Cybersecurity

4 ways to incorporate cyber resilience in your business

Workers deal with cyber resilience on their computers.

Collaboration is key to cyber resilience. Image: Sigmund/Unsplash

Joe Nocera
Cyber and Privacy Innovation Institute Leader, PwC US
Share:
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:

Cybersecurity

  • Cybersecurity is a major concern for all organizations and collaboration is key to effectively tackle this threat.
  • A report on Cyber Governance by the World Economic Forum, PwC, the National Association of Corporate Directors, and the Internet Security Alliance looks at how board directors can manage cyber risks.
  • Here we explore how companies can accomplish cyber resilience through collaboration.

One goal, one team.

Effective cybersecurity has become a shared responsibility that demands teamwork and an unwavering commitment to internal and external collaboration.

Today, threat actors are targeting organizations and entire industries with increasingly effective cyberattacks. Cybersecurity failure has become a leading threat, according to the World Economic Forum’s Global Risk Report 2022. Businesses agree: 70% of board directors view cybersecurity as a strategic enterprise risk, according to a survey conducted by the National Association of Corporate Directors (NACD).

The ascendant trajectory of cybercrime shows no sign of decline. In fact, 60% of executives forecast that cybercrime will continue to surge in 2022. In particular, respondents expect more attacks on cloud services, ransomware intrusions, and compromises of critical infrastructure. Threat actors are also exploiting dangerous new software vulnerabilities such as the Log4j flaw, which can enable them to remotely execute code on systems and networks. There is also growing unease that geopolitical conflict will likely result in further cyberattacks on critical infrastructure.

In a report published by the World Economic Forum, PwC, the NACD, and the Internet Security Alliance (ISA), we identified six principles that can support board directors in governing cyber-risks:

  • Cybersecurity is a strategic business enabler
  • Understand the economic drivers and impact of cyber-risk
  • Align cyber-risk management with business needs
  • Ensure organizational design supports cybersecurity
  • Incorporate cybersecurity expertise into board governance
  • Encourage systemic resilience and collaboration

In this article, we dive into the sixth principle: encourage systemic resilience and collaboration. Systemic risks require systemic resilience. This requires a decisive dedication to collective effort — and a great deal of individual resilience.

The good news? There are “power moves” you can incorporate to start building resilience in your organization.

Have you read?

Become a cybersecurity team player

Effective cybersecurity comes from the top. The CEO, board, and other senior leaders should champion a cybersecurity culture that fosters collaboration across the company, the industry and with public and private stakeholders.

Creating a culture of security will require everyone's involvement — the board, C-suite, chief information security officers (CISOs), line of business leaders, and individual employees. You will also need to partner with supply chains, contractors, and other third parties.

Discover

How is the Forum tackling global cybersecurity challenges?

Given the complexity and stealth of today’s cyber threats, it is likely that boards will need a bit of cybersecurity tutoring. CISOs may need to step in to help senior executives understand threats, potential business impacts and the specific role each executive can play in keeping the company secure.

Awareness doesn’t stop at the C-suite, however. Cybersecurity education should cascade down to every employee and include training, upskilling, and career advancement opportunities.

Educating the board has become urgent thanks to new regulations requiring cyber disclosures. In the US, for example, the Securities and Exchange Commission (SEC) has proposed rules for disclosing material cyber incidents and practices in cyber governance, strategy, and risk management.

The rules may require public companies to disclose details of the board of directors’ oversight of cybersecurity risk and cybersecurity expertise – if any. Disclosures include the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic. A new law requires entities in critical infrastructures to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA).

How to make the move

  • Allocate more time to security discussions in board or subcommittee meetings
  • Provide training for board members to become more cyber-savvy
  • Use business language to frame discussions of cyberthreats
  • Create plans for effective collaboration
  • Confirm performance measures for cybersecurity are aligned for all business executives and not just the CISO

Conduct tabletop exercises and update Business Impact Analysis (BIA)

Security training for employees is essential. But resilience calls for more.

Tabletop exercises, which use simulated attacks to illustrate threat response and decision-making processes, can be an effective way for board members to practice the decision-making required in a cyber crisis. Tabletop exercises can prepare business leaders to confidently — and quickly — take appropriate action when real threats are detected. They can illuminate gaps or weaknesses in current response plans.

Similarly, a business impact analysis (BIA) can help organizations develop more targeted and effective strategies for incident response and business continuity. BIAs prioritize business systems, processes, and interdependencies to focus defence, response, and recovery strategies on the issues that matter most to the business.

How to make the move

  • Revisit and update the company's BIA annually or whenever a major business change occurs
  • Leverage the BIA to inform Cyber Resiliency Planning
  • Conduct tabletop exercises throughout the year at different levels of the organization (technical, business, C-suite and boards) using different threat scenarios
  • Consider including critical third parties like outside counsel and law enforcement in some tabletops

Build relationships with info-sharing groups, law enforcement, and government agencies

If cybercriminals share information on attack techniques and tools — and they do — then why shouldn’t you? Sharing intelligence about cyber threats and responses may be critical to staying ahead of cybercriminals. Companies cannot, single handedly, defend themselves against attacks by powerful hackers.

Critical infrastructure providers, for example, require proactive cooperation and collaboration among governments, cybersecurity groups, industry peers, and organizations to combat geopolitical and nation-state threats.

The practice of cyber-related information-sharing is growing around the world. Today, 84% of global organizations say they participate in public-private information-sharing. Organizations fostering such a culture include the World Economic Forum Centre for Cybersecurity, Interpol, the US CISA, the UK National Cyber Security Centre, and the Open Data Center, where there is global collaboration of over 1,500 governments and organizations.

Loading...

You should build robust relationships with local, national and global government and law enforcement agencies to promote intelligence sharing. In addition, companies can build ties with nonprofit cybersecurity organizations such as Information Sharing and Analysis Centers (ISACs), some of which offer 24/7 threat warnings, incident reporting capabilities, and networking opportunities.

Sharing requires trust. Organizations are often reluctant to disclose incidents and responses to industry peers and government entities. To create a collective consciousness of cybersecurity, attitudes must change. While private-public collaboration is commonplace — 45% of organizations do so — there is often a reluctance to divulge breached information. That mindset must change.

How to make the move

  • Use all available resources, including government agencies, to identify potential threats
  • Participate in collaborative groups such as the European Union Agency for Network and Information Security (ENISA), Information Systems Security Association (ISSA International), the Cloud Security Alliance, the Internet Security Alliance, and WiCyS Women in Cybersecurity
  • Join information-sharing groups such as the Information Security Forum, the Anti-Phishing Working Group, and ISACs
  • Critical infrastructure providers can join organizations such as the European Programme for Critical Infrastructure protection, the Task Force on Critical Infrastructure Protection, and the DHS Cyber Information Sharing and Collaboration Program (CISCP)
  • Proactively build relationships with law enforcement and government agencies prior to a breach occurring
Discover

How is the World Economic Forum improving the global financial system?

Collaborate on collective cybersecurity

In today’s hyper-connected digital world, cybersecurity is no longer the responsibility of a singular organization or single executive.

Cybersecurity is the ultimate team sport and it is crucial for businesses, industries, and governments to unite to defend against global threat actors.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Share:
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Safeguarding central bank digital currency systems in the post-quantum computing age

Cameron Nili, Tom Patterson and Carl Dukatz

May 21, 2024

1:06

About Us

Events

Media

Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum