6 principles to unite business in the fight against cybercrime

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Friso van der Oord, Senior Vice President, Content, NACD & Larry Clinton, President and Chief Executive Officer, Internet Security Alliance (ISA) & Joe Nocera, Cyber and Privacy Innovation Institute Leader, PwC & Daniel Dobrygowski, Head of Governance and Trust, World Economic Forum


• The COVID-19 pandemic has opened more opportunities for cyberattacks.

• Not enough board members understand the threat to their business.

• The World Economic Forum, PwC, NACD and ISA are partnering to define key principles of good cybersecurity governance .

In 2020, malevolent actors took advantage of the pandemic. The rush to digital-first arrangements at work and in schools, the urgency of vaccine research and increased cloud adoption opened opportunities for criminals to mount more profitable ransomware, phishing and other attacks. In order to effectively move forward into a future where digital connectivity supports most business functions, leaders will need to build their company strategy around cyber-risks.

The surge in cybersecurity attacks in 2020 has made boards and CEOs more acutely aware of the risks of inadequately secure technology. Indeed, in the World Economic Forum’s COVID-19 Risks Outlook, increases in cyberattacks were among the top three most worrisome risks to leaders around the world. As long as businesses pursue digital growth strategies, cybersecurity is a perennial concern; cybercriminals never sleep – and neither can board or corporate chiefs.

Today, few board members fully understand the risks to their organization’s cybersecurity, according to the recent PwC Annual Corporate Directors Survey. While 66% of board directors believe a cyber breach reflects negatively on themselves personally, and 82% believe expertise in cyber-risk is important to the board, very few board members claim to understand their company’s level of exposure to such threats.

Cybersecurity ranks highly among modern business risks
Cybersecurity ranks highly among modern business risks Image: World Economic Forum

Ignorance is not bliss. This inability to effectively assess cyber-risk throughout the enterprise may turn out to be the most dangerous weakness of all — one that malicious actors can exploit to the fullest extent – and which is not easily addressed. What exactly is the board’s role in addressing such risks, and how should they oversee their corporate teams’ efforts to manage them better?

Principles and questions

The first step in resolving the board’s role in overseeing cyber-risk is to establish the principles to guide directors’ behaviours and choices. When leading businesses adapt common principles into practices, the practices can, in turn, become widely accepted standards that the business community expects. The ripple effect can be transformative.

Drawing on our experience and knowledge of what works and what has truly made a difference, the World Economic Forum (the Forum), National Association of Corporate Directors (NACD), Internet Security Alliance (ISA), and PwC, in consultation with partner organizations and experts, have joined forces to offer the following set of consensus principles for organizational leaders’ and board members’ use. Ask these questions about your current practices to help you turn each principle into actions that can improve governance of cyber-risks.

The principles are the result of years of consultation with board members, security practitioners, academics and government entities from around the world. As such, they aim to constitute a de facto standard of practice for corporate boards seeking to fulfill their fiduciary role in overseeing cyber-risk.

In-depth handbooks that adapt these principles and provide real-world examples from our partners will be available as part of the full publication.

1. Cybersecurity is a strategic business enabler

Cybersecurity is more than just an IT issue

Strong, effective cybersecurity adds value to the business. Controlling cyber-risk means coordinating and collaborating with business units throughout the enterprise, including the CEO and the board. This ensures the entire enterprise, not just the IT department, is addressing cyber-risk. Further, organizations must instill a culture of cybersecurity by modelling good cyber decision-making:

• Are all executives – the entire C-suite – required to consider the cybersecurity implications of their activities?

• Has your organization discussed how to use cybersecurity as a market differentiator and business driver?

2. Align cyber-risk management with business needs

Boards should understand and assess how cyber-risks are effectively managed to pursue business objectives

By focusing on how cyber-risks impact their business and how to deal with them (by accepting, transferring, avoiding, or mitigating them), organizations can build a security profile that meets the needs of the business. Strategic leadership means ensuring that cyber-risk management conforms to business objectives with every decision, in mergers and acquisitions, digitizing the business, innovation and all other areas.

