As cyber attacks increase, here's how CEOs can improve cyber resilience

Unprecedented digitalization in our society has pushed many business leaders and executives to understand how they can adequately assess and govern cyber risk. Governing cyber risk is a holistic process aiming to improve organizational cyber resilience. In this context, governments define cyber resilience obligations, designate critical infrastructure that requires mandatory protection and help investors better compare their companies’ cyber efforts.

Successfully managing cyber resilience is necessary as organizations and executives face fines and other serious consequences. Potential repercussions mean board members must understand cyber risks and the best ways to mitigate them.

This is easier said than done. Ninety-three percent of companies are confident in their best practices mitigating cyber risks, while 57% expect to be hit by a cyber attack. Unfortunately, only half of these organizations have implemented suitable cyber measures.

In 2021, the World Economic Forum and its partners, with the National Association of Corporate Directors (NACD), Internet Security Alliance (ISA) and PwC, published the Principles for Board Governance of Cyber Risk (the Forum’s Cyber Risk Principles), critical to driving resilience across industries. This guidance (initially developed for corporate boards of directors) is summarized in six principles:

The principle represents a significantly different approach to resilience compared to how organizations delegate cyber security to IT, have a misplaced perception of the strategic nature of cyber risk and keep breaches under wrap.

A misplaced perception of the strategic nature of cyber risks can have enormous consequences. For instance, software company Kasaye experienced a ransomware attack in July 2021, which caused the postponement of their planned initial public offering (IPO) until further notice, leading them to fail to raise an estimated $875 million. Moreover, SolarWinds, breached in 2019, had specific advertising techniques to display their commercial success stories of high-profile customers, ultimately providing a “shopping list” for the adversary.

With cyber risk a vital issue on leaders’ agendas, MIT CAMS has developed a method to improve leaders’ abilities to foresee and manage cyber risks. This technology, referred to as a cyber risk dashboard, is grounded in control theory and system dynamics and is built on significant research in the field, including interviews with chief information security officers (CISOs). It has been validated over the years at a Fortune 500 company by analyzing a wide range of strategic cyber risk challenges.

The dashboard closely mimics the cyber risk decision-making ecosystem. It considers current defence posture and development of attack tactics, emerging cyber incidents and changing organizations in terms of people, processes and technology. The cyber risk dashboard provides the means to make projections according to the performance indicators of an organization’s cybersecurity strategy. This work can be easily adapted for other strategic analyses. MIT CAMs used a simulation added approach to understand organizational behavior when adapting the Forum’s Cyber Risk Principles.

The use of personas – artificial decision-makers profiles with specific characteristics that drive their cyber risk management strategy – is a scientifically grounded approach to exploring the behavioural side of cyber risk management. Using the personas of different organizations to drive strategic decision-making, this simulation technology can foresee the future impact of their strategy. In this analysis, we also reuse data from our anonymized case study at a Fortune-500 company called Smart Wealth Management Inc. As such, we recognize:

This CEO might be aware of the principles but has yet to adopt them (yet). This CEO focuses on reasonable compliance with security standards and controls security costs. Increasing workload and lack of security resources drives a more reactive approach to cyber risk.

This CEO is cyber-conscious but has gone further by adopting the Forum’s Cyber Risk Principles to foster resilience. He or she may be a signatory to the Forum's Cyber Resilience Pledge. This CEO has a proactive and anticipatory approach to threats, knows how their technology drives their business and focuses on maintaining business performance and cyber risk cost predictions.

We observe a significant difference when comparing the strength of defence posture represented by the number of security incidents/compromised assets. The CEO who follows the Forum’s Cyber Risk Principles (the WEF-CEO) is predicted to have up to 85% fewer cyber incidents (see Figure 1) compared to the CC-CEO.

The cyber risk efforts and task prioritization of the WEF-CEO allows early intervention that limits adversarial behaviour, whereas the CC-CEO’s team often responds slower, which ultimately benefits the adversary.

Similar insights can be observed in the risk profile (see Figure 2) regarding a frequency distribution of potential cyber incident occurrence in favour of the WEF-CEO, mainly when vast numbers of cyber incidents may require the IT teams to help the security teams. These situations, known as spill-over effects, require IT task reprioritization, usually at the expense of IT project delivery.

The WEF-CEO likely has lower costs than the CC-CEO (see Figure 3). The major difference between these two scenarios is in the allocation of task priorities and cyber risk efforts of the security staff. The CC-CEO has ongoing efforts that require additional staff resources to support response and recovery processes, execute post-mortem research and adjust and improve security capabilities accordingly. The WEF-CEO-implemented security by design has an ongoing proactive capability adjustment and improvement (including continuous automation) and has implemented regular board-level cyber risk dashboarding and reporting.

Adopting the Forum’s Cyber Risk Principles demonstrates that individual organizations can significantly improve their cyber resilience without raising costs. In these simulations, adopting the principles proved valuable. In practice, interconnectedness and connectivity between organizations introduces new interdependencies, which will be explored through further research and simulations. The current findings in themselves, however, make a strong case for organizations to adopt the Forum’s Cyber Risk Principles.

MIT’s work is co-funded by Fondo Europeo di Sviluppo Regionale Puglia POR Puglia 2014 – 2020 – Asse I – Obiettivo specifico 1a – Azione 1.1 (RS) – Titolo Progetto: Suite prodotti Cybersecurity e SOC and BV TECH S.p.A. and co-funded by Cybersecurity at MIT Sloan (CAMS).