Published: 25 June 2020

Incentivizing Responsible and Secure Innovation: A framework for entrepreneurs and investors

Technology brings many positive innovations and opportunities but unless it is developed with security in mind, it presents more risks and potential disruption than solutions. This report provides a framework to develop technology in a secure manner, focusing on essential principles such as privacy-by-design and security-by-design.

The great digital shift

The COVID-19 pandemic has underscored the importance of incentivizing cybersecurity in technological development. The security and privacy features in technology are more vital than ever as the majority of public and private communications and operations have shifted to the digital domain. Recent research shows that 93% of executives are willing to pay almost 25% more for more secure devices and technology.

The purpose of this insight report is to provide tools and guidance for entrepreneurs, innovators and investors to enable them to improve security features in new technologies and incorporate cybersecurity features from the get-go. We present here a number of essential cybersecurity requirements to be taken into account when developing new technology, innovation and new companies, to maximize their resilience.

Not so fast

Entrepreneurs have a twofold responsibility: to ensure that their companies and products are digitally secure and that they have a recovery plan ready to activate should hackers succeed. This is all the more important for small and medium-sized enterprises, for which a cybersecurity incident could be fatal or significantly diminish their valuation and attractiveness for investment.

Today there is a serious imbalance between the time to market and the time to security. Market forces push for shiny new products and tech gadgets or applications, but care little about the security embedded in a new technology. The current trend rewards entrepreneurs who develop new products as fast as possible and market them at the earliest availability, disregarding that this creates an enormous attack surface of ever newer products filled with vulnerabilities for cyber criminals to exploit. Were entrepreneurs and innovators encouraged and incentivized to prioritize security features in their product development from the very beginning, a much safer cyber space would be incrementally possible.

Consumer behaviour is changing and consumer concerns about privacy and security are growing, inevitably leading to changes in market forces. Clearly these changes must incite entrepreneurs to understand the importance of cybersecurity when launching new products, innovating and developing new entities. Investors, on the other hand, must have the tools they need to evaluate the state of cyber preparedness of their potential investments.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

  • Strengthening Global Cooperation for Digital Trust and Security - to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.
  • Securing Future Digital Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.
  • Building Skills and Capabilities for the Digital Future - to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

In the building of innovative business models and technology solutions, cybersecurity is essential to protecting data, intellectual property and online transactions, and to ensuring user trust. Digital technologies are introducing new vulnerabilities faster than they can be secured and the prospect of curbing cyberattacks diminishes with each additional unsecured technology. Technologies are at increased risk because cyberattacks could cause more traditional, kinetic impacts as technology is being extended into the physical world, creating a cyber-physical system. Without security, anything connected to the internet, from a vehicle to a medical device, can be hacked and exploited, and presents a threat to an organization.

We should not forget... that entrepreneurs are typically small and medium-sized enterprises (SME) and that SMEs represent about 90% of businesses and more than 50% of employment worldwide. Cyber-related incidents could have a dramatic impact on their survival.

—Martina Cheung, President, S&P Global Market Intelligence

More businesses are understanding that cybersecurity is an enabler of everyday operations and that its significance will only increase in the future. In terms of successful business conditions, cybersecurity is a business management challenge that requires a strategic and unified approach across all business units to ensure its most effective implementation.

4 things to know about cybersecurity

  1. Cybersecurity is an enabler of the everyday operations of most businesses today and its significance will only increase in the future.
  2. It is vital for the founders of and investors in a new business to commit to cybersecurity if they are to succeed in building cyber capabilities and foster a cyber-focused environment.
  3. The successful future of our digital economies depends on integration of cyber essentials from the get-go of technological development.
  4. Cybersecurity must be an ongoing, dynamic process, requiring regular assessment of risk and consideration of what else might be needed to reduce risk to acceptable levels and according to evolving business needs and challenges.

Cyber essentials: how to build security into tech innovation

The cyber essentials developed by the World Economic Forum and its partners consist of core cybersecurity principles and requirements to be applied when developing new companies and innovation. They represent what the Forum’s Centre for Cybersecurity and its partners consider to be the most important requirements that, if implemented, will provide a robust cybersecurity framework encompassing organizational, product and infrastructure security.

The successful future of our digital economies depends on integration of cyber essentials from the very outset of technological development. Incorporating cyber essentials in business processes and corporate culture must be a continuous process, not a once-a-year audit or compliance effort. The commitment to prioritizing cybersecurity rather than considering it as an afterthought must be firmly rooted in and throughout the corporate culture and the product and services development cycle. A detailed cybersecurity programme and strategy does not have an end goal, but rather must be adapted and adjusted on a regular basis.

The cyber essentials proposed in this report were developed by a community of stakeholders involving executives from technology companies, investment firms, credit rating agencies, entrepreneurs, academics and public-policy experts. The proposed cyber essentials are:

  • Organizational security:
    Cybersecurity culture
    Cybersecurity governance
    Cyber resilience
  • Product security:
    Security by design
    Privacy by design
  • Infrastructure security:
    Data governance
    Third party security

Readers of this report will find a detailed description of each cyber essential followed by practical steps for entrepreneurs on their implementation and guidance for investors on how to validate them. It is important to emphasize that cyber essentials need to be tailored to each organization, based on its size, nature and type of product.

A matter of survival

The technology is here to stay and flourish: there are no “digital rollback” plans. Consequently, entrepreneurs and innovators have a responsibility to respect technology as an essential component of daily life and consumers must demand security and safety standards as they do of other essential products and services.

Everyone needs to step up: users and consumers, governments and regulators, corporations and investors. The successful future of our digital economies depends on integration of cybersecurity principles like privacy and security by design from the get-go of technology development.

—Bruce Schneier, Lecturer, Harvard Kennedy School of Government

The cyber essentials focus on improving the security baseline across technology innovation. Over time, implementing the fundamental security and privacy features in technology will reduce the frequency, scale and success of cyberattacks and breaches, resulting in substantially more robust cybersecurity across industries and geographies.

Incorporating cybersecurity in technology from the very start of its development is no longer an option; it underpins the survival and stability of our economic systems, the transparency, sustainability and trust in our communication tools. It is a matter of national and international security.