• Beyond complex terminology, there are other factors that shape the way security and business leaders approach cyber security.
  • Cyber security management is constantly evolving thanks to changes in technology, changing processes and changing cyber threats and risks.
  • Cloud security should be a priority for all concerned.

Planning for months ahead can seem like an eternity in the current climate. But as the world continues to leverage digital innovation ever faster, company boards must ask themselves the tough questions to make the right risk-reward decisions for the future of their businesses.

Asking the right questions shows a grasp of the knowledge sphere. Yet listening and comprehending the answers isn’t always so easy. Cyber security is said to be full of acronyms, so it can seem like a foreign language. This makes it tougher to get useful answers. This may explain why so many boards look to their own staff for the appropriate way to manage cyber risks.

Beyond the terminology, there are other factors that shape the way security and business leaders approach cyber security and nuances that affect the quality of security that is eventually provided.

Mismatch of goals

Boards think strategically about how to maximize profit and minimize losses, which typically requires taking calculated risks. Cyber security officers (CSOs) on the other hand focus on how to maximize risk management and mitigate risk. To put it simply, boards think in dollars, cents, and shades of grey, and CSOs take a binary approach to risk, which leads to them to think in absolutes. They focus on questions like how to keep businesses safe and how to quickly respond to security incidents. So, while boards are thinking about cost, CSOs are thinking about action. My suggestion is to always challenge your CSO and security team to come back with 2-3 solutions to each security risk, with different costs and criteria of success.

Different timelines

Cyber security management is constantly evolving thanks to changes in technology, changing processes and changing cyber threats and risks. As such, CSOs do not make long-term plans and like to frequently update their boards. By contrast, business leaders tend to plan in much longer cycles. It can be frustrating for board members who want CSOs and their teams to adopt steady and predictable planning cycles. But business leaders must recognize that the cloud and cyber threats are dynamic and that solutions will vary day-to-day and month-on-month.

Defining key terms

Many of the technical terms used by CSOs and their teams are static and yet what they describe continues to change. One example would be 'ransomware'; this is a term that many non-specialists have heard of, but the way it functions, and the damage it can cause continues to evolve. The ransomware of two years ago is very different from the advanced ransomware we have today, and it will evolve further in the years to come. Both CSOs and business leaders must work towards capturing the same understanding of key technical terms.

Understanding the risks of the cloud

Many businesses believe that the best way to operate is to make everything digital so that they can ensure both speed and efficiency of business processes. Analysts continue to flag digitization as the door to new markets and cost reductions, which is sweet music to business leaders’ ears. On the other hand, CSOs and their teams approach the cloud from a security perspective. For example, many businesses have shifted customer records to the cloud to reap operational gains and increase profits by leveraging client data in new and innovative ways.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

From a security perspective, the focus would be on managing the risks that come with uploading customer data to the cloud. And there would be cost implications around new security controls, processes, and training to protect that data from attack. This protection would extend beyond just the company itself to third party infrastructure, which can be a challenge for in-house CSOs and their teams to roll-out.

All things considered, cloud security should be a priority for all concerned. Here are some key areas that CSOs, boards, and third-party providers must consider as they manage the risks that come with the cloud.

  • The dynamics of every business process, and how frequently those processes should be reassessed for opportunities and risks
  • The third-party dependencies of cloud processes and what they mean to the business from a risks and delivery perspective
  • The metrics used to measure the successful delivery of cloud functions and the risks around that. Every team member needs to know what those metrics are and to understand exactly what they mean
  • The ‘how' is as important as the ‘what’. Business leaders must challenge their teams to understand cloud process and to appreciate the inherent opportunities and risks that could happen at various stages of the chain


Knowing the right questions to ask is key, but only if you can understand the answers. Digital innovation continues to evolve at pace, which can make it hard for business leaders to fully appreciated the risks and opportunities that come with it. Therefore, everyone on the team needs to understand how to measure the efficacy of digitalization vis-à-vis the risks. Every company will have its own metrics, based on individual questions, and demands, and provision of the right answers and solutions.