tipvevoceraro

Only 17% of global organizations are considered cyber resilience “leaders”: The case studies and suc



The study, written in collaboration with Accenture, revealed there is a wide perception gap between business executives and security leaders on the issue of cybersecurity. For example, 92% of businesses believe cyber-resilience is integrated into their enterprise risk-management strategies, compared to just 55% of cyber leaders.


The report, compiled from various sources, including a survey of global cyber leaders, also looked at the surging ransomware threat. Four in five (80%) cyber leaders said they considered this vector a dangerous and evolving threat to public safety, while 50% indicated ransomware is one of their greatest concerns.




Only 17% of global organizations are considered cyber resilience “leaders”



The growth of our global digital footprint has ensured that cybersecurity will remain a priority for business leaders for years to come. As a result, cybersecurity governance will continue to be a matter of importance for boards of directors. As we are seeing when boards consider environmental, social and governance (ESG) factors, [1] companies that manage the entire portfolio of risks, including cyber, do better in the marketplace.


As a result of a rapidly changing cyber-threat landscape and proliferating regulations, it has become clear that boards, especially, need stronger foundations to govern cyber risks effectively. This report details the work of the leading organizations in this field, the World Economic Forum, the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA), along with our global partners and our project adviser, PwC; in it we share our consensus-based, principled approach to delivering successful cyber-risk governance at board level.


There is a need for a cohesive, global, cross-border approach to cyber-risk governance. We therefore convened a group of cybersecurity and functional experts, including senior security, legal and risk officers, business leaders and industry experts, to explore methodologies for boards of directors to follow in improving the cyber-risk position of their organizations regardless of location or industry. These practices and approaches were further validated by members of the boards of some of the most advanced companies in the world. The work that follows represents the collaborative efforts of that group to shape the principles and supporting practices for boards of directors. Their adoption will strengthen cybersecurity and resilience across organizations and environments.


Cyberthreats are persistent, strategic enterprise risks for all organizations regardless of the industry in which they operate. Effective organizational cybersecurity directly contributes to both value preservation and new opportunities to create value for the enterprise and larger society. Navigating this risk requires a culture of cybersecurity with leadership commitment to, and modelling of, good cybersecurity decision-making.


Many business initiatives that drive profitability can also increase cyber risk. In order for organizations to make effective business decisions, risk determinations should focus on the financial impact to the organization, including trade-offs between digital transformation and cyber risk. By using scenario planning, leaders in the organization can consider potential gains and losses relative to other business priorities and obligations. Leaders should also measure cyber risk (empirically and economically) against strategic objectives, regulatory and statutory requirements, business outcomes and cost of acceptance, mitigation or transfer.


37% of organizations strongly agree that quantifying risks leads to better management of cyber risks against the spend; chief executive officers are more likely to strongly agree. However, only 17% of organizations say they are realizing the benefits from better quantification of cyber risk. [12]


In a survey of more than 400 global companies, conducted by PwC in Q4 2020, 44% of board member respondents stated that their organizations have made significant progress over the past three years in improving employee experiences with the cyber function.


The highly interconnected nature of modern organizations means we run the risk of failures that spread beyond one enterprise to affect entire industries, sectors and economies. It is no longer sufficient just to ensure the cybersecurity of your own enterprise; rather, cyber resilience demands that organizations work in concert. Recognizing that only collective action and partnership can meet the systemic cyber-risk challenge effectively, senior strategic leaders must encourage collaboration across their industry and with public and private stakeholders to ensure that each entity supports the overall resilience of the interconnected whole.


Recently, Accenture surveyed over 4,600 enterprise security practitioners in global organizations with revenues of more than $1 billion. The report by Accenture Security revealed that just 17% of organizations are performing as leaders in the space. Nearly 85% of respondents believe that companies need to think beyond securing their enterprises and take further steps to secure their vendor ecosystems.


Mitigating some of that risk with cyber insurance sounds like a wise choice, but what does it actually cover? Many organizations have discovered the hard way that insurance is no substitute for a strong resilience profile.


Digital transformation ups the stakes of any cyber event. That is raising the pressure on IT leaders to step up security, but increasing security is not enough to ensure resilience. Cybersecurity by its nature is focused on defending against specific threats and vulnerabilities, points out Larry Ponemon, founder of the Ponemon Institute, a technology research firm. Resilience, on the other hand, requires a more holistic and strategic view: What could go wrong, and how would your organization deal with it?


In many cases, these perception gaps exist between those who should be responsible when something goes wrong and those who actually bear the costs when it does. Wherever there are gaps in responsibility, resilience is at risk. To cover the blind spots and perception gaps in cyber resilience, organizations must develop a clear understanding of who is responsible for what in all the gray areas of their data and technology.


The global survey of 1,500 organizations details the current state of cyber risk perceptions and risk management, building on a related survey conducted in 2017. The report highlights the gap between concern about the risk and the actual approach taken to mitigate cyber threats.


For many organizations, strategic cyber risk management remains a challenge, the report indicated. For example, while nearly two-thirds (65%) of organizations surveyed identified a senior executive or the board as a main owner of cyber risk management, only 17% of C-suite executives and board members said they spent more than a few days in the past year focusing on the issue. More than half, 51%, spent several hours or less.


Most people are not very familiar with the concept of artificial intelligence (AI). As an illustration, when 1,500 senior business leaders in the United States in 2017 were asked about AI, only 17 percent said they were familiar with it.1 A number of them were not sure what it was or how it would affect their particular companies. They understood there was considerable potential for altering business processes, but were not clear how AI could be deployed within their own organizations.


To address these trends, the report offers five steps that organizations can put in place: 1) Securing all users, devices, and network traffic consistently with the same degree of effectiveness, regardless of where they are based; 2) Being transparent in giving users access to what they need when they need it; 3) Employing adaptive security that creates confidence, such as using the cloud or expanding access to more remote users; 4) Simplifying managed services and automating where it makes sense; 5) Engaging with business leaders to plan, prepare and practice for greater cybersecurity resilience, backed by the right resources and investments.


As companies navigate challenges brought about by accelerated digital transformation, opportunistic phishing campaigns, discontinuity of information security operations, and financial constraints, it is critical for organizations to put necessary measures in place to gain greater cyber resilience for a more flexible and secure future post-pandemic.


Findings reveal that most organizations continue to increase their spending on cybersecurity, with more than 90% of respondents saying they expect higher budgets this year. With mounting cyber threats demanding a more robust response, 87% say that they require up to 50% more funding. However, only 12% expect to receive an increase of more than 25% this year.


Respondents to the WEF survey who reported successful changes in their cybersecurity strategy cited organizational structures that supported interaction among cyber leaders, business leaders across functions and boards of directors toward collaboration on digital resilience across business activities.


"It is imperative that states are aware of this threat and ensure that they are prepared. This can be by expanding deterrence capabilities or developing a global cyber policy. Without effective strategies to prevent them, the potential threat of cyber subversion will only increase."


Last year, we called on organizations to employ a workforce development approach that considers both the dynamic nature of jobs and the equally dynamic potential of workers to reinvent themselves. Even before COVID-19, it was clear that workforce development approaches that focused too narrowly on skills would not help organizations, workers, and leaders build the resilience required to navigate perpetual change. Then, organizations were faced with a pandemic that accentuated the scale of the impact disruption can have on organizations and the workforce. During the COVID-19 crisis, organizations did not have time to rewrite job descriptions or meticulously map skills requirements; they were forced to make real-time decisions and to redeploy workers to the areas where they were needed the most, and where they had the capabilities, interest, and passion to contribute. In short, 2020 has helped us understand the importance of worker potential and choice.

