Data breaches are fast becoming a fact of digital life. The WEF offers a way to recover if one happens to hit.
While reading Cisco's 2014 Midyear Security Report, I learned about an organization called World Economic Forum (WEF): an international nonprofit foundation committed to improving the state of the world through public-private cooperation. WEF's global perspective allows them a certain clarity when it comes to defining what constitutes the current cybersecurity landscape:
● Today's cyber defenses are reactionary. Historically, it can be shown that reactive solutions are almost always outdated before they are released.
● The time is fast-approaching when all the world's societies will be dependent on internet connectivity to function. This then makes internet access a vital, yet shared resource similar to water and air.
● Like environmental concerns about water and air, resolving internet issues, especially cybersecurity, will require cooperation among multiple organizations.
With this information in hand, and aware of their mission, the WEF created Partnering for Cyber Resilience — a plan for improving cybersecurity.
The principles of cyber resilience
The WEF uses the term cyber resilience. By definition, resilience is the ability to return to the original form, position, or recover readily from adversity. In order for a company to achieve cyber resilience, a certain company-wide mentality is needed. WEF organized what was required into the following parameters:
● Recognition of interdependence: All parties have a role in fostering a resilient, shared digital space.
● Role of leadership: Encourage executive-level awareness and leadership of cyber-risk management.
● Integrated risk management: Regular risk assessments will inform company leaders of cyber-security status, the company's cyber resilience, and what improvements or changes are needed.
● Extended security chain: Where suitable, encourage suppliers and customers to develop a similar level of awareness and commit to cyber resilience.
Cyber resilience starts inside the company
Ensuring that company management buys into the cybersecurity program is paramount. Without it, to be honest, there is no cybersecurity program. One way WEF suggests to encourage buy-in is to pattern risk-assessment documentation pertaining to cybersecurity in a way similar to documents familiar to company management. The WEF also suggests using business terminology whenever possible.
Once an internal security plan is in place, WEF suggests tracking results using a well-known Carnegie-Mellon business-process improvement model called Capability Maturity Model Integration (CMMI). The following slide shows the steps of maturation with regards to cyber resilience.
The following explanations of each step show how a company progresses from no cyber resilience to a company that is prepared to weather the aftereffects of a cyber attack.
Step 1: Unaware organizations consider cybersecurity irrelevant, there is no cyber-risk management program in place, and no regard for the security posture of companies they are networked with.
Step 2: Due to a breach or education a company starts to understand that being connected to other organizations is a source of risk, there is still little regards for a cyber-risk management program, except for isolating what the company IT department considers important data.
Step 3: At this point, C-level executives are on board with a cyber-risk management program, but do not understand it or consider it a competitive advantage.
Step 4: The company has a working cyber-risk management program and complete ownership by the company's leaders. Management is also cognizant of exploitable weaknesses within the company and those created by interconnections with third parties.
Step 5: At this point, cyber-risk assessment is forefront in every business decision. Company management can convey cyber-risk information within the company and inter-company using business terms that enhance understanding across all departments and between companies.
In an effort to second source what WEF suggests, I asked several CEOs for their opinion. The CEOs who felt conversant about cybersecurity either had an IT manager or third-party consultant who talked in business terms. They admitted it was not always easy. However, by showing interest, the CEOs felt they enabled the company's IT department to explain concepts and problems in an understandable manner.