Cybersecurity is a $445 billion problem, and some predict that figure could rise to $6 trillion by 2021. The list of companies that have already been hacked, attacked, and breached – suffering business interruptions, intellectual property losses, and exposing their customers to identity theft – reads like a who’s who of the retail, tech, telecomm, manufacturing and financial services industries, among others. The finances, operations, customer data, R&D, intellectual property and brand reputations of all companies are at risk, which makes cybersecurity a fiduciary responsibility of the board and senior management. Yet in many organizations, top executives and board members still believe that cybersecurity is only an IT issue.
Nothing could be further from the truth; IT alone will never be able to address cybersecurity in a meaningful way. Sustainably addressing cyber risk requires an organization-wide and cross-functional approach, and the integration of cybersecurity and business strategy. Boards and senior management play a pivotal role in creating the organizational and cultural environment for such a joint approach. Top management and board members must recognize the risks involved and take steps to ensure they are prepared for the day that their company is compromised – because it’s all but certain it will happen.
Over the past year, in collaboration with the cyber resilience initiative of the World Economic Forum, BCG, MIT Connection Science and MIT Sloan (IC)3 have worked together to identify, design and test methods to effectively engage boards and other senior stakeholders on the critical complex issue of cybersecurity. While there are robust principles to be followed and tools to be employed to both help prevent attacks and to deal with attacks that have occurred, we have found one medium that is particularly well suited to boosting the engagement and preparedness of top management and board members: table top exercises that simulate cybersecurity events and their fallout in real time.
These exercises can be useful in at least three ways. The first is practicing incident response, business continuity and disaster recovery plans, as well as decision-making under pressure, so that top leadership is not introduced to the far-reaching ramifications of a cyber breach only when one has just occurred. Second, immersive and interactive exercises can be the most effective (and memorable) method of teaching the basic concepts of cybersecurity. Third, these exercises can be used as a laboratory for developing and testing cost-effective strategies for cybersecurity defense and mitigating the consequences of cyberattacks.
Practicing incident response
Military commands play war games (including cyberwar games). Schools and office buildings practice evacuation procedures and fire drills. The goals include improving performance, learning from doing, and saving lives. Captain Chesley “Sully” Sullenberger attributed his successful emergency landing of US Airways flight 1549 in the Hudson River, after the plane lost both engines on takeoff, to the extensive drilling and rehearsal he had undergone in flight simulators.
In similar fashion, by practicing the implementation of incident response, business continuity and disaster recovery plans in a simulated cyberattack, board members and senior executives can gain a comprehensive understanding of how these attacks unfold, the range of potential impacts, and their individual roles during a response, including potential interaction with law enforcement, regulatory officials, shareholders, employees and customers. For this reason alone, such an exercise ought to be an essential part of any cybersecurity programme.
Learning by doing
The most effective way of learning is by doing. Think about kids learning to play soccer, for example. Studies by BCG and MIT have shown that the same theory applies to learning basic cybersecurity concepts. “Doing” via immersion in a simulated cyberattack gives executives working knowledge of the wide variety of cybersecurity concepts that they need to understand to properly support the cyber resilience of their organization.
Cybersecurity is a complex field. The first step is defining a standard syllabus of subjects that need to be covered, which can include liabilities, mandatory regulations, voluntary guidelines, common threats, assets, methods of protecting assets, risk management, methods of detecting intrusions, forensics, and other key capabilities. The second step is taking teams of executives and board members through immersive scenarios using interactive simulations in which the concepts of the syllabus come into play and the impact of board decisions on the organization's P&L is modeled. For example, what are the liabilities to the company (and to the board members) if the company continues operations in the face of a known cyber breach? What systems and protections does the company have in place to redress a cyber incursion? What are the legal and regulatory (and good common-sense) requirements for notifying customers, shareholders, employees and other stakeholders?
In our exercises, participating executives may operate as a single collaborative team, or they may be divided into two or more teams, which compete to see which obtains a better score and finishes the exercise with the highest profits in their virtual P&L. Using such a hypothetical business case approach, the board and senior management learn cybersecurity concepts by experiencing them, and our research shows that they emerge with an excellent understanding of what otherwise seems like a daunting technical challenge.
Developing a cybersecurity strategy
Companies use laboratories to test products and processes before they are put into production. In a similar vein, table top exercises enable companies to test, evaluate and refine cybersecurity strategies, and in so doing, to convert ideas and invention to systematic and scientific discipline.
When executives are immersed in a properly constructed scenario, they see how cyber defenses they have built, or plan to build, actually perform, and the benefits that can be achieved by investments in further vulnerability prevention, attack detection, attack mitigation and recovery. By living through a simulation using the company's own cybersecurity investment plan, the board and senior management can experiment first-hand the impact of each proposed investment, from training to technology. At the end of the exercise, they can consider changes, improvements – and whether a different cybersecurity investment plan might have provided a better outcome. For example, would a greater investment in multi-factor authentication, and/or advanced biometrics, have negated the attack? Would a larger investment in supply chain cybersecurity have made a difference? What would be the benefit of implementing a company-wide training programme over six months rather than over 18 months? The goal is tangible output from the workshop, including a roadmap of next steps and a set of action items that optimize investments for cyber defense.
These immersive exercises allow organizations to focus on how to plan and budget to maximize the business resiliency, including the cyber resiliency, of the company. Sometimes the best investments may be ones that reduce consequences of an attack, rather than trying to prevent the attack outright. A properly designed exercise enables board members and senior management to make more informed trade-offs and decisions on how to best invest in cyber resilience.
Handling cyberattacks is a company-wide concern. Building an effective cybersecurity strategy and culture is an essential competitive differentiator and business enabler. Culture starts with leadership, and leadership starts at the top. Through immersive table top exercises, leaders will gain understanding, and can now start to create in their organizations a culture of cyber resilience.