by Michael Rohrs and Andreas Wolf*
Too often, there is an inappropriate level of trust between organizations in the digital ecosystems we depend on. The dynamic is born from institutional aversion to loss, fear of condemnation, fragile confidence, and lack of cyber resilience.
The World Economic Forum’s Global Cybersecurity Outlook 2022 report, developed in collaboration with Accenture, found that:
- Only 19% of cyber leaders feel confident that their organization is cyber resilient
- 58% of respondents feel their partners and suppliers are less resilient than their own organization
- 88% of respondents are concerned about the cyber resilience of Small and Medium-Sized Enterprises (SMEs) in their ecosystem.
It doesn’t have to be this way. If organizations can overcome such self-limiting stigma, each will gain from the collective wisdom and combined capability of its partners. Doing so is a necessary foil for the cascading consequences that occur when fragile, interconnected ecosystems break down, as so many recent events have demonstrated.
Cyber collaboration and shared wisdom
For organizations to move past this protracted mistrust, they must exploit a different kind of critical vulnerability from what cyber professionals are used to—the vulnerability of an organization to be truly seen. They must embrace the willingness to be transparent within their organization and ecosystem about shortcomings in cyber resilience posture. They should set realistic expectations about exposure and provide clear information about the systemic consequences of disruptions. They should be forthcoming about experiences with disruptive events and share lessons learned as a result.
Cyber resilience is what takes over when security prevention measures falter. In the digital economy, the ability to transcend cyber disruption distinguishes market champions. Organizations that turn vulnerability into strength will have the confidence to take healthy risks.
Turning institutional vulnerability into organizational strength is not easy to do. Fortunately, the World Economic Forum’s newly released Cyber Resilience Index Framework, developed in collaboration with Accenture, presents six principles to cultivate a culture of resilience:
- Regularly assess and prioritize cyber risk
- Establish and maintain core security fundamentals
- Incorporate cyber resilience governance into business strategy
- Encourage systemic resilience and ecosystem-wide collaboration
- Ensure design supports cyber resilience
- Cultivate a culture of resilience
Two principles in particular—cultivating a culture of cyber resilience and encouraging systemic resilience and collaboration—have long been undervalued. Both provide organizations with a starting point to turn vulnerability into cyber resilience. The principles are put into practice as follows:
Cultivate a culture of resilience
Employees are empowered to understand and embody cyber resilient behaviours. This principle has the following practices:
- Earn trust through accountability and transparency: Management regularly, clearly, and openly communicates the cyber resilience strategy, practices, operations, successes, and failings. This builds and maintains knowledge, trust, openness, and ownership over organizational success.
- Cyber resilient aware leadership: Leadership has the expertise and power to manage the organization’s cyber resilience according to best practices and is incentivized to advance its expertise as the landscape changes.
- Leadership drives culture: Leadership sets the tone and puts the organizational mechanisms in place to drive a culture of capability and accountability for cyber resilience at every level of the organization.
- Champion employee behaviour: Employees understand the defined cyber resilience objectives, feel responsible for the organization’s cyber resilience, and are empowered to exercise cyber resilient behaviour in their daily interactions without fear of punishment.
- Provide continuous training: Employees are taught cyber resilience concepts and best practices, the importance of cyber resilience, and its role in their daily responsibilities. They continuously exercise these lessons, which evolve with the cyber resilience landscape, and they get prompt feedback on their actions.
Encourage systemic resilience and ecosystem-wide collaboration
The organization understands the interdependencies within its ecosystem, engages with other organizations, and fulfils its role in maintaining the resilience of the entire ecosystem. This principle has the following practices:
- Trust through knowledge, accountability, and transparency: The organization maintains transparency in its practices, operations, successes, and failings with its ecosystem partners and shares best practices to build a more resilient collective.
- Ecosystem-wide collaboration: Management creates a culture of collaboration and sets strategic objectives for knowledge and information sharing. It also identifies, understands, and mitigates cyber risks in the ecosystem, and the organization actively collaborates with industry peers and policymakers.
- Ecosystem-wide cyber resilience capabilities: The organization continuously improves collective cyber resilience capabilities alongside other members of the ecosystem to share knowledge, raise awareness, and boost the overall standards of practice. This increases the collective capabilities of all members of the ecosystem, appropriately balancing innovation, preparedness, protection, response, and recovery.
These principles and practices promote the kind of cyber vulnerability that organizations and ecosystems need. It’s not just about creating a more capable ecosystem, either. It’s about the opportunity to gain a sustainable competitive advantage. The organizations that quickly adopt resilience through confident vulnerability quickly emerge as leaders in their industry and set the standard for their ecosystem.
ISO 31000:2018 emphasises that risk is the “effect of uncertainty on objectives” and that, despite conventional thinking, that effect can be positive as well as negative. Amid the Fourth Industrial Revolution, systemic interdependence creates both the downside costs of cyber risk and a much greater upside value. On both sides, the effect of resilient organizational behaviour on the future is more than the sum of its parts. The organizations that will lead us into the digital future are those that are not only vulnerable enough to admit they can’t do it alone but also confident and savvy enough to realize that it’s better for businesses not even to attempt it.
*Senior Manager, Security, Accenture and Chairman of ISO/IEC JTC 1/SC 27 Information security, cybersecurity & privacy, International Organization for Standardization (ISO)
**First published on www.weforum.org