Chapter 2. Findings: Understanding Cyber Risks and Response Readiness:
5. Substantial actions are required from all players in the cyber resilience ecosystem
FIGURE 9: COMBINATION OF EFFORTS WOULD BE MOST USEFUL
But considerable disagreement exists about how such a consensus could take shape. Relationships between private and public institutions are unformed in many cases. Consensus is limited across industries, and across the private and public sectors. Insurance executives indicate that individual companies and institutions may have the strongest impact in fending off cyber risks. Respondents from the high-tech sector and from the largest corporations – those with a market cap of more than US$50 billion – indicate that technology vendors may be in a position to have the strongest impact.
Similarly, the perception of regulation varies widely, depending on sector. Consensus is lacking on which public-sector actions would be most beneficial. Executives worry that broadly agreed regulations can lock in outdated techniques, and that regulators lack the skills and capabilities to provide effective input. Financial-services technology executives say that regulation is actively harmful because it forces a focus on the wrong things. Yet a large proportion of respondents from the healthcare and insurance sectors view regulations as helpful in managing cyber resilience. Healthcare technology executives say regulation is not ideal but remains valuable because it compels senior management to commit attention and resources to security issues. “Institutionally, we can take all the actions we want but the threat will only be reduced when governments and law enforcement agencies are able to take action,” says the CISO of a pharmaceutical company. (See Figure 10.)
FIGURE 10: IMPACT OF CYBER RESILIENCE
Traditional approaches also appear increasingly ineffective. In most cases businesses rely mainly on passive measures, typically addressing issues only after they have arisen. Business partners are not sufficiently involved, and policing and application of cyber resilience lack consistent rigour. Responses are often backward looking, require specialized talent that is costly and hard to find, and rely mostly on technology solutions, even though sophisticated agents often attack the weakest link: customers and employees.
Still, the research finds near universal agreement among CSOs, CTOs and CISOs that a step-change improvement is needed in their own capabilities to protect their businesses from increasingly sophisticated cyber threats, enable productivity and innovation, and maintain a competitive cost position. Says the CISO of a global bank: “You have some at the top and some that are clueless, but the bulk are in the middle and they are behind” (i.e. below the median). Adds the cyber resilience chief of a national law enforcement agency: “Some businesses have really improved their position, but more need to take [cyber resilience] as a business issue overall and really need to improve their resilience.”
Solution building with public and private institutions
- Institutional actions
- International and public policy
Participants outlined specific recommendations within each of the categories, including:
- The need for all institutions to improve their institutional capabilities through an agreed-upon set of next-generation operating model principles
- A need for public-sector organizations to work to harmonize action and policy, both within their institutions and globally
- The importance of a common global language when discussing cyber risks and for collective actions for the public good
- The need to explore potential systemic changes to the way risks are mitigated and accounted for in the global marketplace
These conversations, among others, served as the basis for the framework for collaborative actions.