• Who is the “owner” of cyber-risk in your organization? The business or the security function?

• Are all business units required to report on key cyber-risks and response strategies?

• Is cyber-risk considered in all significant business decisions, such as launching a new product or publishing an app?

3. Understand the economic impact of cyber-risk

Enterprise decision-making requires analysis of the economic impact of cybersecurity choices

For effective business decisions, organizational risk assessments should weigh the costs of cybersecurity against strategic objectives, regulatory and statutory requirements, business outcomes, and the costs associated managing that risk. More than half (55%) of 3,249 business and tech/security executives lack confidence that cyber spending is aligned to the most significant risks, according to PwC’s Global Digital Trust Insights 2021.

Executives remain unconvinced that cybersecurity budgets are currently well-deployed
Executives remain unconvinced that cybersecurity budgets are currently well-deployed Image: PwC

• Does your organization apply a consistent framework for calculating the economic impact and likelihood of cybersecurity events?

• Do business decisions consider the costs of compromise on cybersecurity?

• Has your organization set its cyber-risk appetite in the context of the company’s realistic vulnerabilities and strategic goals?

4. Ensure organizational design supports cybersecurity

Organizational structure should support security and strategic goals

Organizations should design an internal governance structure that addresses cybersecurity throughout the enterprise. Clearly define who’s accountable for critical actions and design cybersecurity practices into how the business operates and makes decisions.

• When was the last time you reviewed your organizational structure to ensure that the cybersecurity function is adequately represented throughout the business?

• Which officer has authority and accountability for coordinating cyber-risk strategy throughout the organization? Are they in a senior enough position?

5. Incorporate cybersecurity expertise into board governance

Boards need diverse sources of cybersecurity expertise

In 2020, 28% of S&P 500 companies reported that a member of the board of directors was a cybersecurity expert, up from 23% in 2019 and 7% in 2013. To provide proper oversight of the enterprise’s cybersecurity program, the board needs to understand common risks, challenges, and failures. To educate themselves, directors may consult industry and other guidance, board peers and third parties, and internal resources.

• Does your board have the right relationships inside and outside the organization to build their security knowledge?

• How many, if any, board members have cyber expertise?

• How often do you get input from third-party experts and assessors, who report to the board, to ensure effective oversight of management?

6. Foster systemic resilience and collaboration

Boards can take the lead in improving the cyber-resilience of industries and sectors

It takes a virtual village to fight cybercrime. Recent events have taught us that even the best cybersecurity-focused companies can be compromised by a sophisticated actor. Knowing that it is a matter of when, not if, attackers will be successful, it is important to be ready to respond and limit the damage of any attack. Security breaches may affect an entire sector and working with peers and even competitors can be crucial for systemic, industry-wide resilience. Stress-testing resilience plans is one of the lasting lessons from the pandemic. Risk leaders in the US say that in 2021, stress-testing will become more frequent and commonplace, both internally and externally. Boards can set the tone at the top for how inter-organizational relationships should look and set the expectation of management for cyber-risk collaboration.

Frequent stress-testing will be necessary to ensure the cyber-resilience of different business sectors
Frequent stress-testing will be necessary to ensure the cyber-resilience of different business sectors Image: PwC

• How well do you collaborate with peers, including other board members, to raise the baseline cybersecurity of the industry as a whole?

• Does your organization interact with its public-sector counterparties to understand the resilience issues facing the industry?

