Cyber security is no longer enough: businesses need cyber resilience
Cyber security is not enough to combat attacks that grow more sophisticated by the day. Businesses need to develop a wider understanding of cyber resilience Image: FLY:D for Unsplash
Listen to the article
- Frauds such as phishing, malware and ransomware attacks pose a threat to entire economies, governments, and our way of life.
- Cyber security focuses on protecting data, but it is no longer sufficient; businesses need cyber resilience.
- To help businesses implement greater cyber resilience a framework is needed to measure it.
Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life.
Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.
Why Cyber resilience over cyber security
Cyber resilience starts with nailing the cyber security basics; at Salesforce, we call it “doing the common uncommonly well.” This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security. But we need to be doing these things continuously, not just once a year.
Beyond that, businesses need to build resilience into every part of the business, from business process mapping to engineering service availability to critical vendor dependency. They need to limit the impact of cybercrime to a company’s brand, finance, legal, and customer trust obligations. While these areas typically receive limited attention, resources, or executive focus, they are significant elements in the case of a real threat.
The aim of cyber resilience is clear enough: to ensure operational and business continuity with minimal impact. But the reality can be harder to pin down, because there’s currently no good way to measure cyber resilience. As leaders, we need to have a certain level of confidence in our ability to respond to an attack, to maintain our customers’ trust, to absorb the financial, legal, and brand impact and get back to business. But there is no widely-accepted cyber resilience framework, no maturity model, and I think there should be.
After all, there are countless other maturity models, which allow businesses to measure capabilities, digital transformation, supply chain, cyber security, and data management to name just a few. What might cyber resilience maturity look like? This is not just about the ability to respond and recover; it's how quickly we recover and what we prioritize.
I am not proposing another checklist or self-assessment methodology. A mature cyber resilience approach should be flexible, adaptable, and continuously improving. I propose we design a framework that describes a set of characteristics that helps a company and its leadership understand what cyber resilience is and how it will be achieved. This framework would describe an approach and attitude towards delivering cyber resilience.
For instance, is your organization committing random acts of resilience? Building a plan only to look at it when an auditor asks? Building call trees when you would be better off using PagerDuty? Real resilience involves a multi-dimensional approach that dynamically responds to threats while keeping your business goals intact.
Measuring cyber resilience might involve:
- identifying your crown jewels and critical capabilities;
- looking at the interconnectedness of your systems and how vulnerable you are to attack;
- adapting more quickly to the broader social and political climate;
- creating partnerships with peers, competitors, and public entities;
- looking at how your team hires and develops skills;
- changing your approach, so you are not only securing the business but enabling the business through security;
- measuring whether you are maintaining a culture of trust and agility; and
- measuring customer trust and transparency.
Every organization will have its unique risks, and no one model can serve as a one-size-fits-all approach to cyber resilience. But this approach can help guide investment decisions, unite stakeholders around a common goal, and usher in the practice of continuous improvement. Most of all, cyber resilience should provide leadership with the confidence that when the worst happens, an organization can still deliver on its commitments.
Challenges in the use of maturity models
An assessment-focused framework based on a numerical score can lead to a box-checking culture. But cyber resilience is not about comparison, and there is no final destination. This measurement framework should scale for industry by focusing on the people, processes, and technology required to ensure entire value chains are resilient.
How is the Forum tackling global cybersecurity challenges?
When the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cyber security was introduced there was a national call to action. Now, society and business is at another turning point. Both public and private organizations are working in entirely new, more digital, more distributed ways, which has further opened the floodgates to cyber risk. The May 2021 Presidential Executive Order states that: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy." It calls for a public-private partnership to make the bold changes necessary to protect hybrid cloud infrastructures.
And like the NIST Framework, it’s important that a new, scalable cyber resilience framework is developed out of just such a partnership, fit for organizations to use across industries. So consider this an open call: can we come together to establish this framework? Can we make cyber resilience a part of business as usual? We need to work together, to make everyone stronger.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Cybersecurity
Related topics:
The Agenda Weekly
A weekly update of the most important issues driving the global agenda
You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.