Cybersecurity

Building a cyber resilience strategy for a geopolitically unstable world

Photo shows a padlock on top of a keyboard illustrating the need to develop a strong cyber resilience strategy

Developing a strong cyber resilience strategy is key to protecting against cyber threats in an unstable world Image: Photo by FLY:D on Unsplash

Andrea Bonime-Blanc
Founder and CEO, GEC Risk Advisory
Tomer Saban
CEO, WireX Systems
Share:
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:

Cybercrime

Listen to the article

  • Russia's invasion of Ukraine has increased the risk of cyber attacks on businesses and other organizations, such as NGOs and universities.
  • To create an effective cyber resilience strategy, it is important to have four critical internal, overlapping cyber-systems in place relating to governance, culture, risk, and crisis management.
  • Organizations that have a systematic approach to cyber-risk governance and a culture of cyber-hygiene, cyber-risk management and cyber-crisis management can achieve systematic cyber preparedness and resilience.
Loading...

As Russia's invasion of Ukraine becomes more entrenched, with important cyber and disinformation components, businesses and other organizations, such as NGOs and universities, must have four critical internal, overlapping cyber-systems in place to build a strong cyber resilience strategy. These relate to governance, culture, risk, and crisis management.

The figure below summarises the thesis of this piece, which is that businesses that have a systematic approach to cyber-risk governance, a culture of cyber-hygiene, cyber-risk management and cyber-crisis management strategies will be able to achieve systematic cyber preparedness and resilience. Vital to surviving and thriving in our tumultuous times.

Systematic cyber resilience
The four tick boxes for systematic cyber resilience Image: Ⓒ A Bonime-Blanc, GEC Risk Advisory 2022

It is no longer good enough to hope for the best or to ‘acquire' some technical solutions and think of cyber-security as a ‘once and done’ job or something that is optional or siloed. Cyber-security is a multi-system of continuous concern and it's now exacerbated by a global environment of continuous risk and crisis. We are under assault on numerous global fronts – climate, geopolitics, war, infectious disease, humanitarian crises and, yes, cyber and disinformation.

Discover

How is the Forum tackling global cybersecurity challenges?

For situational awareness, it is key for businesses and organizations to understand the moment we are living in and the five megatrends that are affecting them in both predictable and unpredictable ways, opening them up to cyber exposure. These trends, more deeply explored in The ESGT Megatrends Manual 2022-2023, are:

1. Geopolitical tectonic shifts catalyzing

2. Climate and war propelling complex risk

3. Technological disruption becoming multidimensional

4. Stakeholder capitalism and ESG intertwining

5. Leadership and institutional trust recalibrating

As the impact of these megatrends squeezes all manner of entities – corporate, social and governmental – a much greater situational awareness that systematically includes a cyber resilience strategy must be the top priority for organizations. Let’s start with a review of where we are:

The geopolitical context of cyber resilience

Since Putin’s invasion of Ukraine in February 2022, several major tectonic geopolitical changes have catalysed, not the least of which is how global democracies have upped their game on cybersecurity collaboration both inter-governmentally, as well as in private/public operational collaboration and in the overall sense of unity that NATO and the EU, for example, have experienced.

The fact that no major cyber-attack, along the lines of Not Petya or Colonial Pipeline, has transpired, however, has the danger of lulling business leaders into a sense of complacency that (a) war-related cyber-attacks will not happen because Western nations have it ‘under control’ or (b) the Russians are too distracted or unable to execute high-impact attacks.

Neither is true. Indeed, several cyber-attack trackers prove otherwise – as this one from The Council on Foreign Relations and this one from the Cyber Peace Institute show.

