3 principles to help build a cyber resilient organization

Business Corporate Protection Safety Security Concept

Cyber resilience has become a defining mandate of our time. Image: Freepik.

Georges De Moura
Head of Industry Solutions, Centre for Cybersecurity, World Economic Forum Geneva
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


This article is part of: Annual Meeting on Cybersecurity
  • Cyber-attacks are on the rise around the world, with healthcare and utilities the most targeted sectors.
  • Organizations must not only defend against attacks but be able to recover quickly after a major disruption.
  • Business leaders must embed cyber resilience across their organizations to protect against digital threats.

A large number of government and private sector organizations including some of the most sophisticated companies in the world, have fallen victims to cyber-attacks in recent years. Business critical activities have been disrupted, data has been compromised and the threat continues to evolve at a fast pace.

This year alone, many providers of essential services including energy, healthcare, food, and transportation have been hit by ransomware attacks which crippled their operations and had cascading effects on critical functions that our society relies on.

Have you read?

The COVID-19 pandemic has exposed even more opportunities and vulnerabilities. According to a recent report released by Checkpoint, there has been a 102% global surge in ransomware attacks compared to the beginning of 2020, and healthcare and utilities were the most targeted sectors.

How to anticipate and prevent a high impact cyber-attack

By now, most businesses recognize that they have to invest significant amounts of cash and resources in cybersecurity. Collective global spending has now reached $145 billion a year and is predicted to exceed $1 trillion by 2035.

As the number and impact of cyber-attacks continue to rise, we have come to the realization that globally we’re not doing enough about cybersecurity. The current situation is comparable to trench warfare: progress is slow, and the casualties are high.

No company has the resources to fix all cyber issues and not all fixes are equally important. It is only by starting to identify activities that are important to a business, and understanding how attacks could disrupt them, that one could start to prioritize the process of risk mitigation.

Unfortunately, many companies skip the step of identifying these critical business activities which could be disrupted by a cyber-attack and instead focus on individual technologies to fix individual problems in their IT systems. While there is some value in this approach, a company could spend significant resources without addressing the fundamental issue which is to protect the critical business functions for which the products were procured.


How is the Forum tackling global cybersecurity challenges?

Many companies don’t nearly get the benefits from the investments they make. While there is already a plethora of frameworks and best practice guides aimed at equipping cybersecurity leaders with the tools and knowledge needed to manage cyber risks, business leaders, particularly in SMEs and less mature industries or regions, often struggle to understand the cybersecurity narrative and their responsibilities.

We’re at a crossroad where cyber resilience has become a defining mandate of our time – to anticipate future threats, withstand, recover from cyber-attacks, and adapt to future digital shocks.

Business leaders must be prepared to answer the following questions to reassure their stakeholders:

  • How well prepared are we to counter disruptions related to cyber-attacks?
  • How well can we withstand the loss of mission-critical functions after a cyber-attack and how quickly can we recover them?
COVID-19 Risks Outlook A Preliminary Mapping and Its Implications. Source: The World Economic Forum
COVID-19 Risks Outlook A Preliminary Mapping and Its Implications. Source: The World Economic Forum

These three principles will help business leaders embed cyber resilience into their organizational culture and structure:

1. Cyber resilience must be governed from the top

There is often a perception from non-technical leaders that the cybersecurity field is so complex that they would need to delegate. By bridging the cyber literacy gap, business leaders will be able to make more effective decisions on mitigation strategies.

Businesses should also ensure that an accountable corporate officer has been nominated and reports regularly and directly to the board and executive committee on cyber risks and resilience.

Moreover, the board and executive committee should discuss with their cyber leaders the critical business activities and any concerns they have about what could go wrong:

  • Ask which systems support this activity to help you prioritize, instead of going over which vulnerabilities have to be remediated.
  • Learn about the known attacks, and how they would be able to compromise these systems and the potential economic impact.

2. Cyber resilience must be inherent to the business operating model

Business leaders must start looking at cyber resilience as a business imperative to solve and understand what assets and activities are critical and provide competitive advantage to their organization. A balanced approach to cyber resilience will ensure that investments are not only made in defense and preventive capabilities but also prioritized in response and recovery capabilities from a major cybersecurity breach.

Cyber risk profiles evolve rapidly because of transformational initiatives and changes in operating models.

They also differ between industries and vary widely depending on product and services, geographies and regulatory requirements, and geopolitical context.

By developing the cyber literacy of their workforce and adapting the knowledge required to the role and responsibilities of the employee, businesses will be able to better harness the power of technologies while minimizing the risks associated with the human element.

Moreover, companies need to build internal capabilities to deal with change management processes and incorporate some type of cyber risk assurance. It doesn’t have to be an onerous activity, but it is important that business leaders pay attention to the risk they are accepting.

3. Cyber resilience is an enabler of business outcomes

There will never be guarantees that your organization’s cybersecurity practice will be sufficient to fend off the attack you’ll face. However, if business leaders focus on what is important to protect and understand the kind of attacks that would compromise important business activities, they will be more likely to anticipate and be prepared to mitigate the risk of a major attack and recover quickly.

Such an exercise is continuous and dynamic, and often links with business changes – new supply chain partners, new operating models, etc.

Moreover, business leaders should be seeking value- and outcome-based measures and metrics for assessing the efficacy of the security controls implemented, return on investments for the technologies and services acquisitions made and impact on strategic business outcomes.

To fully realise the dividends of their digital transformation, businesses must align their visions with their risk tolerance. If the security risks associated with the proliferation of technology-enabled infrastructure and internet applications are not appropriately balanced with comprehensive cybersecurity strategies and resilience plans, businesses will be unable to achieve the economic growth and prosperity they seek.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Related topics:
CybersecurityGlobal Risks
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

The rise of smart contracts and strategies for mitigating cyber and legal risks

Jerome Desbonnet and Oded Vanunu

July 16, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum