- Frauds such as phishing, malware and ransomware attacks pose a threat to entire economies, governments, and our way of life.
- Cyber security focuses on protecting data, but it is no longer sufficient; businesses need cyber resilience.
- To help businesses implement greater cyber resilience, a framework is needed to measure it.

Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life.

Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.

Why cyber resilience over cyber security

Cyber resilience starts with nailing the cyber security basics; at Salesforce, we call it “doing the common uncommonly well.” This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security. But we need to be doing these things continuously, not just once a year.

Beyond that, businesses need to build resilience into every part of the organization, from business process mapping to engineering service availability to critical vendor dependencies. They need to limit the impact of cybercrime on a company’s brand, finances, legal position, and customer trust obligations. While these areas typically receive limited attention, resources, or executive focus, they are significant elements in the case of a real threat.

The aim of cyber resilience is clear enough: to ensure operational and business continuity with minimal impact. But the reality can be harder to pin down, because there’s currently no good way to measure cyber resilience. As leaders, we need to have a certain level of confidence in our ability to respond to an attack, to maintain our customers’ trust, to absorb the financial, legal, and brand impact, and to get back to business. But there is no widely accepted cyber resilience framework, no maturity model, and I think there should be.

After all, there are countless other maturity models, which allow businesses to measure capabilities, digital transformation, supply chain, cyber security, and data management, to name just a few. What might cyber resilience maturity look like? It is not just about the ability to respond and recover; it is about how quickly we recover and what we prioritize.

I am not proposing another checklist or self-assessment methodology. A mature cyber resilience approach should be flexible, adaptable, and continuously improving. I propose we design a framework that describes a set of characteristics that helps a company and its leadership understand what cyber resilience is and how it will be achieved. This framework would describe an approach and attitude towards delivering cyber resilience.

For instance, is your organization committing random acts of resilience? Building a plan only to look at it when an auditor asks? Building call trees when you would be better off using PagerDuty? Real resilience involves a multi-dimensional approach that dynamically responds to threats while keeping your business goals intact.

Measuring cyber resilience might involve:

- identifying your crown jewels and critical capabilities;

- looking at the interconnectedness of your systems and how vulnerable you are to attack;

- adapting more quickly to the broader social and political climate;

- creating partnerships with peers, competitors, and public entities;

- looking at how your team hires and develops skills;

- changing your approach, so you are not only securing the business but enabling the business through security;

- measuring whether you are maintaining a culture of trust and agility; and

- measuring customer trust and transparency.

Every organization will have its unique risks, and no one model can serve as a one-size-fits-all approach to cyber resilience. But this approach can help guide investment decisions, unite stakeholders around a common goal, and usher in the practice of continuous improvement. Most of all, cyber resilience should provide leadership with the confidence that when the worst happens, an organization can still deliver on its commitments.

Challenges in the use of maturity models

An assessment-focused framework based on a numerical score can lead to a box-checking culture. But cyber resilience is not about comparison, and there is no final destination. This measurement framework should scale across industries by focusing on the people, processes, and technology required to ensure entire value chains are resilient.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap by improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks and protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission-aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure digital peace and security and encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and to refrain from doing harm.


When the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cyber security was introduced, there was a national call to action. Now, society and business are at another turning point. Both public and private organizations are working in entirely new, more digital, more distributed ways, which has further opened the floodgates to cyber risk. The May 2021 Presidential Executive Order states that: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” It calls for a public-private partnership to make the bold changes necessary to protect hybrid cloud infrastructures.

And like the NIST Framework, it’s important that a new, scalable cyber resilience framework is developed out of just such a partnership, fit for organizations to use across industries. So consider this an open call: can we come together to establish this framework? Can we make cyber resilience a part of business as usual? We need to work together to make everyone stronger.