Moreover, several important developments have taken place that demonstrate that business needs to adopt several critical cyber-systems as part of a continuous strategy of cyber and organizational resilience. This means that:

  • Cyber warfare should be thought of more broadly as including information and disinformation warfare.
  • Businesses operating in or with Russia will remain prime targets for the rise in hacktivists and anonymous cyber actors taking the side of Ukraine against Russia.
  • Businesses should be wary of official and unofficial allies of Russia (China, North Korea, hacker groups, etc) who might take advantage to assist the Russian side of this equation against the loose coalition of democratic nations and multilateral alliances assisting Ukraine.
  • Businesses outside of Ukraine, Belarus and Russia may not have experienced major cyber disruptions relating to the Ukraine war yet, but businesses anywhere should brace themselves for disruptions to essential government and business services in the energy, transportation, and financial sectors.
  • The role of economic sanctions against Russia may play into the underlying cyber-warfare in ways that are predictable and unpredictable, making businesses on the front lines of implementing some of these sanctions particularly vulnerable.
Have you read?

Four business cyber-system imperatives

In the face of this continuous risk and crisis environment, it is imperative that businesses build overall organizational resilience with the eight elements of the Virtuous Resilience Lifecycle Model shown in the figure below.

The virtuous cyber resilience lifecycle
The virtuous cyber resilience lifecycle Image: Ⓒ A Bonime-Blanc, Gloom to Boom, Routledge 2020

Building on our work on cyber-organizational resilience and that of the World Economic Forum, NACD and Internet Security Alliance, below is a depiction followed by a description of the four necessary cyber-systems needed to build overall organizational resilience. Companies that get it, get the best chance at organizational cyber-resilience and surviving and even thriving through the global storm.

Where the four cyber systems fit within the virtuous cyber cyber resilienceresilience lifecycle
Where the four cyber systems fit within the virtuous resilience lifecycle Image: Ⓒ A Bonime-Blanc, Gloom to Boom, Routledge 2020

1. Systematic cyber risk governance

Systematic cyber risk governance needs to be a core part of the board’s work. Keeping cyber-security on the agenda of the board and the c-suite with at least quarterly updates is a must in this environment. The figure below summarizes how the board must be the driver of cyber-risk governance, always coordinating with the c-suite for strategy and with frontline cyber-managers for implementation.

Cyber risk governance cyber resilience
The board must drive cyber risk governance Image: Ⓒ GEC Risk Advisory sourced from A Bonime-Blanc, Gloom to Boom, Routledge 2020

2. Systematic cyber hygiene culture

This is the second system-wide element that must be omnipresent in an organization beginning with a systematic and intelligent approach to personnel cyber-hygiene education. A critical part of this system-wide culture is to have a set of coordinated, deliberately constructed and synchronous IT systems designed for coordinated information security measures at every level - network and cloud – as well as for prevention, detection and auditing.

3. Systematic cyber risk management

As many experts have pointed out, cyber risk is a business risk and must be part of an enterprise risk management (ERM) system. See the figure below. This is the only way to produce useful and consistent cyber metrics that are part of ERM and cyber-specific dashboards and reports that go to the c-suite and the board. Such metrics are increasingly required for outside stakeholders, such as regulators, too.

A big picture visualisation of enterprise risk management cyber resilience
A big picture visualisation of enterprise risk management Image: Ⓒ A Bonime-Blanc, Gloom to Boom, Routledge 2020

4. Systematic cyber crisis management

This means making sure that the nuances and bells and whistles of possible cyber exposure are considered in the creation, development, revision and implementation of organizational crisis management teams and plans, business continuity strategies and tactics and data protection and backup considerations. The figure below suggests that for cyber risks and crises (as for others of significant impact and import), cross-functional teams of internal and external experts need to work in close coordination before, during and after the crisis event.

The risk management cross functional imperative cyber resilience
The risk management cross functional imperative Image: Ⓒ A Bonime-Blanc, Gloom to Boom, Routledge 2020

Also read about the biggest risks facing the world from 2023's Global Risks Report.

Loading...
Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Share:
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Quantum computing could threaten cybersecurity measures. Here’s why – and how tech firms are responding

Simon Torkington

April 23, 2024

About Us

Events

Media

Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum