Practical lessons on navigating cyber resilience from leading organizations worldwide

Cyber resilience is a practice and not a theory, acknowledging that no system is entirely secure.
- Achieving cyber resilience is a complex, dynamic and ongoing process that requires more than just a single action or tool.
- Exchanging insights and lessons learned with peers can significantly help organizations to leverage effective practices and strategies.
- A new World Economic Forum report, produced with the University of Oxford, systemizes front-line practices to strengthen cybersecurity resilience within the seven categories of the Cyber Resilience Compass.
As businesses and governments utilize new technologies and data to evolve their processes, they increase their dependency on cybersecurity to protect against more sophisticated and well-resourced cyber risks.
Protecting against all of these risks is impossible. That is why organizations are increasingly adopting a cyber resilience approach.
Cyber resilience is a practice acknowledging that no system is entirely secure. In comparison to previous approaches, the intention is not just to prevent cyber incidents, but to minimize their impact on an organization’s primary goals and objectives.
It encourages entities to operate under the assumption that significant cyber incidents will occur and to implement measures that enable them to absorb, recover and learn from events, while staying attuned to shifting circumstances.
Cyber Resilience Compass to help unlock and sustain growth
To help organizations understand cyber resilience, the World Economic Forum, in collaboration with the University of Oxford, has introduced the Cyber Resilience Compass, a dynamic resource for leaders and organizations to identify front-line practices, share experiences and exchange insights to enhance their cyber resilience.
Developed through collaboration with business leaders at the forefront of cybersecurity, the Compass shares community-driven guidance on what works in practice.
However, the cyber resilience journey differs from organization to organization, as it is shaped by each organization's internal context.
In fact, the specific actions any organization takes to strengthen its cyber resilience will vary depending on the context and will change over time as the business, threat landscape and underlying technologies evolve.
There are, nonetheless, some paths to success that can be illuminated by the collective experiences and insights of peers, as outlined in the recent white paper, The Cyber Resilience Compass: Journeys Towards Resilience.
A tool for enhancing strategic resilience
The Cyber Resilience Compass systemizes front-line practices gathered from cybersecurity experts into seven interrelated categories:
1. Leadership
Leadership refers to setting goals, making decisions and providing direction in relation to cybersecurity. Risk owners and top leaders must work together to strategically assess cyber risks and develop a cross-organizational culture of collaboration and ownership with clear definitions of the business’s priorities, risk tolerance and decision-making structures.
2. Governance, risk and compliance
Governance, risk and compliance concerns mechanisms for managing risk and meeting compliance requirements. Supported by risk mitigation measures, these mechanisms help to strengthen organizational resilience by defining the risk profile, establishing clear chains of command and aligning practices with regulatory and legislative requirements.
3. People and culture
People and culture encompass strategies and practices for building and retaining a workforce, as well as empowering employees and equipping them with the necessary cyber skills and awareness.
Shortages of specialized staff can be mitigated with the adoption of comprehensive strategies for attracting and retaining cyber talent, as well as upskilling existing staff.
4. Business processes
Business processes describe approaches to prioritizing, designing, implementing and adapting functions. By clarifying critical business services and preparing for worst-case incident scenarios, organizations can design processes that effectively embed resilience within company structures.
Furthermore, organizations should ensure that their processes are adaptable to changing priorities and regularly reviewed so that they remain applicable in the evolving operating and risk context.
5. Technical systems
Technical systems refer to approaches to designing, deploying and maintaining IT, operational technology, cloud and cybersecurity tools and controls.
Efforts should be taken to ensure that technical controls and tools are consistently maintained in line with their ability to prevent incidents and enable business goals. Real-time data and advanced analytics should also be used to help identify emerging issues and inform the application of effective technical controls and tools.
6. Crisis management
Crisis management describes all components used to respond to and recover from incidents and other crises that affect an organization's resilience.
From developing clear crisis plans and decision-making protocols, to building crisis response teams and formulating public relations strategies, it is important for organizations to define, practice and review their crisis response frameworks in preparation for incidents that disrupt priority business operations.
7. Ecosystem engagement
Ecosystem engagement describes an organization’s approach to its wider ecosystem, including its supply chain, customers, competitors and regulators. The individual posture of an organization can be heavily dependent on the resilience of the broader ecosystem around it. Consequently, organizations need to consider how to identify and engage with their unique ecosystems to enhance their broader resilience.
Equipping organizations to withstand future challenges
Cyber resilience is an organizational imperative that is essential for success in a world that is increasingly reliant on technology and cybersecurity.
There is no such thing as 100% cybersecurity, but a cyber resilience approach empowers organizations to minimize the impact of incidents and continue to achieve their critical goals.
The Cyber Resilience Compass has been developed using insights from experts on cybersecurity. While there is no one-size-fits-all approach to cyber resilience, it systematizes lessons learned from the front line and enables organizations to learn from others. The Compass strives to become a dynamic tool that serves as a reference for cyber leaders to enhance their cyber resilience strategies.
Spencer Feingold
June 18, 2025