8 steps to starting a cybersecurity virtuous cycle

In the face of an unprecedented and exponentially growing global cyberthreat matrix, there must be a call to arms to all businesses – big, medium and small – to build cyber-organizational resilience.

According to Verizon, 86% of all cyber breaches are financially motivated. The World Economic Forum has estimated costs from cybercrime will be at around $2.2 trillion this year – likely to grow almost five times to $10.5 trillion by 2025.

Even when businesses do all the right things, they will still be at a severe disadvantage because, unlike many other operational risks, cyber-risk is primarily a frontierless criminal activity where only 0.5% of criminals get prosecuted and/or a nation-state, geopolitical level one, for which businesses are completely outgunned.

One of the few things within a company’s cyber-control is building organizational cyber-resilience. Here’s an eight-step plan to get this done.

Even being resilient doesn’t guarantee cyber-success. But what it does do is provide greater confidence and trust to key stakeholders that the company is doing its utmost to safeguard the crown jewels of the company, including people and assets, as well as pursuing a mission, purpose and strategy that is both resilient and sustainable.

Cyber-resilience is an organization’s ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber-events. Organizational practices to achieve and maintain-cyber resilience must be comprehensive and customized to the whole organization (i.e. including the supply chain). They need to include a formal and properly resourced information security programme, team and governance that are effectively integrated with the organization’s risk, crisis, business continuity, and education programmes.

It slots into the broader context of organizational resilience, which is the ability of an organization to provide and maintain an acceptable level of operation, service and performance in the face of challenging conditions, disruptions, risks and crises, and to bounce back and recover quickly from them with minimal impact to the organization including to its reputation.

This is the best possible “Virtuous” organizational resilience life-cycle (as opposed to the “Vicious”, depicted beneath it):

Let’s review the eight elements as they apply to cyber-resilience:

Your leaders understand the depth of the cyber challenge and are prepared to provide tone from the top and necessary resources and budget to create lean-in, triangular cyber-risk governance where board oversight, C-suite strategy and front-line functional and operational coordination of cyber policy take place.

In this World Economic Forum, ISA, PwC and the National Association of Corporate Directors publication, these resilience elements are underscored:

The culture that the tone from the top imbues the organization with is one that highlights, underscores, incentivizes and reinforces a culture of information hygiene and cyber hygiene where all concerned are trained regularly on pitfalls and best practices. Employees are not afraid to speak up, and when they do they are not ignored. Here’s a great set of approaches from the Chief Information Security Officer of the World Health Organization, Flavio Aggio:

• Work hard to change the mindset that “IT ensures 100% security”

• Monthly phishing exercises make users understand cyberattacks faster and better

• Communicate often, but not too much

• Concentrate on “what’s in it for me?”

• Collaborate and share information with external organizations

• Concentrate on human-centric technology

Each company needs to know where its cyber crown jewels are (assets – digital or physical that cyberattackers might be interested in), understand how to prioritize and protect them and then understand how their main stakeholders – owners/shareholders, customers, employees, other – may be negatively affected. A key part of this component of cyber-organizational resilience is to reach out and have close stakeholder relations and information-sharing, especially in the more vulnerable sectors with the greatest potential damage from cyberattacks (health, utilities, financial).

It is absolutely crucial that cyber-risk management be a seamless part of a company’s risk-management system – fully integrated into enterprise risk management and risk mitigation and transfer opportunities such as cyber insurance. Part of a robust cyber-risk management programme is to have the right interdisciplinary, cross-functional, multi-divisional group of experts internally (with access to outside experts) within your company.

No business will be cyber-secure or prepared if it does not integrate cyber-risk considerations into its business strategy. Period. There are too many weak links in the chain – whether at the innovation stage, the product or services research and development chain, the supply chain, the mergers and acquisitions space, talent acquisition strategy (employee or contractors, subcontractors, etc.) or simple software updating protocols – if a company is not bringing vigilance into all aspects, it exposes itself to potential cyber damage and lost opportunities.

You cannot reward what you cannot measure. The same goes for cyber-resilience – how do you measure it? Do you have the right people, doing the right things, with the right resources, budget and reporting? All of it tied back to professional and executive compensation metrics and properly reported to the board?

Companies must have a crisis management team and plan that is ready at any given time, especially in these turbulent times, to deal with a major crisis, including in the cyber realm. That means that the right people, resources and tools are ready and available, and that proper scenario-planning by an interdisciplinary team of high-level professionals, the executive team and the board is being addressed periodically. All this seamlessly integrated with business continuity and data management.

The same approach that companies give to their product and services innovation should be brought to cybersecurity and risk-management innovation. This means thinking and acting outside of the box and integrating lessons learned from both company incidents, as well as sector and industry incidents, that might have occurred. It means joining sector information-sharing groups and public/private collaboration. It means doing deep dives, root-cause analysis and adopting the important takeaways. It means that the cybersecurity ethos must be one of continuous improvement and reinvention.

While there are no guarantees in the rapidly changing and explosive world of cyberattacks, business has the responsibility to at least build resilience – and these eight steps will go a long way.

• Andrea Bonime-Blanc is the author of Gloom to Boom: How Leaders Transform Risk into Resilience and Value. This piece is based on a longer feature article, published in Spain’s Actuarios Magazine Spring 2021 edition.