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority. World Economic Forum | Centre for Cybersecurity

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

Equipped with the right strategy, one that understands the centrality of cyber-risk to doing business in the 21st century, boards will be able to be more effective leaders in the future. By following these principles, the NACD, ISA and the Forum agree that boards will begin the journey that leads to more cyber-resilient and innovative companies.

the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Tools of asset development: Renewable Energy Projects case

How the massive plan to deliver the COVID-19 vaccine could make history – and leverage blockchain like never before

President von der Leyen’s State of the Union Address: charting the course out of the coronavirus crisis and into the future

Why capital markets have no more reservetions about Eurozone

OECD tells Eurozone to prepare its banks for a tsunami coming from developing countries

China in my eyes

Voice tech and the question of trust

My twin from Guangzhou

Business is a crucial partner in solving the mental health challenge

One third of poorer countries face both undernutrition and obesity: WHO report

Eurozone in trouble after Nicosia’s ‘no’

New energy security framework will help meet growing needs in East Africa, sustainably – UN economic wing

A shortened EU Summit admits failures, makes risky promises

Excise duties: Commission welcomes agreement on rules governing alcohol

COVID-19 lessons learnt: boosting EU civil protection

These are the countries best prepared for the fight against cancer

UN chief welcomes Taliban’s temporary truce announcement, encourages all parties to embrace ‘Afghan-owned peace’

Businesses are thriving, societies are not. Time for urgent change

GSMA Mobile 360 Series – MENA in Dubai, in Association with The European Sting

Korea should adapt its migration programmes to ensure continued success in the face of expected challenges

World must do more to tackle ‘shadowy’ mercenary activities undermining stability in Africa, says UN chief

Risks rising in corporate debt market

Military Medicine and its Relationship with Antibiotic Therapy

LGBTQI+ and medicine: are we prepared to deliver dignified and non-discriminatory health care?

ICC Appeals Chamber acquits former Congolese Vice President Bemba from war crimes charges

New labour laws in Qatar benefiting migrant workers a ‘momentous step forward’: ILO

Drinking water: new plans to improve tap water quality and cut plastic litter

Commission tries to solidify the EU statistical system

COP21 Breaking News_03 December: Argentina Accepts KP Amendment

On eve of Gaza border protest anniversary, UN’s top humanitarian official for Palestine calls for calm

What matters most to young Europeans?

Parliament pushes for cleaner cars on EU roads by 2030

How drones can help rural Africa take flight

Art has the power to change the world, says this renowned Iranian muralist

Spending on health increase faster than rest of global economy, UN health agency says

nCoV: An Emerging Respiratory Infection

What cybersecurity professionals can learn from triathletes

Russia accepts what the EU has to offer and settles to negotiate with Ukraine

New Erasmus: more opportunities for disadvantaged youth

GSMA Mobile 360 – MENA Dubai on 26-27 November 2019, in association with The European Sting

Businesses are lacking moral leadership, according to employees

Antitrust: Commission imposes interim measures on Broadcom in TV and modem chipset markets

Japan’s population is shrinking by a quarter of a million people every year

This robot boat delivered a box of oysters in a breakthrough for unmanned shipping

Key elements of the EU-China Comprehensive Agreement on Investment

“A global threat lies ahead worsened after the EU’s green light to the Bayer-Monsanto merger”, a Sting Exclusive by the President of Slow Food

Car-free day – and the other 364 days of the year

The global liberal order is in trouble – can it be salvaged, or will it be replaced?

The JADE Spring Conference 2017 is casting its shadows before

Entrepreneurship in a newly shaped Europe: what is the survival kit for a young Catalan and British entrepreneur in 2018?

Draghi tells the EU Parliament his relaxed policies are here to stay

3 charts to help you understand the American shale boom

Where do health literacy and health policy meet?

How listening to patients could change the way we tackle cancer

How the diaspora is helping Venezuela’s migration crisis

Car emissions: MEPs set end on gap between lab and real driving emission tests

New El Salvador law, a victory for forced displacement victims: UN refugee agency

4 ways the way we make things can change for a sustainable world

Millennials (and Gen X) – Here are the steps you should take to secure your financial future

Trump systematically upsets global order and trade: Where does this end?

More Stings?

Advertising

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s