According to a series of interviews the World Economic Forum conducted with board members from a variety of multinational corporations, cyber risk has climbed rapidly to the top of leaders’ agendas and now commands significant board attention.
Another analysis by the Forum confirms the necessity of this attention, estimating that cyber-attacks cost the global economy $445 billion – far more than most countries’ GDP. Experts estimate that cybercrime alone cost the average US firm $15 million a year in 2015. And as the threat increases, so too does the sum businesses stand to lose.
It’s because of this growing risk that many companies are starting to take the concept of cyber resilience – which essentially means the capability to protect oneself against cyber-attacks and to recover from them when they occur – very seriously.
To find out more, we spoke with two experts who have been working on the Forum’s Advancing Cyber Resilience Project, Stefan Deutscher of BCG and Christopher Leach of HPE. Both Stefan and Christopher regularly advise boards of global organizations on their cyber resilience strategy.
You both work with clients on cyber resilience. How relevant is this topic to global organizations?
Stefan: You can’t overestimate the importance of addressing cyber resilience. In today’s world, every organization is or is becoming a technology organization. The digitization of products, production and value chains is transforming industries, and making every organization dependent on highly connected technology. That’s bringing numerous benefits, but it also makes companies increasingly vulnerable.
Christopher: At the same time, attackers are becoming more sophisticated, more resourceful, and better organized. They continually change their tactics. That’s why cyber resilience is so important today. The companies that succeed in the future will be those that have successfully balanced the need to manage risk with the opportunities offered by digital.
Some people say that cyber-attacks may slow down the adoption of new technology, and therefore stymie economic growth and other societal benefits. Do you see any indication of this in your work?
Christopher: Successful cyber-attacks are growing in number and impact. This leaves decision-makers with the feeling that cyber risk is not controllable, which reduces their willingness to introduce new technology.
Stefan: Just think of the economic or societal benefits of telemedicine for an ageing population, or those of connected cars. Recent breaches drive uncertainty among leaders about how fast these new technologies can be adopted. Attacks on connected vehicles, for example, and the associated cost of recalls may have implications for the speed of further innovation.
What is the state of cyber resilience in organizations in general?
Stefan: Current cyber resilience capabilities range in maturity. That’s because they are still mainly seen as a cost – not as risk control, not as a strategic opportunity, and not as a source of competitive advantage. In many cases, there is a conflict of interest between resilience requirements and business opportunities. Executives tend to prioritize business opportunities.
Christopher: In many cases, the problem is even simpler: cyber risk is not fully understood by senior executives and therefore difficult for them to act on.
What will it take to overcome these hurdles and make cyber resilience a strategic priority?
Stefan: We believe it requires a push by an organization’s board to balance the interests of both cyber resilience and the business. And it fits nicely into the board’s supervisory role of business risk in general. Cyber risk should be considered a regular business risk – an important one, though. Boards are able to establish the right KPIs and anchor cyber resilience in the organization’s incentive system.
Christopher: Boards are in a perfect position to encourage and orchestrate the right dialogue on cyber resilience. They can include all business units in the process and also involve other organizations up and down the value chain. Moreover, it is in their best interest to balance the short-term needs of their business with the long-term strategy required by the shareholders.
Cyber resilience sounds quite technical to many executives and boards. What are boards supposed to do, and are they equipped for this additional responsibility?
Christopher: This is an understandable concern, but let me put it in perspective. There are, indeed, technical and non-technical aspects to it. The technical ones are important, especially when looking at new technologies such as big data and the internet of things, both of which are being increasingly used across industries and society.
But the good news is that from a board’s perspective, the other non-technical aspects are more relevant. As an example, the chief information security officer is often left out, or engaged too late, in innovation and technology deployments. If cyber resilience is built into the lifecycle of any new business initiative, the benefits can far outweigh any perceived “speed” issues.
Stefan: Boards lack a toolset to address these non-technical aspects of cyber resilience. There is no common language shared by boards and no set of principles advising boards on what to look for – although it is being developed as part of the Forum’s Advancing Cyber Resilience project. The idea of these principles is that they’ll ensure the right organizational framework exists and that the board engages in risk discussions with the executive team.
Stefan Deutscher is a principal in BCG's Berlin office and a core member of the Technology Advantage and Technology, Media & Telecommunications practices. He serves as a global topic leader for IT infrastructure and data centre operations and information security.
Chris Leach is a chief technologist in the office of the CTO at Hewlett Packard Enterprise. His role requires him to work with senior executives in defining their cyber resilience strategy and to assist boards with their strategic review process. Prior to joining HPE, Chris was responsible for the cyber security for major global organizations, including one of the world’s largest banks.