
Future of Digital Economy and Society System Initiative

Advancing Cyber Resilience: Principles and Tools for Boards

In collaboration with The Boston Consulting Group and Hewlett Packard Enterprise
January 2017

Contents

Preface 3
1. Introduction 4
2. How to Use These Tools 6
2.1 Board Governance and Cyber Resilience 6
2.2 Using the Principles and Tools 7
3. Cyber Resilience Principles and Tools for Boards 8
3.1 Board Principles for Cyber Resilience 8
3.2 Cyber Principle Toolkits 9
3.3 Board Cyber Risk Framework 15
3.4 Board Insights on Emerging Technology Risks 24
4. The Future of Cyber Resilience 28
Appendix 1: Cyber Resilience Tools at a Glance 29
Appendix 2: Terms and Definitions 31
Appendix 3: Principles and Toolkits in Practice 32
Appendix 4: Future of Cyber Resilience – Risk Benchmarking for Boards 33
Acknowledgements 34

World Economic Forum 2017 – All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.
REF 110117

Preface

Cyber resilience and cyber risk management are critical challenges for most organizations today. Leaders increasingly recognize that the profound reputational and existential nature of these risks means that responsibility for managing them sits with the board and top-level executive teams.

Many organizations, however, do not feel that they are equipped with the tools to manage cyber risks with the same level of confidence with which they manage other risks. Emerging leading practices have not yet become part of the standard set of board competencies.

Beyond individual organizations, cyber risk is a systemic challenge and cyber resilience a public good. Every organization acts as a steward of information it manages on behalf of others. And every organization contributes to the resilience not just of its immediate customers, partners and suppliers but also of the overall shared digital environment.

Furthermore, continued technological adoption creates an urgency that cannot be ignored. In the coming years, several billion everyday devices will be connected. As our virtual and physical worlds merge, the stakes rise. This will require two things: 1) a significantly larger number of organizations adopting, sharing and iterating current leading practices; and 2) cross-sectoral collaboration to develop the new practices that will be required to deal with the unique attributes of managing the cyber risks of physical assets. The second will be difficult without an informed body of leaders leveraging common tools and language.

For these reasons, as part of the World Economic Forum's System Initiative on the Digital Economy and Society, the Forum has partnered with The Boston Consulting Group and Hewlett Packard Enterprise to develop an important new resource, Advancing Cyber Resilience: Principles and Tools for Boards. This report, the product of an extensive process of collaboration and consultation, distils leading practice into a framework and set of tools that boards of directors can use to integrate cyber risk and resilience smoothly into business strategy so that their companies can innovate and grow securely and sustainably.

The Forum would like to thank The Boston Consulting Group and Hewlett Packard Enterprise for their leadership, the Expert Working Group for their contributions and all of the board members, chairs and CEOs who helped shape and adjust our efforts as we went along. This was truly a community effort, and we remain in debt for the energy and commitment of each member.

We hope that you will join us in using these tools to help advance our shared cyber resilience.

Rick Samans
Member of the Managing Board

1. Introduction

Cybersecurity features high on the agenda of leaders across all sectors, with business, governments and individuals rapidly taking advantage of faster, cheaper digital technologies to deliver an unprecedented array of social and economic benefits. The process of digitizing and connecting, however, introduces a range of new challenges. The World Economic Forum's work on cybersecurity since 2011 [1], along with global interest in cybersecurity issues, has gone a long way towards ensuring that businesses and leaders are aware of the risks inherent in the hyperconnected world. For this awareness to lead to understanding and action, the Forum has engaged with a diversity of stakeholders to develop new ways to empower oversight boards to ensure that their organizations can thrive in this new era.

Two ideas have served as touchstones of our approach since the beginning of the World Economic Forum's engagement on the topic of cybersecurity and resilience. First, leadership has a vital role to play in securing resilience [2]. Second, in order to deal effectively with cyber challenges, organizational leaders need a mindset that goes beyond cybersecurity to build a more effective cyber strategy and incorporate it into overall strategic thinking.

Cyber resilience is a leadership issue

Those at the forefront of digital security thinking share the Forum's view that cyber resilience is more a matter of strategy and culture than of tactics [3]. Being resilient requires those at the highest levels of a company, organization or government to recognize the importance of avoiding and proactively mitigating risks. While it is everyone's responsibility to cooperate in order to ensure greater cyber resilience, leaders who set the strategy for an organization are ultimately responsible, and have increasingly been held accountable for including cyber resilience in organizational strategy [4]. For businesses, this means that cyber strategy must be determined at the oversight board level.

Going beyond cybersecurity

Speaking only about cybersecurity is insufficient if the challenges of digitalization are to be met effectively. Protection is important, but organizations must also develop strategies to ensure durable networks and take advantage of the opportunities that digitalization can bring. While there are many broader definitions of cybersecurity [5], there is a difference between cybersecurity and the more strategic, long-term thinking that cyber resilience should evoke. Additionally, since a vulnerability in one area can compromise the entire network, resilience requires a conversation focused on systems rather than on individual organizations [6].

The Forum recognizes that integrating cyber strategy into business or organizational strategy is a significant challenge for any organization. The best way to combat the fear and uncertainty in this space is through tools and partnerships designed to develop understanding, create transparency and find certainty in order to support much-needed action. In our aim to normalize cyber risk, the Forum endeavours to make these risks as familiar to board members as any of the other risks they deal with on a regular basis.

This document provides the first in a continuing series of tools that leaders have called for in order to support their efforts at integrating cyber resilience into overall business strategy.

The challenge of cyber resilience

Countering cyber risk presents a significant strategic challenge to leaders across industries and sectors, but one that they must surmount in order to take advantage of the opportunities presented by the vast advances in networked technology that are currently in their early stages. Over the past decade, we have significantly expanded our understanding of how to build secure and resilient digital networks and connected devices. However, board-level capabilities for strategic thinking and governance in this area have failed to keep pace with both the technological risks and the solutions that new innovations provide.

We have recognized a clear desire on the part of forward-thinking and visionary leaders to improve capabilities in this important aspect of strategy and governance. As recent events and predictions for the future show, now is the time to fill capability gaps with regard to cybersecurity and resilience at the highest level of any organization. The rapid pace of innovation and network connectivity will only increase in the coming years, making board-level action on this topic absolutely urgent. In the next few years, billions of new devices will connect to the internet as well as to corporate and government networks. These networked devices bring with them new risks to the enterprise and, more importantly, to networked systems that affect millions of lives.

The systemic nature of these threats requires a different set of responses from policy-makers and business leaders. It is no longer sufficient to subject network security to a trial-and-error or low-oversight approach, as has generally been the default for many organizations.

Consider a well-publicized cyber-attack that occurred just as this report was being drafted. In the early morning of 21 October 2016, Dyn, a company that acts as a kind of switchboard operator for the internet as part of the Domain Name System (DNS), reported that many websites were inaccessible. Over the course of the day, users were unable to reach some of the most popular sites on the internet, including nytimes.com and Twitter. The reason for the outage was that Dyn's servers were undergoing a massive Distributed Denial of Service (DDoS) attack, that is, an attack that floods a service with more traffic or connection requests than it can handle, rendering it inaccessible to legitimate users, instigated by actors who had taken control of thousands of internet-enabled devices, including webcams and DVRs [7]. The affected sites were not themselves attacked; they became unreachable because the DNS provider that translated their names into addresses could no longer answer queries.

Attackers in the Dyn DDoS attack took advantage of strategic choices that a variety of companies had made. On the hardware side, manufacturers adopted a speed-to-market strategy rather than a security-by-design strategy, releasing a significant number of vulnerable devices that attackers could co-opt for DDoS attacks. Companies running websites made the strategic decision to concentrate their name resolution on a single DNS provider, or on one or a few DNS servers, rather than spreading the load across several, which has implications for a site's resilience [8]. Considering practices across industries, it is likely that these decisions were made by default at a junior management level rather than after a thorough examination of their security and resilience implications at the senior management or board level.

If strategic guidance for decisions like the ones above is not set at the governance level, then an enterprise cannot ensure its own cybersecurity or resilience. Rather than implementing post hoc solutions to problems after they occur, boards and leaders must rapidly develop known capabilities to provide a sound baseline for surmounting the challenges ahead.

The tools included in this report are meant to help strategic decision-makers at the board of director and CEO levels to guide the security resources within their own organizations effectively, so as to pursue the enterprise's goals effectively and resiliently and to ensure accountability for cybersecurity and resilience throughout the organization. These tools further recognize that resilience as a focus of strategy includes the actions an enterprise takes before, during and after an incident, thereby more fully mitigating potential threats [9].
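The second strategic choice described above, depending on a single DNS provider, is one a board can ask management to measure rather than take on trust. The following is an added example for this page, not code from the report or from the Forum, BCG or HPE: it takes the nameservers a zone delegates to (the output of a plain `dig NS` lookup), groups them by provider using a hostname heuristic that is an assumption of the example, and flags zones whose resolution would fail with a single provider outage or that rely only on the organization's own in-bailiwick servers. The sample delegations are constructed, not measurements of real zones.

```python
"""Check whether a zone's authoritative DNS depends on a single provider.

Added example for this page (not WEF/BCG/HPE material). Input is the list of
NS hostnames a zone delegates to, as returned by `dig NS <zone>`; the sample
delegations at the bottom are constructed, not real measurements.
"""
import re
from collections import defaultdict

# Assumption: a short, hand-picked set of second-level public suffixes so that
# 'awsdns-45.co.uk' is split the same way as 'awsdns-90.org'. A real tool
# would use the Public Suffix List instead.
_SECOND_LEVEL_SUFFIXES = {"co", "com", "net", "org", "ac", "gov", "edu"}


def provider_key(hostname: str) -> str:
    """Reduce a nameserver hostname to a provider key (heuristic, an assumption).

    Takes the registrable label and strips digits and trailing hyphens, so the
    numbered hosts one provider hands out collapse to a single key:
      ns1.p20.dynect.net            -> dynect
      ns-123.awsdns-45.co.uk        -> awsdns
      ns-cloud-a1.googledomains.com -> googledomains
    """
    labels = hostname.rstrip(".").lower().split(".")
    idx = -3 if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL_SUFFIXES else -2
    return re.sub(r"\d", "", labels[idx]).rstrip("-")


def assess_dns_redundancy(zone: str, ns_hosts, min_providers: int = 2) -> dict:
    """Group NS hosts by provider and report single points of failure."""
    by_provider = defaultdict(list)
    for host in ns_hosts:
        by_provider[provider_key(host)].append(host)
    providers = dict(sorted(by_provider.items()))
    findings = []

    if not ns_hosts:
        findings.append("no NS records: the zone cannot be resolved at all")
    elif len(ns_hosts) < 2:
        findings.append("only one nameserver delegated")

    # The Dyn failure mode: many nameservers, but all operated by one provider.
    if ns_hosts and len(providers) < min_providers:
        findings.append(
            f"{len(ns_hosts)} nameservers but only {len(providers)} provider(s) "
            f"({', '.join(providers)}); an outage there takes the zone offline"
        )
    # All nameservers inside the zone itself: resolution depends entirely on
    # the organization's own infrastructure surviving the incident.
    if ns_hosts and set(providers) == {provider_key(zone)}:
        findings.append("all nameservers are in-bailiwick; no external provider")

    return {
        "zone": zone,
        "providers": providers,
        "provider_count": len(providers),
        "findings": findings,
        "resilient": not findings,
    }


# Constructed sample delegations (not real zones or real lookups).
SAMPLE_DELEGATIONS = {
    "news.example": ["ns1.p20.dynect.net", "ns2.p20.dynect.net",
                     "ns3.p20.dynect.net", "ns4.p20.dynect.net"],
    "shop.example": ["ns1.p20.dynect.net", "ns2.p20.dynect.net",
                     "ns-123.awsdns-45.co.uk", "ns-678.awsdns-90.org"],
    "intranet.example": ["ns1.intranet.example", "ns2.intranet.example"],
}

if __name__ == "__main__":
    for zone, hosts in SAMPLE_DELEGATIONS.items():
        report = assess_dns_redundancy(zone, hosts)
        status = "OK" if report["resilient"] else "AT RISK"
        print(f"{zone}: {status}; providers={list(report['providers'])}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Run against a real estate, the zone list comes from the organization's domain inventory and the NS hosts from a resolver; the report then gives the board a countable answer to "how many of our customer-facing domains would go dark if our DNS provider did?" rather than a qualitative assurance. Four nameservers from one provider, as in the first sample, look redundant on paper and were exactly the pattern that failed in October 2016.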

2. How to Use These Tools

2.1 Board Governance and Cyber Resilience

The tools offered by the World Economic Forum are aimed at strategy and governance rather than at tactics or standards and management. Boards have a vital governance function, determining overall company behaviour and setting a company's risk appetite. For boards, action means effectively exercising oversight by asking managers the right questions to ensure that the board's strategic objectives are met [10]. This function is no different in the area of cyber resilience [11]. By offering the following principles and tools, the Forum hopes to facilitate useful dialogue between boards and the managers they entrust with the operation of the companies to which they owe their fiduciary obligations.

Demand for board-level cyber resilience tools

Because of the seemingly novel challenges that cybersecurity and cyber resilience present to organizations, there has been great demand for tools for leaders, especially senior executives and board members, in this area. The lack of a conceptual framework for boards of directors, especially, has been well noted in business scholarship [12] and by the World Economic Forum's own Community of Chairmen.

The Forum's Advancing Cyber Resilience project examined the gaps in cyber resilience tools by conducting a series of interviews with members of boards of directors from leading companies across several industries and continents. The results reveal that boards of directors consistently and increasingly see themselves as responsible for the overall cyber resilience of their companies. Board members, especially, are seeking tools to help them fulfil what they see as their fiduciary responsibilities relating to cyber resilience. According to the results, 84% of board members surveyed agreed that better cyber resilience tools and guidelines are needed to support their oversight work [13].

(Photo: A brainstorming session on board principles with the World Economic Forum Working Group on Cyber Resilience)

2.2 Using the Principles and Tools

The tools developed by the Forum are meant to help guide board action with regard to cyber resilience. This report contains three distinct yet interrelated documents, all tied to the Board Principles for Cyber Resilience: the Cyber Principle Toolkits, the Board Cyber Risk Framework and the Board Insights on Emerging Technology Risks. It is recommended that board members and senior executives review the Board Principles for Cyber Resilience first in order to set governance expectations around cyber resilience. Boards should then use the Cyber Principle Toolkits to engage with management on the topic and validate management's responses, as appropriate, with the Board Cyber Risk Framework and/or the Board Insights on Emerging Technology Risks.

Board Principles for Cyber Resilience – While supervisory boards have developed a high awareness of cyber risk in recent years, they lack a common set of principles on how to act and how to push cyber resilience in their organizations. This framework of 10 principles is meant to enable board action and to aid boards in recognizing their vital role.

Cyber Principle Toolkits – Each of the 10 Board Principles for Cyber Resilience is supported by a set of questions developed to foster constructive dialogue between the board and senior management on the topic of cyber resilience. These questions will aid the board in exercising its oversight role.

Board Cyber Risk Framework – Board Principle number six suggests that boards review their organization's cyber risks on a regular basis and ensure that they are integrated into the review of other business risks. This Board Cyber Risk Framework contributes to the overall cybersecurity programme by providing the informational basis required to prioritize risk management actions within the programme.

Board Insights on Emerging Technology Risks – This document lays out guidelines and insights applicable to any organization dealing with business model shifts due to innovations related to the inevitable change in technology and risk. These insights and guidelines are meant to facilitate discussions between board-level stakeholders and executive teams, and to help boards develop a strategy for evaluating new technologies.

3. Cyber Resilience Principles and Tools for Boards

3.1 Board Principles for Cyber Resilience

Principle 1: Responsibility for cyber resilience. The board as a whole takes ultimate responsibility for oversight of cyber risk and resilience. The board may delegate primary oversight activity to an existing committee (e.g. risk committee) or a new committee (e.g. cyber resilience committee).

Principle 2: Command of the subject. Board members receive cyber resilience orientation upon joining the board and are regularly updated on recent threats and trends, with advice and assistance from independent external experts being available as requested.

Principle 3: Accountable officer. The board ensures that one corporate officer is accountable for reporting on the organization's capability to manage cyber resilience and progress in implementing cyber resilience goals. The board ensures that this officer has regular board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties.

Principle 4: Integration of cyber resilience. The board ensures that management integrates cyber resilience and cyber risk assessment into overall business strategy and into enterprise-wide risk management, as well as budgeting and resource allocation.

Principle 5: Risk appetite. The board annually defines and quantifies business risk tolerance relative to cyber resilience and ensures that this is consistent with corporate strategy and risk appetite. The board is advised on both current and future risk exposure as well as regulatory requirements and industry/societal benchmarks for risk appetite.

Principle 6: Risk assessment and reporting. The board holds management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item during board meetings. It validates these assessments with its own strategic risk assessment using the Board Cyber Risk Framework.

Principle 7: Resilience plans. The board ensures that management supports the officer accountable for cyber resilience through the creation, implementation, testing and ongoing improvement of cyber resilience plans, which are appropriately harmonized across the business. It requires the officer in charge to monitor performance and to report regularly to the board.

Principle 8: Community. The board encourages management to collaborate with other stakeholders, as relevant and appropriate, in order to ensure systemic cyber resilience.

Principle 9: Review. The board ensures that a formal, independent cyber resilience review of the organization is carried out annually.

Principle 10: Effectiveness. The board periodically reviews its own performance in the implementation of these principles or seeks independent advice for continuous improvement.

3.2 Cyber Principle Toolkits

Each of the Board Principles for Cyber Resilience below is accompanied by questions that allow for stringent self-assessment by the board and by examples aimed at facilitating discussion with executive teams. This toolkit has been developed to allow board members to exercise their oversight responsibilities better.

Principle 1: Responsibility for cyber resilience

The board as a whole takes ultimate responsibility for oversight of cyber risk and resilience. The board may delegate primary oversight activity to an existing committee (e.g. audit committee or risk committee) or a new committee (e.g. cyber resilience committee).

The board should discuss its scope and responsibilities and the manner in which those responsibilities should be performed, including the structure and process for reviewing the management of cyber resilience. The board should determine whether it should take on cyber resilience responsibilities as a whole, or whether oversight through an existing or new committee is preferable.

Questions for the board

1. Determine whether the board should retain primary responsibility or designate a committee.
–– Is the board able to devote the time to discuss cyber resilience matters consistently, or do time constraints only permit periodic updates?
–– Does the board prefer to have discussions with management with respect to cyber resilience more frequently than at regularly scheduled board meetings?
–– Does the company's industry warrant special attention to cyber resilience matters, and do industry practices or peer companies suggest the use of specific governance structures? Does a regulatory or other oversight body or obligation currently exist?
–– Would having a designated committee of specialized or interested members be beneficial to the review of the company's cybersecurity/resilience strategy and the review of its management?

2. If primary oversight by a committee is preferable, determine whether an existing committee or a new committee is appropriate and identify its responsibilities.
–– Does an existing committee have the capacity to manage the increase in workload necessary to oversee cyber resilience effectively?
–– Are there guidelines applicable to the committee and its primary responsibilities (consider formalizing them through terms of reference or by adding to existing terms of reference)?
–– What performance measures are necessary for the committee to assist the board in its evaluation of the performance and benefits of the committee?
–– Can you identify individual board members who are qualified to become members of the committee?

3. Evaluate whether existing board members have the requisite skills and experience to oversee cyber resilience effectively and whether knowledge gaps warrant recruiting new members to the board.
–– What criteria for skills and attributes would be helpful for understanding cyber resilience?
–– How can the board include knowledge of emerging cyber resilience best practices, trends and regulations as criteria for evaluating future board members?

Principle 2: Command of the subject

Board members receive cyber resilience orientation on joining the board and are regularly updated on recent threats and trends, with advice and assistance from independent external experts being available as requested.

Questions for the board

1. Board members should have a good understanding of cyber resilience and should be provided with cyber resilience orientation when they first join the board. Board members need a good level of general understanding of cybersecurity in order to understand and challenge the organization's specific approach.
–– Do new board members receive general cyber resilience orientation? (This should include general training in the subject matter so that members have a foundational understanding of it and of their oversight responsibilities over it.)
–– Are regular updates on general cyber resilience given? (The board should receive periodic training, e.g. annually, on cyber resilience, and additional briefings when significant industry-specific threats or risks are identified, so that members have a good command of the subject matter. This regular/annual update may be accomplished by leveraging the enterprise's current awareness programme.)

2. Board members should receive orientation on the organization's cyber resilience and technology risk stance.
–– Are new board members given organization-specific cyber resilience orientation? (New board members should be brought up to speed on the organization's current approach to cyber resilience.)
–– Are board members provided with regular updates on the organization's cyber resilience, risk exposure and risk stance? (Board members should receive updates as the risk stance or the threat environment changes.)

3. External experts should provide independent assessment of the organization's cyber resilience approach and benchmark the organization's capabilities.
–– Does the board sanction independent third-party assessments? (The board should be able to sanction third-party assessments and benchmark the organization's capabilities and maturity in order to gauge the organization's overall risk exposure and its risk reduction strategy and plans.)
–– Does the board have advice from outside experts on cyber resilience? (Board members should request expert insight on the subject matter so that independent third-party perspectives are highlighted.)

Principle 3: Accountable officer

The board ensures that one corporate officer is accountable for reporting on the organization's capability to manage cyber resilience and progress in implementing cyber resilience goals. The board ensures that this officer has regular board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties.

Questions for the board

1. Roles and responsibilities should be clearly defined.
–– Is there a clearly assigned corporate officer in charge of cyber resilience? (The accountable officer should be clearly identified by management and accepted by the board; the accountable officer should have a strong command of the subject matter, and should have direct access to the CEO and board when needed.)
–– Does the accountable officer have sufficient independence from IT to provide oversight reporting on overall matters of technology and cyber risk? (Cyber resilience is a component of both business and technology risk. As such, the accountable officer should have a direct reporting relationship with business and IT leadership and the board. This ensures that risks are reported in a timely and appropriate manner, and that the cyber resilience and risk management strategies are aligned with, and in support of, the business strategy and direction.)
–– Is there a need for multiple lines of review and audit? (Should there be other means of oversight of the organization's cyber risk, such as internal audit, external audit, etc.?)

2. The accountable officer should have sufficient authority and influence.
–– To whom does the accountable officer in charge of cyber risk management report? What is the seniority of this officer? (Most organizations have identified cyber risk as one of their top risks. Because priorities may differ between the IT department's objective of running IT cheaply and cyber risk management's objective of increasing technology spending to manage risk more effectively, many organizations have established an accountable officer who has sufficient separation from IT, can act independently of IT, but works collaboratively with IT to address the risk.)
–– Are there clear communication and escalation pathways, processes and thresholds for resolution of conflict? (The accountable officer needs to have the capability to communicate and escalate to business leadership in matters that compromise the organization's cyber resilience.)
–– Does the accountable officer have sufficient authority to drive a business and IT culture that builds suitable controls into the business and IT processes?
–– Who makes decisions on the sourcing of cyber resilience activities/resources? (Business leadership should have oversight over cyber resilience activities and resources. The accountable officer should have direct line authority to execute. This ensures alignment between business goals and cyber resilience.)

3. The accountable officer should have sufficient resources.
–– What percentage of the annual operating expenditure is spent on cyber resilience and how does this compare with industry norms? (Industries vary in the amount of operating expenditure dedicated to cyber resilience.)
–– Is there a dedicated cyber resilience budget and who owns it? (Cyber resilience should be considered as part of the overall risk profile of the organization. As such, cyber resilience budgets should be under the direct control of the accountable officer, with final authority from executive leadership, i.e. the CEO, in order to address the organization's risk exposure and not compete with other support functions.)
–– Are there other budgets contributing to cyber resilience, such as for IT or risk? (The challenge of having cyber resilience budgets spread across various departments is that competing priorities may reprioritize such budgets, and the true cost of cyber resilience may not be obtainable.)
–– Are metrics regularly benchmarked against peers within the organization's own industry and beyond it? Such metrics might include:
   –– The percentage of the organization's annual revenue that is spent on cyber resilience
   –– The size of the cyber resilience team (e.g. number of cyber resilience full-time equivalents (FTE) per 1,000 employees or per 1,000 IT employees)
   –– The % growth in the cyber resilience budget/resources over the past three years
   –– The planned % growth in the cyber resilience budget/resources for the next three years
   –– Maturity of control operations

Principle 4: Integration of cyber resilience

The board ensures that management integrates cyber resilience and cyber risk assessment into overall business strategy and into enterprise-wide risk management, as well as budgeting and resource allocation.

Questions for the board

1. Are cyber risks and cyber resilience evaluated by management using the same risk framework as other risks?

2. How does the organization govern cyber risks?
–– Is there a senior management-led risk committee that evaluates cyber risk?
–– Is there a board-level risk committee that evaluates risks across the organization, including IT risk, cyber and third-party risk?
–– Is cyber risk a standing agenda item for board meetings, with briefings from the chief information security officer (CISO)?

3. How involved is the board in reviewing and approving enterprise resilience strategy and associated risks?
–– Does the board review the organization's strategic plan annually? As part of this plan, does the board also approve the operating budget for cybersecurity and key cybersecurity strategic priorities?
–– Is the board briefed periodically on how the organization is meeting its business strategy, including around key cybersecurity priorities?

4. Is cyber resilience awareness incorporated at all levels and operational elements across the enterprise?
–– How are resources allocated to make this possible?

5. Has the board reviewed the cyber resilience strategy, including whether key cybersecurity-related risks have been adequately assessed, prioritized and mitigated, and whether the board or committee has evaluated the organization's cyber insurance coverage?

Principle 5: Risk appetite

The board annually defines and quantifies business risk tolerance relative to cyber resilience and ensures that this is consistent with corporate strategy and risk appetite. The board is
