Need to align business and cybersecurity, says WEF

Sheila Zabeu -

January 24, 2022

Is the perception of cyberthreats among business executives and security leaders the same? Apparently not, according to the World Economic Forum’s (WEF) recent annual report, The Global Cybersecurity Outlook 2022. One of the study’s findings is that 80% of cybersecurity heads consider ransomware a “danger” or a “threat”. Business executives, on the other hand, think their companies are safe and show signs of ignoring, for example, the fact that the average share price of a hacked company still underperforms the NASDAQ by 3% six months after the event.

Other figures reinforce the difference in vision between the two areas. Some 92% of business executives say that cyber resilience is part of enterprise risk management strategies, but only 55% of cybersecurity leaders agree. Divergences like this, the result of inconsistent priorities and policies, can leave organizations more vulnerable to attack.

According to the survey, almost two-thirds of respondents acknowledge that it is difficult to respond to cyber incidents because of a lack of skills in their teams. Perhaps even more concerning is that it takes an average of 280 days to identify and address a cyberattack. Less than a fifth of cybersecurity leaders are confident that their organizations are cyber resilient. And the top three concerns that keep them awake at night are:

  • They are not consulted during business decisions and find it hard to win support and to get cyber risks prioritized.
  • Recruiting and retaining talent is another major concern. Business executives do not seem to realize that the lack of well-trained teams to combat cyberattacks is one of their key vulnerabilities.
  • Almost nine in ten see small and medium-sized businesses as the weakest link in the chain, and 40% of respondents have been negatively affected by a cybersecurity incident in their ecosystem.
Source: WEF

Proposals to increase resilience

The research highlights that, to develop more effective, business-friendly, and resilient cybersecurity programs, organizations must cultivate a deeper understanding of their own operations, both horizontally (the core business functions that require the most attention and protection) and vertically (the cybersecurity principles and measures needed to address intolerable risks).

To do this, cybersecurity leaders should interact regularly with the different business units and engage them in strategy development. At the same time, their peers in those business units should bring cybersecurity leaders into their own conversations, so that cybersecurity is not bolted on late in a decision. Both groups need to build and maintain good two-way communication.

Furthermore, top management should back cybersecurity leaders not only with sufficient budget but also with a seat in business decisions, aligning the goals of both areas and including, for example, cyber resilience among the organization’s KPIs (key performance indicators).

The study also stresses that innovative solutions must be found to attract more professionals to cybersecurity and so overcome the shortage of skilled labor, which is a real threat to business continuity and to national defense. As a contribution, the WEF’s own Learning Hub offers free cybersecurity training modules, career information, and interviews with experts. The report also highlights the importance of partnerships and of a common platform for working together toward a more resilient ecosystem: over 90% of respondents confirmed the value of partnerships, reporting that they received valuable insights from external groups and/or partners.

And to alleviate justified concerns about supply chain vulnerability (58% of respondents feel their suppliers are less resilient than their own organizations), action is needed on three fronts, according to the WEF:

  • Map the networks completely, including all endpoints;
  • Invest your resources not only in prevention, but also in resilience.

And since even the largest and most resource-rich organizations are not immune to attacks, the order of the day is to invest as much as possible in cyber resilience: the ability not only to anticipate incidents but also to recover quickly from any interruption to operations. As Robert Silvers, Under Secretary for Strategy, Policy, and Plans at the US Department of Homeland Security, puts it: “Companies are not being judged by whether they have been hit by a cyberattack, but by the character of their response.”