A few weeks ago, the World Economic Forum (WEF) met in Davos, Switzerland where an expert working group issued a report “Advancing Cyber Resilience: Principles and Tools for Boards.” It is touted as a first-of-its-kind resource to support board of directors and CEOs on cyber security and cyber resilience strategy. The WEF’s principles and tools are designed to help corporate boards and senior management strengthen their organizations’ cyber hygiene and posture. The principles are a response to the increasing threat cyber risks pose to the world economy. Their aim is to provide guidance for managing cyber risks much in the same way that organizations manage enterprise risk.
Let’s consider whether the proposed principles and tools can improve cyber resilience, and which types of enterprises can benefit most from implementing them.
Traditionally, cyber security has been considered the exclusive domain of IT and security operations departments, which were charged with the purchase and deployment of technology to defend against network intrusions. However, the long line of devastating data breaches at Yahoo!, Cisco, Oracle, SWIFT, and dozens of other established, respected brands is changing roles and responsibilities. The responsibility for the safety, security, and integrity of an organization’s network has increasingly shifted to executive management and boards of directors.
Operating in this new environment is not easy. A recent study by the National Association of Corporate Directors (NACD) revealed that over 90% of respondents believe their board’s understanding of cyber security risks still needs to improve. In this context, the WEF report details best practices that boards of directors “can use to smoothly integrate cyber risk and resilience into business strategy so that their companies can innovate and grow securely and sustainably.” The 10 board principles for cyber resilience are supplemented by practical questions board members can use to evaluate their organizations’ cyber hygiene. Furthermore, the document outlines a variety of risk management frameworks that should be considered to manage and minimize an organization’s cyber risk exposure.
The WEF report’s framework and tools represent a good first step toward elevating cyber security and resilience to the C-suite and board level. It provides practical guidance on principles and steps to assist organizations in transitioning from a compliance, check-box mentality to a pro-active, risk-based approach toward enterprise security. Ultimately, establishing a proper oversight program can help companies streamline board reporting, integrate multi-department activities required to mitigate operational cyber risks, and ensure that reasonable security protocols and procedures are in place. Furthermore, it can help all stakeholders gain a better understanding of which assets might be at risk, how to estimate potential losses, and how best to mitigate threats using new security practices, investments, or cyber security insurance.
The WEF report also helps boards propagate cyber risk management over cyber security, an approach which has proven to be very effective for defeating today’s sophisticated cyber adversaries. Only when organizations contextualize internal security intelligence with external threat data, and then correlate the findings with business criticality, are they able to focus on the biggest risks to their business. This helps assure timely orchestration of remediation efforts to decrease the window of opportunity for successful cyber-attacks.
In addition, the WEF report provides some valuable building blocks for implementing better cyber security practices. However, it’s not a silver bullet for preventing cyber-attacks and data breaches, since guidelines and regulations are static, and cannot evolve to detect and mitigate morphing threats. Meanwhile, regulatory compliance moves far too slowly to keep up with cyber-attackers. Guidelines can also expose holes in proposed measures, which attackers can use as a blueprint for their attack strategies.
Ultimately, proper security measures and best practices are just one part of the solution. One of the biggest challenges facing organizations is managing the sheer volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized to even stand a chance of detecting a cyber-attack. The Target breach was a good example. Although the company had best-of-breed technology in place that was able to detect the intrusion early on, the alerts were buried in a sea of data, which prevented the security team from connecting the dots and responding in a timely fashion. In fact, a third-party uncovered the breach, after stolen data was posted on the Internet.
Without data automation, it can take months and even years for humans to perform big security data risk analysis and piece together an actionable security assessment. Organizations should focus on finding ways to use technology to overcome the challenges of examining and extracting relevant threat intelligence from their security feeds so that they respond in a timely manner to the most critical risks to their business. The WEF principles and tools are an important first step in this process.