Incentivizing Responsible and Secure Innovation: A framework for entrepreneurs and investors

The COVID-19 pandemic has underscored the importance of incentivizing cybersecurity in technological development. The security and privacy features in technology are more vital than ever as the majority of public and private communications and operations have shifted to the digital domain. Recent research shows that 93% of executives are willing to pay almost 25% more for more secure devices and technology.

The purpose of this insight report is to provide tools and guidance for entrepreneurs, innovators and investors to enable them to improve security features in new technologies and incorporate cybersecurity features from the get-go. We present here a number of essential cybersecurity requirements to be taken into account when developing new technology, innovation and new companies, to maximize their resilience.

Entrepreneurs have a twofold responsibility: to ensure that their companies and products are digitally secure and that they have a recovery plan ready to activate should hackers succeed. This is all the more important for small and medium-sized enterprises, to which a cybersecurity incident could be fatal or significantly diminish its valuation and attractiveness for investment.

Today there is aserious imbalance between the time to market and the time to security. Market forces pressure for shiny new products and tech gadgets or applications, they care little about the security embedded in a new technology. The current trend rewards entrepreneurs who develop new products as fast as possible and market them at the earliest availability, disregarding that this creates an enormous attack surface of ever newer products filled with vulnerabilities for cyber criminals to exploit. Were entrepreneurs and innovators encouraged and incentivized to prioritize security features in their product development from the very beginning, a much safer cyber space would be incrementally possible.

Consumer behaviour is changing and consumer concerns about privacy and security are growing, inevitably leading to changes in market forces. Clearly these changes must incite entrepreneurs to understand the importance of cybersecurity when launching new products, innovating and developing new entities. Investors, on the other hand, must have the tools they need to evaluate the state of cyber preparedness of their potential investments.

In the building of innovative business models and technology solutions, cybersecurity is essential to protecting data, intellectual property, online transactions and ensuring user trust. Digital technologies are introducing new vulnerabilities faster than they can be secured and the prospect of curbing cyberattacks diminishes with each additional unsecured technology. Technologies are at increased risk because cyberattacks could cause more traditional, kinetic impacts as technology is being extended into the physical world, creating a cyber-physical system. Without security, anything connected to the internet, from a vehicle to a medical device, can be hacked, exploited and presents a threat to an organization.

More businesses are understanding that cybersecurity is an enabler of the everyday operations and its significance will only increase in the future. In terms of successful business conditions, cybersecurity is a business management challenge that requires a strategic and unified approach across all business units to ensure its most effective implementation.

The cyber essentials developed by the World Economic Forum and its partners consist of core cybersecurity principles and requirements to be applied when developing new companies and innovation. They represent what the Forum’s Centre for Cybersecurity and its partners consider to be the most important requirements that, if implemented, will provide a robust cybersecurity framework encompassing organizational, product and infrastructure security.

The successful future of our digital economies depends on integration of cyber essentials from the very outset of technological development. Incorporating cyber essentials in business processes and corporate culture must be an continuous process, not a once-a-year audit or compliance effort. The commitment to prioritizing cybersecurity rather than considering it as an afterthought must be firmly rooted in and throughout the corporate culture, product and services development cycle. A detailed cybersecurity programme and strategy does not have an end goal, but rather must be adapted and adjusted on regular basis.

The cyber essentials proposed in this report were developed by a community of stakeholders involving executives from technology companies, investment firms, credit rating agencies, entrepreneurs, academics and public-policy experts. The proposed cyber essentials are:

Readers of this report will find a detailed description of each cyber essential followed by practical steps for entrepreneurs on their implementation and guidance for investors on how to validate them. It is important to emphasize that cyber essentials need to be tailored to each organization, based on its size, nature and type of product.

The technology is here to stay and flourish: there are no “digital rollback” plans. Consequently, entrepreneurs and innovators have a responsibility to respect technology as an essential component of daily life and consumers must demand security and safety standards as they do of other essential products and services.

The cyber essentials focus on improving the security baseline across technology innovation. Over time, implementing the fundamental security and privacy features in technology will reduce the frequency, scale and success of cyberattacks and breaches, resulting in substantially more robust cybersecurity across industries and geographies.

Incorporating cybersecurity in technology from the very start of its development is no longer an option; it underpins the survival and stability of our economic systems, the transparency, sustainability and trust in our communication tools. It is a matter of national and international security.