“Don’t find fault, find a remedy”, as the industrial pioneer Henry Ford used to quip. When it comes to cybersecurity today, both fault and remedy have for too long been left to the IT department. Yet in the Fourth Industrial Revolution, where ubiquitous connectivity and digitalization underpin socio-economic progress and prosperity, it is the responsibility of top public and corporate leaders to take ownership of this challenge.

As cyberattacks grow in sophistication and frequency, strategic decision-making is required to allow for more informed investment and resourcing in order to enhance preparedness and resilience. This is the first of 10 key messages and recommendations to come from over 150 cybersecurity leaders and practitioners who participated in the World Economic Forum Annual Meeting on Cybersecurity in November last year.

As a first step, board and C-Suite members as well as high-level policy-makers need to gain a better understanding of the cyber-risks to which their organization, municipality or country are exposed. This does not mean becoming full-on technical experts; technical expertise rests with the ICT and information security departments or contracted cybersecurity service providers. What urgently needs to improve is the communication and translation of cybersecurity issues between practitioners and leadership. If corporate and government leaders have a strong grasp of their entity’s vulnerabilities and which critical assets are at risk, they can take timely strategic decisions on investment and resourcing to bolster their organizations' resilience and safeguards. The recent downgrade of Equifax by Moody’s showed that cybersecurity readiness is increasingly priced in, and requires a holistic approach to be successful.

Such an approach may require rethinking organizational structures and governance in order to break down silos and enable a more robust cybersecurity posture. Beyond economic losses, the legal, reputational and even physical consequences of a cyberattack can be massive. Leaders must mandate greater cyber-savviness across organizational functions such as risk, compliance, legal, human resources and communications, among others.

Cross-functional task-forces and crisis-response teams that are clear on processes and protocols are crucial when cybersecurity crises hit. When the Norwegian aluminium and renewable energy company Norsk Hydro faced a ransomware attack in March 2019, it decided to refuse payment of the ransom, to report the attack immediately and to be transparent about impact, response and recovery – in addition to collaborating with law enforcement by sharing information. Furthermore, this occurred shortly after the company’s long-standing CEO had stepped down.

From the Annual Meeting on Cybersecurity, Geneva, Switzerland 12-13 November 2019
From the Annual Meeting on Cybersecurity, Geneva, Switzerland 12-13 November 2019
Image: World Economic Forum Centre for Cybersecurity

Navigating a cyberattack successfully under these circumstances demonstrates the importance of having a robust crisis management strategy in place to mitigate negative consequences. Again, this requires corporate leadership to understand and monitor the actual status of their company’s cybersecurity risks, and their response and recovery plans (which equally applies to public entities or NGOs, too). Such readiness also requires regular training and practical exercises.

Beyond that, a culture of cybersecurity needs to be instilled across the organization, from the top floor to the shop floor. The human element in cybersecurity cannot be underestimated. Yet while basic cybersecurity training and hygiene need to be internalized by staff, leaders can leverage technological innovation to curb key attack vectors. For example, new authentication methods can help to replace passwords - one of the most prevalent entry points for data breaches.

Leveraging such technologies requires investment - well spent, considering they can help secure our digital future. Moving data to the cloud, for example, clearly entails risks around confidentiality, integrity and availability. Yet outsourcing security maintenance to cloud providers may actually be beneficial, especially for entities with a limited cybersecurity budget. Providers can better understand the threat environment, deploy the latest security technologies and also cater for physical access security within data centres.

Or consider artificial intelligence (AI). Deploying AI for threat detection and analysis as well as for incident response enables more effective and efficient cybersecurity. At the same time, cybercriminals are adopting new technologies even faster and to their advantage. The developments in AI, quantum and identity management, among others, call for ever-greater investment to stay ahead of malicious actors. Needless to say, talent development also requires funding to build a strong cybersecurity-aware workforce.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

Beyond preventing reputational, legal and even physical damage, what are the incentives for such investment and for the development of a holistic cybersecurity approach and culture? Market players such as insurers and investors are increasingly paying attention to the cybersecurity posture of an organization in their decision-making and offerings. Coherence, however, is still missing. Therefore, trusted and verified cybersecurity ratings are needed to improve assessment and comparability across peers. This not only helps to evaluate organizations' resilience, but could increasingly guide consumer, citizen and investor decisions. Digital trust has evolved as a critical currency in the Fourth Industrial Revolution and cybersecurity has already become a competitive differentiator. At the same time, considering the systemic risks – and opportunities – at stake, digital trust and cybersecurity require collaboration at a pre-competitive level and concerted action by all stakeholders.

Global cooperation across the public and the private sectors is vital - from promoting dialogue and accelerating new models of effective collaboration beyond geo-economic fault lines, across advancing “security by design and default” in the development of new technologies and digital networks, to accelerating knowledge transfer and the adoption of best practices to address the global deficit in professional skills and adequate capabilities, particularly in emerging economies.

Equally, and particularly to prevent the balkanization of the internet, maintaining an open and secure internet must be a collaborative effort between the public and private sectors. The Internet Service Provider Principles - launched at this year's World Economic Forum Annual Meeting - are a major step towards reinforcing safety and trust in cyberspace. They are but one example of how the World Economic Forum's Platform for Shaping the Future of Cybersecurity and Digital Trust can provide a neutral, trusted and globally recognized platform to facilitate cooperation and deliver tangible impacts in global cybersecurity.

Had Henry Ford known that his conveyor belts could be brought to a halt by a hack, that his supply chain would only be as cyber-strong as its weakest link and that the company’s data and intellectual property could easily be stolen by cybercriminals, he would have set out to find a remedy. For private and public-sector leaders today, notably seeking to give meaning to the notion of stakeholder capitalism, it is their responsibility to take full ownership of the cyber challenge and to work out a remedy together.