officer; the IT security role, which usually falls to the chief information security officer; and the risk management role, which tends to be the chief revenue officer’s responsibility. In many cases, implementing this organizational change requires a board-level push.
Defending against cybercrime is a new challenge for many boards. Regularly including the topic of cyber-resilience on the board’s agenda is especially important in such cases, because the board’s awareness of the issue is relatively low. Boards must devote considerable effort and attention to the task of supervising the transition to a new, cyber-resilient state.
Boards should focus on increasing their knowledge of the topic and their level of comfort in dealing with it. First and foremost, to challenge their executive teams on the subject of cyber-resilience, they need to arm themselves with a set of principles or good practices for dealing with the issue. Multiple general recommendations exist on how to act. BCG recently had the opportunity to support the World Economic Forum by creating a set of guidelines, designed for board-level use, that address these challenges. The forum and its cross-industry working group have identified 10 principles and backed them up with pragmatic tools to enable boards to establish them. The principles emphasize taking responsibility, becoming informed on the subject of cyber threats, anchoring responsibility in the organization, and implementing plans for cyber-resilience. Boards also need to join their executive teams in a discussion of risk appetite, in order to define the current risk posture of their organizations.
In addition, boards need tools for understanding, assessing and quantifying the risk patterns that their organization faces today and may face in the future. A good first step is to identify the organization’s most important informational assets and to determine the biggest risks to these assets. A second step is to determine how the executive team aims to manage these risks and how much its plan will cost the company. The forum’s publication includes recommendations, in the form of a Board Cyber Risk Framework, for analysing and understanding cyber risk at the board level.
Emerging technologies create great changes and great opportunities, but they also expose companies to grave new risks. Examples of disruptive technologies are big data, the Internet of Things, and autonomous vehicles. Boards need to understand how disruptive technologies change their exposure to cyber risk. The forum’s publication provides insights directed toward board-level stakeholders regarding challenges such as vendor management, technology life cycle security and the ability to quickly adapt to change.
Although cyber-resilience and cyber risk management are still young disciplines in many organizations, they are gaining speed. Boards are in a unique position to support and expedite their development — be it to derisk their organizations’ value creation or to make the world a bit safer for business partners and consumers. It is imperative that boards possess the tools necessary to increase their own understanding, to ask the right questions and, overall, to develop cyber-resilience.
The report by the World Economic Forum, The Boston Consulting Group, and Hewlett Packard Enterprise is available to download.
The views expressed in this article are those of the author alone and not the World Economic Forum.