Faster, cheaper digital technologies are delivering an unprecedented array of social and economic benefits. And the process of digitizing and connecting isn’t slowing down; it’s introducing a whole range of new risks from a variety of known and unknown sources. No surprise, then, that business and government leaders place cybersecurity high on their agenda.
But it’s not just security that matters: in order to increase the benefits and minimize the harms in this digital landscape, leaders should be considering cyber resilience as a strategic goal.
What is cyber resilience?
As you can see by the chart above, which shows how much cybersecurity costs have increased in the United States (and are likely to continue to increase), organizations perceive that significant threats exist to the networked systems on which the economy relies. But organizations can develop tools and policies to avoid, absorb and mitigate them.
The idea of resilience, in its most basic form, is an evaluation of what happens before, during and after a digitally networked system encounters a threat. Resilience should not be taken to be synonymous with “recovery”. It is not event-specific: it accrues over the long term and should be included in overall business or organizational strategy.
The spectrum of resilience described in this 2012 World Economic Forum whitepaper outlines the ability of systems and organizations to withstand cyber events. Resilience in this context means the preparations that an organization has made with regard to threats and vulnerabilities, the defences that have been developed, and the resources available for mitigating a security failure after it happens.
There is a multitude of ways in which an organization or society can be considered resilient, but a common denominator is the inclusion of a deep understanding of risk in strategic planning. For cyber risk, this means going beyond information-technology planning and making risk evaluation a normal part of strategy.
Normalization is key. Cyber risk should be viewed just like any other risk that an organization must contend with in order to fulfil its goals.
Why is cyber resilience important?
Leaders of business and government need to think about resilience for two reasons: first, by doing so they avoid the catastrophic failure threatened by an all-or-nothing approach to cyber risks (i.e. preventing network entry as the only plan), and second, it ensures that the conversation goes beyond information technology or information security.
The first point, that a long-term view and durability are key factors in ensuring cyber resilience, does not need further explanation. A plan that encompasses actions and outcomes before, during and after the emergence of a threat will generally be superior to a plan that only considers one instance in time.
The second point, that leaders must broaden the conversation, merits more attention. It is vital to our economic and societal resilience that we think beyond information security to overall network resilience that ensures we can deal with existing risks and face new risks that will come with such things as artificial intelligence, the internet of things or quantum computing. In order to ensure long-term cyber resilience, organizations must include in their strategic planning the ability to iterate based on evolving threats from rapidly evolving disruptive technologies.
At this time, there are clear and tested strategies for ensuring the security of data. There’s also information available for organizations to adopt. The risk of taking a mere information-security approach is that, once a technology such as the internet of things is fully implemented, the risk profile of a company must be looked at anew and will likely proceed in an ad hoc fashion. This could be ineffective.
By promoting an overall cyber-resilience approach, long-term strategy (including which technologies a business will implement over the next five, 10 or more years) is a continual strategic conversation involving both technology and strategic leaders within an organization. The cyber-resilience approach ensures greater readiness and less repetition – making it, on the whole, more efficient and more effective.
Why resilience rather than security?
Security, in contrast to resilience, can be seen as binary. Either something is secure or it isn’t. It is often relegated to a single, limited technical function, keeping unauthorized users out of a networked system.
While there are many broader definitions of cybersecurity, there is a difference between the access control of cybersecurity and the more strategic, long-term thinking cyber resilience should evoke. Additionally, since vulnerability in one area can compromise the entire network, resilience requires a conversation focused on systems rather than individual organizations.
How does an organization become cyber resilient?
For networked technologies, vulnerability in one node can affect the security and resilience of the entire network. Therefore, resilience is best considered in the context of a public good or “commons”. That’s why partnerships are key. These can be between businesses as well as with regulators, prosecutors and policy-makers.
Since cyber resilience is really a matter of risk management, there isn’t a single point at which it begins or ends. Instead, it comes from building strategy and working to ensure that the risk-transfer mechanisms that work for more traditional threats are also brought to bear on new cyber threats.
Who is responsible?
It’s really a question of strategy rather than tactics. Being resilient requires those at the highest levels of a company, organization or government to recognize the importance of avoiding and mitigating risks. While it is everyone’s responsibility to cooperate in order to ensure greater cyber resilience, leaders who set the strategy for an organization are ultimately responsible, and have increasingly been held accountable for including cyber resilience in organizational strategy.
Where can I get more information?
Computer emergency readiness teams, known as CERTs, provide excellent resources to help you assess your organization’s resilience.
Incorporating cyber resilience into business strategy has been a focus of the World Economic Forum since 2011. The Forum has been active in developing principles, frameworks and tools for raising awareness and understanding cyber resilience. It is currently developing a set of tools and guidelines for corporate boards.
There is also significant insight to be gained from private companies, standard-setting bodies, organizations of corporate directors, government entities and industry groups that have become more and more active in this space.