Cyber issues are more integrated into enterprise risk management: WEF’s Global Cybersecurity Outlook 2023

The recently published Global Cybersecurity Outlook 2023 report by the World Economic Forum presents the results of this year’s study of cybersecurity and business leaders’ perspectives on leading cyber issues and examines how those issues affect organisations around the world. For the study, the WEF, in collaboration with Accenture, engaged 117 cyber leaders from 32 countries and 22 industries.

More than 39 percent of organisation leaders agree that “cybersecurity is a key business enabler”. Interestingly, when the figure is broken down, 51 percent of business leaders but only 32 percent of security leaders gave an affirmative answer. As the report states, this may suggest that business leaders have leapfrogged security leaders in championing the importance of cybersecurity, or it may reflect a lingering perception gap worthy of further research.

Upholding the integration of cyber resiliency

Maya Bundt, Director, Bâloise Holding; Board member, Swiss Risk Association; and Member of the WEF’s Global Future Council on Cybersecurity, is quoted in the report as saying: “More and more corporate boards now have true cyber experts among their members. It helps when people at the board level are sufficiently cyber-literate to ask pertinent questions of their security teams but also to bring cyber into strategic business discussions. Boards also need to understand what a cyber event means for their organisation. Too many business leaders still underestimate the impact a cyberattack can have on their operations, on their reputation and on their company as a whole.”

The report findings highlight a clear disparity in how business executives and cyber executives describe the integration of cyber resilience into enterprise risk management strategies. At the same time, most business and cyber leaders agree that incorporating cyber-resilience governance into business strategy is one of the most impactful principles for achieving cyber resilience.

The report charts how leaders rated their organisation’s ability to be cyber resilient; the figures below are drawn from that chart.

The data shows not only a shift in leaders’ perception of their priorities but also a shift in the behaviours cyber leaders report. More than half (56 percent) of cyber leaders meet with business leaders monthly, or more frequently, to discuss cyber-focused topics.

Of the organisational leaders who meet at least monthly, 36 percent are confident that their organisation is cyber resilient, and only 8 percent report either that their organisation is not cyber resilient or that they are concerned about its ability to be. This underlines the importance of regular communication in aligning on cybersecurity priorities.

Cyber resiliency across the supply chain

The gap between the capabilities of larger and smaller organisations is a point of concern raised by cybersecurity experts across sectors and regions. Smaller organisations often lack the capacity to respond to incidents and are more likely to be economically paralysed by a major attack. Preparation for cyberattacks on suppliers should therefore be part of cyber-resilience measures and business continuity planning. Leaders from larger organisations (those with more than 1,000 employees) were more likely to report having been negatively affected by a cyber incident originating from their suppliers, service providers or business partners (39 percent of larger organisations) than leaders from smaller organisations with fewer than 1,000 employees (25 percent).

Cyber insurance is one way for organisations to mitigate the damage from cyber incidents. As with supply-chain risk, organisational size was a determining factor in whether an organisation was likely to hold cyber insurance: smaller organisations were far more likely to report having no cyber insurance (48 percent) than larger organisations (16 percent).

Leadership support to maintain optimal cybersecurity

This year’s outlook indicates that a third of all cyber leaders still rank gaining leadership support as the most challenging aspect of managing cyber resilience. A large majority of respondents (94 percent) nevertheless believe that their board of directors has a duty of care with respect to cybersecurity.

Organisational leadership has begun to listen to the concerns of cyber leaders, and the primary challenge for cyber executives is shifting from gaining board support to enabling impactful board action. The difficulties cyber leaders report in communicating with business leadership point to a comprehension gap between security issues and their business impact.

Cyber talent recruitment and retention continues to be a substantial obstacle for all organisations

Last year’s report found that 10 percent of cyber leaders indicated they lacked the critical people and skills needed to deal with a cyberattack, while no business leaders reported that deficit. This year’s report shows that 10 percent of business leaders and 13 percent of cyber leaders feel they have critical gaps in skilled personnel. It was mainly critical infrastructure industries (such as energy utilities and the public sector) that reported a lack of critical people and skills, while technology-intensive industries (such as IT and telecom) reported having the skills they need today.

The scale of the challenge in critical infrastructure, where specialised skills are often needed, is a particular concern. Some 59 percent of business leaders and 64 percent of cyber leaders ranked talent recruitment and retention as a key challenge for managing cyber resilience. The report breaks down the cybersecurity skills gap by industry in a chart that accompanies this section.

Additionally, fewer than half of respondents reported having the people and skills needed today to respond to cyberattacks. The shared understanding of this problem makes it more likely that steps will be taken to address the challenge of creating and retaining cyber talent.

Security leaders and business leaders sometimes have difficulty translating cyber-risk information into mitigating actions in their organisation. Security leaders who reported success in translating risk into mitigation consistently demonstrated a capacity to make technical data comprehensible and relevant to organisational leaders.

The difficulty of translating cyberthreats into operational risk is a barrier to collaboration between security executives and business leaders. Commonplace terms such as “ransomware” can be explained to boards fairly easily, but mapping cybercrime campaigns or threat actors to the targeting of particular assets and resources is complicated. Quantifying and assessing cyber risk has also proven difficult: breach costs are often expressed as “averages”, which may be a poor guide for an individual organisation assessing its own risk.

Many organisations have too many assets on their network to identify the key risk points, or even to map their assets. This makes it difficult to assess where, and how much, money should be spent. Without a way to clearly map risks to value-creating assets or processes, and a plan of action arising from that mapping, it is hard to quantify and justify the resources that should be allocated to mitigating them. The report closes this section with a chart of the risks cyber risk leaders are most concerned about.
