Cyber attacks, cyber breaches, cyber crime. These are not new problems and they are universally acknowledged to be costly, pervasive, and increasingly sophisticated. Each week new breaches become public, most recently a major incident at a large internet service provider. The best defense against such intrusions is cyber resilience—building in the capabilities to protect yourself and your business from cyber threats, and building in the ability to rebound from attacks, should they happen.
This week, I have the privilege of attending the World Economic Forum’s Annual Meeting in Davos as part of BCG’s engagement with the Forum on Advancing Cyber Resilience. The results of this collaboration have been captured in a report released yesterday, which senior leaders here in Davos are now discussing. In this summary, I will share some of the key insights from our discussions here at the Annual Meeting.
As the share of technology-based value creation has jumped over the past decade, the need for boards and senior executives to give greater attention to the topic of cyber resilience cannot be overstated. In many industries, cyber resilience can be a source of competitive advantage, a factor for valuation in M&A situations, and a key enabler for flexible, interconnected value chains. Because it helps to determine the speed at which organizations can benefit from technology innovation, it impacts value creation. Here in Davos, we discussed key concepts for building cyber resilience and enabling boards and executives to accelerate the process. Action in four critical areas emerged as essential practices to adopt.
1. Anchor responsibility for cyber resilience at the board level.
Cyber resilience cannot be left exclusively to the technology domain. Many breaches today exploit nontechnical vulnerabilities—for example, by tricking users into disclosing their legitimate credentials. Therefore, cyber resilience in an organization must extend beyond the technical IT domain to the domains of people, culture, and processes. A company’s protective strategies and practices should apply to everything the company does—to every process on every level, across departments, units, and borders in order to foster an appropriately security-conscious culture. Ultimate responsibility for cyber resilience rests squarely on the shoulders of boards and senior executives. It is up to them to push this culture change through the layers of their company.
2. Set up a robust line organization for cyber resilience.
In the technology domain, a division of duties and reporting lines within the organization is necessary to separate the IT implementation role (which often falls to the CIO), the IT security role (which usually falls to the CISO), and the risk management role (which tends to be the CRO's responsibility). In many cases, implementing this organizational change requires a board-level push.
3. Have the board regularly engage on cyber resilience.
Defending against cyber crime is a new challenge for many boards. Regularly including the topic of cyber resilience on the board's agenda is especially important in such cases because the board's level of awareness of the issue is relatively low. Boards must devote considerable effort and attention to the task of supervising the transition to a new, cyber-resilient state. To meet this challenge, boards need to increase their knowledge of the topic and their level of comfort in dealing with it.
4. Identify and assess current and future risk patterns.
In addition, boards need tools for understanding, assessing, and quantifying the risk patterns that their organization faces today and may face in the future. A good first step is to identify the organization’s most important informational assets, and to determine the biggest risks to these assets. A second step is to determine how the executive team aims to manage these risks and how much its plan will cost the company. The Forum’s publication includes recommendations, in the form of a Board Cyber Risk Framework, on how to analyze and understand cyber risk at the board level.
Emerging technologies create great changes and great opportunities, but they also expose companies to grave new risks. Examples of disruptive technologies are Big Data, the Internet of Things, and autonomous vehicles. Boards need to understand how disruptive technologies change their cyber risk exposure.