“Cyber resilience in an organization must extend beyond the technical IT domain to the domains of people, culture and processes. A company’s protective strategies and practices should apply to everything the company does — to every process on every level, across departments, units and borders — in order to foster an appropriately security-conscious culture.” – Walter Bohmayr and Alexander Türk, The Boston Consulting Group

The World Economic Forum (WEF) is known for its yearly meetings of the global elite held in Davos, Switzerland, as well as its “Global Risks Report,” which is typically released around the same time. Recently, the WEF has taken on a new role on the global scene and is spearheading a global effort to help organizations become more cyber resilient. In January 2017, the WEF released a report entitled “Advancing Cyber-Resilience: Principles and Tools for Boards.”

Getting the Board On Board With Resilience Efforts

Recognizing the key role that business leadership must play to improve cyber resilience, the WEF sought to raise the visibility of this issue to “build a more effective cyber strategy and incorporate it into overall strategic thinking” that encompasses entire systems and industries instead of just leading organizations.

The report noted that while some organizations today have built resilience into their business fabric, being cyber resilient is gaining traction rather slowly among boards of directors. To ensure continued performance, the report explained, organizations must recognize that “resilience as a focus of strategy includes the actions an enterprise takes before, during and after an incident, thereby more fully mitigating potential threats.”

10 Cyber Resilience Principles for Boards of Directors

The report outlines 10 key principles for boards of directors to keep in mind when discussing cyber resilience. The principles are:

  1. Responsibility for cyber resilience is a full-board issue, even if the board delegates primary oversight to a particular committee.
  2. Board members should have a certain level of education on the subject. New board members should be provided with an orientation, and all members should receive regular updates. They should also have access to independent, external experts to seek different opinions or validate management’s assertions.
  3. There should be an accountable officer who is provided with appropriate authority, access and resources to report on how effectively the organization is managing cyber resilience.
  4. The board should ensure that the enterprise risk management approach includes an assessment of cyber risks across the business and a focus on resilience.
  5. The board should conduct yearly reviews to determine whether its risk appetite is consistent with its strategy and seek to quantify the amount of business risk it is willing to tolerate.
  6. Management is accountable for the regular assessment and reporting of cyber risks. The board should then validate the impact of these risks on board strategy using the Board Cyber Risk Framework outlined in the report.
  7. The board should ensure that the cyber resilience officer has the support and resources he or she needs to effectively create, implement, test and refine resilience efforts across the organization. The board should receive regular updates on the organization’s performance.
  8. The board must recognize the communal nature of cyber resilience and support collaboration with other stakeholders in the community.
  9. The board should commission a yearly formal review of the organization’s progress toward resilience.
  10. The board should review its own ability to provide effective oversight of cyber resilience efforts and, when needed, seek an independent assessment of its performance.

A Turning Point

While the concept of cyber resilience is not new, this report marks a turning point of awareness and advises business leaders across the globe to pay attention to one of the key security issues of the decade — and likely many decades to come.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…