Four years ago, at the World Economic Forum's elite gathering in Davos, Switzerland, a plea by Alan Marcus and Derek O'Halloran for more research on cybersecurity fell on deaf ears. CEOs were by and large not interested, said Marcus, head of information and communications technology for the World Economic Forum (WEF). A mere four months later, however, with the devastating attack on Sony PlayStation Network, executive attitudes started to change -- and a book was born.
Research by Marcus and O'Halloran, head of information technology and electronics industries at the WEF, shows that businesses are losing ground to cybercriminals -- a course that will prove costly if it isn't corrected. "If attackers continue to increase their advantage over defenders, the result could be a cyberbacklash that decelerates digitization," they wrote in their new book, Beyond Cybersecurity: Protecting Your Digital Business, co-authored by McKinsey & Company's James Kaplan, Tucker Bailey and Chris Rezek. The backlash will amount to a $3 trillion loss in productivity and growth by 2020, according to the authors.
What does "beyond cybersecurity" actually look like? The authors call it "digital resilience," or understanding the risk of cyberattacks, knowing when the return on investment is worth the risk, and having systems that defang cyberattacks so that they don't sink the business or impede innovation.
"To achieve digital resilience, companies need to undergo fundamental, organizational changes, including integrating cybersecurity with business processes and changing how they manage IT," the authors wrote.
The seven pillars of digital resilience
The authors developed a framework of seven pillars, listed below, for how businesses can be digitally resilient. The framework was based, in part, on discussions with 200 executives and experts -- many of them CIOs and CISOs -- on what steps should be taken. The pillars, taken individually, are not particularly new, and most, such as pegging the level of security protection to the value of the asset, will be familiar to information security professionals. However, taken together, they represent an improvement over the standard cybersecurity approaches, according to the authors:
- Prioritize information assets based on business risks.
- Provide differentiated protection for the most important assets.
- Integrate cybersecurity into enterprise-wide risk management and governance processes.
- Enlist frontline personnel to protect the information assets they use.
- Integrate cybersecurity into the technology environment.
- Deploy active defenses to engage attackers.
- Test continuously to improve incident response across business functions.
"These seven things emerged as being the game changers to move a company along in maturity from where [cybersecurity] is in most cases -- as a control function -- to having integrated cyber-risk management across all functions," O'Halloran said.
O'Halloran strongly suggested businesses start with the first step -- identifying which information assets are important and should therefore be given priority status. But, he warned, don't be limited to information assets that are of value to the business users; also consider information assets that could be valuable to potential attackers.
Rating an information asset's importance to the business -- figuring out where it lives or how vulnerable it is -- isn't something the IT department or the security team can do alone. Success "only happens by bringing different functions inside the organization together, agreeing on a common picture of what's at stake, and then agreeing on a common roadmap for how to move forward," O'Halloran said.
But that's easier said than done. For many organizations, part of the difficulty in developing a cybersecurity roadmap lies in the gulfs that exist between the business and IT, and even between the security team and the risk team. The teams are often siloed and don't talk to each other. When they do talk, they each rely on a language that defines their particular world -- securing systems versus defining the cost of a lost asset. "You've got to get people talking the same language," Marcus said. "It's going to happen -- just don't expect it to be simple or easy."
Digital resilience requires resilient leaders
The realization that cybersecurity isn't a torch the CIO or even the CISO alone can carry became apparent early on in the research, said Marcus and O'Halloran -- and in retrospect, should have been obvious from the get-go. When digital technology touches every business process, a cyberattack can happen anywhere -- in the HR department, in procurement or in the supply chain.
"We think the board and the CEO both have a specific and directed leadership opportunity here," said Marcus. "If they stand up and make [cybersecurity] part of everything, that means HR is thinking about security, accounting is thinking about security, manufacturing is thinking about security. … And if everyone is thinking about it, then the CIO's job just got easier."
In order to jump-start an enterprise-wide conversation about accountability for cybersecurity, the authors came up with four principles:
- Recognition of interdependence. "The point here is that thinking in terms of boundaries, securing the perimeter, is wrong," Marcus said.
- Role of responsibility. "This is a threat to the ongoing viability of the enterprise, and so, it's the CEO's responsibility," he said.
- Integrated risk management. Rather than talk security, Marcus encouraged top leaders to talk risk, which pushes the dialogue from a technical point of view to a business point of view.
- Promote uptake. Marcus said organizations should commit these principles to the broader network, including suppliers, partners and customers.
These four principles are a first step in reframing how leaders talk about digital business, they said.