William Dixon, Head of Operations, Centre for Cybersecurity, World Economic Forum
Rebekah Lewis, Project Lead, Governance and Policy, Centre for Cybersecurity, World Economic Forum
Cybersecurity is one of the most strategically important issues facing the world today. Cyber actors continue to pose significant challenges to global business; in the next five years assets worth more than $5 trillion are estimated to be at risk.
Rapid digitalization and the key technology trends of the Fourth Industrial Revolution, the rollout of highly connected networks, artificial intelligence and smart cities have the potential to dramatically accelerate the pace and impact of cyberattacks. To counter these growing threats, the global business community is set to spend over $124 billion on cybersecurity by the end of 2019, a sum comparable with world spending on cancer therapies and care drugs last year. Yet while global cybersecurity spending has skyrocketed, the return on traditional investment has not stemmed the tide of security breaches. Over the past five years, breaches have increased by 67%.
Conventional wisdom suggests that those who spend the most will be the best protected. But shifts in the current landscape indicate that from now on, the key question with respect to building cybersecurity capabilities will be not how much organizations invest but what they invest in.
To date, the cybersecurity industry has placed significant focus on investing in people, processes and technologies aimed at protecting an organization’s assets. Phrases and buzzwords like perimeter defense, crown jewels, defense-in-depth, cyber kill-chain and detect-and-respond invite spending on whatever is necessary to keep attackers out and prize possessions safe.
But an exclusively internally-focused strategy is a losing one. To successfully operate in the new digital future, organizations need to look at cybersecurity within the broader multi-stakeholder environment in which they operate. Business leaders must understand themselves as key players in a dynamic and powerful ecosystem – and successful investment in the cybersecurity of this ecosystem will be the most effective defense.
Shifting understanding of roles and responsibilities
To better understand the true nature of cybersecurity challenges, leaders of organizations need to shift their frame of reference beyond their own perimeter and towards their broader role in the wider connected community, which encompasses partners, suppliers, customers, government entities, competitors and more.
Under current cybersecurity paradigms, an organization’s primary role is as a defender. Its primary responsibilities are to ensure its defenses are strong and avoid the cardinal sins of ‘getting hacked’ or being the ‘weakest link’. In the ecosystem context, a purely defensive stance is insufficient as it reinforces an inherent lack of trust among entities with a de facto shared reliance on, and usage of, the same resources.
Information sharing as a pillar of trust
To build the trust needed for a resilient ecosystem, participants must invest in one of the most potent instruments at their disposal: their ability to share information. Information sharing and analysis centers (ISACs) and related initiatives provide operational platforms for information sharing, with the purpose of protecting specific communities. Similarly, a wide variety of commercial entities have partnered to offer consolidated security solutions based on shared intelligence and capabilities. While these efforts provide the technical and communication pathways for active protection of certain networks, they represent only the beginning of the critical development of trust-based relationships that will provide the foundations of a strong ecosystem.
To move beyond transactional information sharing to an integrated ecosystem, organizations must view information sharing as a strategic asset driven by common values and the intrinsic need to build trust. Cyber-resourcing must focus more on sharing insights, which should be measured not by the volume of information shared but by its quality and by the relationships an organization can draw on. Moreover, companies must prioritise – and devote resources to – determining what, why and when to share. While much of the nascent enterprise architecture exists, leaders must keep moving it towards a new end state. This end state includes information partnerships that are wide, crossing new industries and geographies; deep in technical and operational detail; and increasingly conducted at a digital pace.
Driving continuous collective action is the best defence
Continuous collective action must become the new norm – and robust information-sharing and trust-building are how we can get there. Effective collective action should take many forms, all driven by the shared purpose of securing our digital future. These will include hardening common infrastructure through shared technical expertise; shaping smarter and more effective regulation; and empowering global law enforcement. At a macro level, the full force of this shared investment in cybersecurity will work to shape global ethics and tech governance related to the use and misuse of the capabilities of the Fourth Industrial Revolution.
To begin moving towards this new paradigm, senior leaders can take purposeful steps well within their current scope of influence. Leadership should resource capabilities within their own organizations that will build and enable collective action, including not only technical platforms but also the internal processes necessary to engage external entities. Moreover, leadership has an obligation to brave a potentially uncertain legal landscape by engaging in activities needed to enable collective action, such as the robust sharing of potentially sensitive and proprietary information. Recent laws governing information-sharing are powerful examples of public-private collaboration towards building this desired outcome and of providing formal reassurance, where necessary, to business leaders.
This vital shift in focus from enterprise to ecosystem requires new frameworks for measuring community resilience and collective action that go beyond traditional organizational risk management. Public and private-sector actors need to work together to modify existing frameworks and standards to reflect this new reality. Boards and senior management must incorporate ecosystem-wide thinking into the very foundation of their cyber leadership practices. Organizations’ key performance indicators (KPIs) must measure the effectiveness of relationship-building and management, information-sharing processes, insight generation and collaborative action. These changes are well within the power and capabilities of public and private entities, but what they urgently require is a fundamental and radical change in perspective.