by Joe Nocera*
One goal, one team.
Effective cybersecurity has become a shared responsibility that demands teamwork and an unwavering commitment to internal and external collaboration.
Today, threat actors are targeting organizations and entire industries with increasingly effective cyberattacks. Cybersecurity failure has become a leading threat, according to the World Economic Forum’s Global Risk Report 2022. Businesses agree: 70% of board directors view cybersecurity as a strategic enterprise risk, according to a survey conducted by the National Association of Corporate Directors (NACD).
The ascendant trajectory of cybercrime shows no sign of decline. In fact, 60% of executives forecast that cybercrime will continue to surge in 2022. In particular, respondents expect more attacks on cloud services, ransomware intrusions, and compromises of critical infrastructure. Threat actors are also exploiting dangerous new software vulnerabilities such as the Log4j flaw, which can enable them to remotely execute code on systems and networks. There is also growing unease that geopolitical conflict will likely result in further cyberattacks on critical infrastructure.
In a report published by the World Economic Forum, PwC, the NACD, and the Internet Security Alliance (ISA), we identified six principles that can support board directors in governing cyber-risks:
- Cybersecurity is a strategic business enabler
- Understand the economic drivers and impact of cyber-risk
- Align cyber-risk management with business needs
- Ensure organizational design supports cybersecurity
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration
In this article, we dive into the sixth principle: encourage systemic resilience and collaboration. Systemic risks require systemic resilience. This requires a decisive dedication to collective effort — and a great deal of individual resilience.
The good news? There are “power moves” you can incorporate to start building resilience in your organization.
Become a cybersecurity team player
Effective cybersecurity comes from the top. The CEO, board, and other senior leaders should champion a cybersecurity culture that fosters collaboration across the company, the industry and with public and private stakeholders.
Creating a culture of security will require everyone’s involvement — the board, C-suite, chief information security officers (CISOs), line of business leaders, and individual employees. You will also need to partner with supply chains, contractors, and other third parties.
Given the complexity and stealth of today’s cyber threats, it is likely that boards will need a bit of cybersecurity tutoring. CISOs may need to step in to help senior executives understand threats, potential business impacts and the specific role each executive can play in keeping the company secure.
Awareness doesn’t stop at the C-suite, however. Cybersecurity education should cascade down to every employee and include training, upskilling, and career advancement opportunities.
Educating the board has become urgent thanks to new regulations requiring cyber disclosures. In the US, for example, the Securities and Exchange Commission (SEC) has proposed rules for disclosing material cyber incidents and practices in cyber governance, strategy, and risk management.
The rules may require public companies to disclose details of the board of directors’ oversight of cybersecurity risk and cybersecurity expertise – if any. Disclosures include the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic. A new law requires entities in critical infrastructures to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA).
How to make the move
- Allocate more time to security discussions in board or subcommittee meetings
- Provide training for board members to become more cyber-savvy
- Use business language to frame discussions of cyberthreats
- Create plans for effective collaboration
- Confirm performance measures for cybersecurity are aligned for all business executives and not just the CISO
Conduct tabletop exercises and update Business Impact Analysis (BIA)
Security training for employees is essential. But resilience calls for more.
Tabletop exercises, which use simulated attacks to illustrate threat response and decision-making processes, can be an effective way for board members to practice the decision-making required in a cyber crisis. Tabletop exercises can prepare business leaders to confidently — and quickly — take appropriate action when real threats are detected. They can illuminate gaps or weaknesses in current response plans.
Similarly, a business impact analysis (BIA) can help organizations develop more targeted and effective strategies for incident response and business continuity. BIAs prioritize business systems, processes, and interdependencies to focus defence, response, and recovery strategies on the issues that matter most to the business.
How to make the move
- Revisit and update the company’s BIA annually or whenever a major business change occurs
- Leverage the BIA to inform Cyber Resiliency Planning
- Conduct tabletop exercises throughout the year at different levels of the organization (technical, business, C-suite and boards) using different threat scenarios
- Consider including critical third parties like outside counsel and law enforcement in some tabletops
Build relationships with info-sharing groups, law enforcement, and government agencies
If cybercriminals share information on attack techniques and tools — and they do — then why shouldn’t you? Sharing intelligence about cyber threats and responses may be critical to staying ahead of cybercriminals. Companies cannot, single-handedly, defend themselves against attacks by powerful hackers.
Critical infrastructure providers, for example, require proactive cooperation and collaboration among governments, cybersecurity groups, industry peers, and organizations to combat geopolitical and nation-state threats.
The practice of cyber-related information-sharing is growing around the world. Today, 84% of global organizations say they participate in public-private information-sharing. Organizations fostering such a culture include the World Economic Forum Centre for Cybersecurity, Interpol, the US CISA, the UK National Cyber Security Centre, and the Open Data Center, where there is global collaboration of over 1,500 governments and organizations.
You should build robust relationships with local, national and global government and law enforcement agencies to promote intelligence sharing. In addition, companies can build ties with nonprofit cybersecurity organizations such as Information Sharing and Analysis Centers (ISACs), some of which offer 24/7 threat warnings, incident reporting capabilities, and networking opportunities.
Sharing requires trust. Organizations are often reluctant to disclose incidents and responses to industry peers and government entities. To create a collective consciousness of cybersecurity, attitudes must change. While private-public collaboration is commonplace — 45% of organizations do so — there is often a reluctance to divulge information about breaches. That mindset must change.
How to make the move
- Use all available resources, including government agencies, to identify potential threats
- Participate in collaborative groups such as the European Union Agency for Network and Information Security (ENISA), Information Systems Security Association (ISSA International), the Cloud Security Alliance, the Internet Security Alliance, and WiCyS Women in Cybersecurity
- Join information-sharing groups such as the Information Security Forum, the Anti-Phishing Working Group, and ISACs
- Critical infrastructure providers can join organizations such as the European Programme for Critical Infrastructure Protection, the Task Force on Critical Infrastructure Protection, and the DHS Cyber Information Sharing and Collaboration Program (CISCP)
- Proactively build relationships with law enforcement and government agencies prior to a breach occurring
Collaborate on collective cybersecurity
In today’s hyper-connected digital world, cybersecurity is no longer the responsibility of a singular organization or single executive.
Cybersecurity is the ultimate team sport and it is crucial for businesses, industries, and governments to unite to defend against global threat actors.
*Cyber and Privacy Innovation Institute Leader, PwC US
**First published in: www.weforum.org