The World Economic Forum (WEF) recently outlined its three principles of cyber resilience, which focus on governance, operating models and business outcomes.
While cyber attacks such as ransomware are steeply increasing, it said, too few businesses focus mitigation efforts on key business activities. Instead, they deploy technologies to fix individual problems with IT systems.
But WEF said this approach was short-sighted. Businesses are more resilient against attack when they protect the underlying business functions that those systems are supposed to protect.
“No company has the resources to fix all cyber issues and not all fixes are equally important,” it said. “It is only by starting to identify activities that are important to a business, and understanding how attacks could disrupt them, that one could start to prioritise the process of risk mitigation.”
“Three principles to help build a cyber resilient organisation” aims to help leaders embed cyber resilience in their businesses.
First, cyber resilience must be governed from the top. Too many leaders who are not technical experts delegate cyber defence because they think it is too complex. That is a mistake, WEF said.
In addition to taking responsibility, a dedicated cyber resilience officer needs to report directly to the board. In fact, boards should focus on which systems support critical activities, rather than approaching the problem through the lens of software vulnerabilities.
Second, leaders need to strike the right balance between defence and bounce-back capabilities. The business’ operating model must be cyber resilient at its core. That means cyber security should be embedded in everything from employee skills to change management programmes.
“It doesn’t have to be an onerous activity, but it is important that business leaders pay attention to the risk they are accepting,” WEF said.
Finally, businesses need to balance the risks between security and technological transformation. Cyber resilience must support these change programmes if the business is to achieve its return on investment in IT.