Advancing Cyber Resilience Principles and Tools for Boards by World Economic Forum (WEF)

Future of Digital Economy and Society System Initiative

In collaboration with The Boston Consulting Group and Hewlett Packard Enterprise

Preface

Cyber resilience and cyber risk management are critical challenges for most organizations today. Leaders increasingly recognize that the profound reputational and existential nature of these risks means that responsibility for managing them sits with the board and top-level executive teams.


Many organizations, however, do not feel that they are equipped with the tools to manage cyber risks with the same level of confidence that they manage other risks. Emerging leading practices have not yet become part of the standard set of board competencies.
Beyond individual organizations, cyber risk is a systemic challenge and cyber resilience a public good. Every organization acts as a steward of information they manage on behalf of others. And every organization contributes to the resilience of not just their immediate customers, partners and suppliers but also the overall shared digital environment.
Furthermore, continued technological adoption creates an urgency that cannot be ignored.
In the coming years, several billions of everyday devices will be connected. As our virtual and physical worlds merge, the stakes are increased. This will require two things: 1) a significantly increased number of organizations adopting, sharing and iterating current leading practices; and 2) cross-sectoral collaboration to develop the new practices that will be required to deal with the unique attributes of managing cyber risks of physical assets. The second will be difficult without an informed body of leaders leveraging common tools and language.
For these reasons, as part of the World Economic Forum’s System Initiative on the Digital Economy and Society, the Forum has partnered with The Boston Consulting Group and Hewlett Packard Enterprise to develop an important new resource, Advancing Cyber Resilience: Principles and Tools for Boards. This report, which is the product of an extensive process of co-collaboration and consultation, has distilled leading practice into a framework and set of tools that boards of directors can use to smoothly integrate cyber risk and resilience into business strategy so that their companies can innovate and grow securely and sustainably.
The Forum would like to thank The Boston Consulting Group and Hewlett Packard Enterprise for their leadership, the Expert Working Group for their contributions and all of the board members, chairs and CEOs who helped shape and adjust our efforts as we went along. This was truly a community effort, and we remain in debt for the energy and commitment of each member.
We hope that you will join us in using these tools to help advance our shared cyber resilience.

Rick Samans
Member of the Managing Board

Introduction

Cybersecurity features high on the agenda of leaders across all sectors, with business, governments and individuals rapidly taking advantage of faster, cheaper digital technologies to deliver an unprecedented array of social and economic benefits. The process of digitizing and connecting, however, introduces a range of new challenges.

The World Economic Forum’s work on cybersecurity since 2011, along with global interest in cybersecurity issues, has gone a long way towards ensuring that businesses and leaders are aware of the risks inherent in the hyperconnected world. For this awareness to lead to understanding and action, the Forum has engaged with a diversity of stakeholders to develop new ways to empower oversight boards to ensure that their organizations can thrive in this new era.

Two ideas have served as touchstones of our approach since the beginning of the World Economic Forum’s engagement on the topic of cybersecurity and resilience.
First, leadership has a vital role to play in securing resilience.
Second, that in order to effectively deal with cyber challenges, organizational leaders need a mindset that goes beyond cybersecurity to build a more effective cyber strategy and incorporate it into overall strategic thinking.

Cyber resilience is a leadership issue

Those at the forefront of digital security thinking share the Forum’s view that cyber resilience is more a matter of strategy and culture than tactics.
Being resilient requires those at the highest levels of a company, organization or government to recognize the importance of avoiding and proactively mitigating risks. While it is everyone’s responsibility to cooperate in order to ensure greater cyber resilience, leaders who set the strategy for an organization are ultimately responsible, and have increasingly been held accountable for including cyber resilience in organizational strategy.


For businesses, this means that cyber strategy must be determined at the oversight board level.

Going beyond cyber security

Speaking only about cybersecurity is insufficient if the challenges of digitalization are to be effectively met. Protection is important, but organizations must also develop strategies to ensure durable networks and take advantage of the opportunities that digitalization can bring. While there are many broader definitions of cybersecurity, there is a difference between cybersecurity and the more strategic, long-term thinking cyber resilience should evoke. Additionally, since vulnerability in one area can compromise the entire network, resilience requires a conversation focused on systems rather than individual organizations.

The Forum recognizes that integrating cyber strategy into business or organizational strategy is a significant challenge for any organization. The best way to combat the fear and uncertainty in this space is through tools and partnerships designed to develop understanding, create transparency, and find certainty in order to support much-needed action in this space. In our aim to normalize cyber risk, the Forum endeavours to make these risks as familiar to board members as any of the other risks they deal with on a regular basis.
This document provides the first in a continuing series of tools that leaders have called for in order to support their efforts at integrating cyber resilience into overall business strategy.
