Why effective cybersecurity and risk management are crucial for business growth

Cybersecurity is crucial across all devices

Cybersecurity is crucial across all devices Image: Getty Images/iStockphoto

Jay Chaudhry
Chief Executive Officer, Chairman and Founder, Zscaler
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


This article is part of: World Economic Forum Annual Meeting
  • Technology has changed and enhanced how business is conducted, but it has also introduced a raft of new cybersecurity risks.
  • Business leaders must understand their cybersecurity risks and how to manage them to ensure the safety and security of their organizations, customers and products.
  • An organization’s best defence is to accurately assess its risk, employ techniques to effectively manage that risk and develop a cybersecurity strategy that aligns with its risk profile.

Disruptive technologies, such as mobility, cloud, IoT and AI, have fundamentally changed our lives. They have transformed how we live and work in ways we could have never imagined just a few years ago. While these technologies have yielded a great number of benefits to organizations, they have also changed how business is conducted and introduced a raft of new cyber risks. With everything now being online and data residing everywhere, cyber poses the biggest business risk to organizations.

The global average cost of a data breach in 2023 was $4.45 million, an increase of 15% over the last three years with no signs of slowing down. Leaders need to understand the nuances of cybersecurity and risk and how to effectively manage that risk to ensure the safety and security of their organizations, customers and products.

The honest truth

Risk is everywhere - and that fundamental fact of life is true in the business world as well. With the rise in digital business, organizations now need to focus on protecting their digital assets, such as customer and employee data, just like they would with their physical assets – their offices and equipment. But, as digital data becomes the backbone of business, its value to cyber criminals also increases and the potential damage of a breach to an organization can include damaged reputations, stolen intellectual property and loss of revenue.

Because it’s impossible to fully eliminate business risk and with cyber constituting the largest portion of that risk, leaders should instead focus on managing risk by identifying what’s mission-critical to their organization and then determining how best to protect it.

Have you read?

Examining different types of cybersecurity risks

To effectively manage risk, leaders must do a holistic business risk assessment and evaluate their organization’s risk appetite. In addition to cyber risk, leaders must also consider other risk types, such as operating risk, credit risk and market risk, and break them down into three categories:

1. Mitigatable risk - the amount of risk that can be mitigated with investments in technology, training and additional resources.

2. Transferable risk - the amount of risk that can be transferred to a third party through insurance.

3. Acceptable risk - the amount of risk that can be accepted by the organization (also referred to as acceptable loss).

It’s important to keep in mind that not all risk is created equal – in today’s digitally-driven business world, by all accounts and measures, cyber still represents the biggest risk to modern organizations. Careful assessment, however, of each of these risk categories against the different risk types will provide leaders with the means to make the proper risk management decisions for their organizations.


What is the Forum doing to avert a cyber pandemic?

Regulatory mandates place new expectations on leaders

Cyber’s outsize role in the organizational risk equation is reflected in recent government actions in regulating various cybersecurity-related areas, such as the reporting and disclosure of cyber incidents and the manufacture of digital products.

Examples of government regulation include the Securities and Exchange Commission’s July 2023 cyber mandate that requires U.S.-based public companies to disclose material cybersecurity incidents and provide information on their cybersecurity risk management strategies for the purpose of ensuring consistent and decision-useful disclosures regarding an organization's exposure to cybersecurity risks and incidents. And, most recently, the European Parliament and EU Council reached an agreement on legislation as part of the Cyber Resilience Act that mandates that connected device manufacturers report serious cyber incidents and actively exploited vulnerabilities.

Clearly, these developments demonstrate cyber’s increasing impact on business, but I believe that a balanced approach is most prudent when it comes to government regulation. While some level of government oversight is needed, over-regulation can also stifle innovation, hurt businesses - and ultimately, economies - overall.

Nevertheless, increased regulatory mandates require business leaders to keenly understand the business impacts of a cyber breach within the context of managing risk.

Other considerations for managing risk

Business and industry are dynamic environments and, when it comes to cyber, technology can only get us so far. Cybercriminals are evolving their techniques at an alarming rate and the stakes are only getting higher. Yet, with cyber spending at an all-time high – to the tune of $219 billion on legacy solutions, such as firewalls and VPNs – why aren’t we seeing a drastic reduction in cyber incidents?

The answer is inertia. Leaders need to be aware of the disadvantage that inertia poses when it comes to managing cyber risk. Because change is uncomfortable, many organizations simply keep doing what they’ve always done – implementing legacy technology solutions in the hope that increasing investment will address the problem. But, as the saying goes, “What got us here won’t get us there,” because the game has fundamentally changed, meaning current modes of cyber defence must also change. Leaders must be open to new approaches, like zero-trust architectures, to protect against escalating and evolving threats.

Steps for corporate boards to manage cybersecurity risks.
Steps for corporate boards to manage cybersecurity risks. Image: Zscaler

The only way to combat this is to change the current mindset, shift expectations and embrace change. This happens gradually and it requires leaders to tap into non-technology factors, such as establishing a progressive, risk-aware culture that builds cyber into all processes through transparent leadership and open communication. I’ve seen first-hand that those leaders who follow this playbook tend to be the most successful at managing risk, thus decreasing the likelihood of a serious cyberattack.

The reality is that cyberattacks will continue to happen, especially as technologies, such as AI, advance and threat actors find novel ways to exploit vulnerabilities, so an organization’s best defence is to accurately assess its risk, employ techniques to effectively manage that risk and develop a cybersecurity strategy that aligns with the organization’s risk profile. It’s not a one-size-fits-all approach, but there are steps, like those outlined above, and proven approaches, like implementing a zero-trust architecture, that can help an organization build a solid foundation to fortify its defences against cyber threats.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Related topics:
CybersecurityBusinessForum Institutional
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

3 things CEOs must prepare to unlock the power of generative AI

Patrick Tsang

June 25, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum