The theft of information assets and the intentional disruption of online processes are among the most important business risks facing major institutions. If companies, governments, and other organizations continue to address this issue in the way that they have, the risk of cyber-attacks could slow the pace of technology innovation, with as much as $3 trillion in lost economic value in 2020.
Companies, with the support of a broader ecosystem, must instead build cybersecurity into their business and information technology (IT) processes in order to achieve digital resilience.
At its heart, this book addresses three questions:
Companies are losing ground to cyber-attackers. Nearly 80 percent of technology executives said that they cannot keep up with attackers’ increasing sophistication and many said they are seeing attack strategies filter down from nation-states to a wide range of criminals and hacktivists, who have much more destructive ambitions.
Although companies are spending tens, and sometimes hundreds of millions of dollars protecting themselves, they lack the facts and processes to make effective decisions about cybersecurity. Of more than 60 institutions whose practices we surveyed in detail, a third had only a “nascent” level of cybersecurity maturity, while the next 60 percent were still “developing.” Very few were “mature” and not a single one was “robust.” Many institutions simply appear to be throwing money at the problem, but larger expenditures have not translated into greater maturity.
The controls required to protect against cyber-attacks are already having a negative impact on business. For example, security concerns are delaying the rollout of more advanced mobile functionality in companies by an average of six months, and are even more dramatically limiting the extent to which companies are using public cloud services. For nearly three quarters of companies, security controls reduce frontline productivity by slowing employees’ ability to share information, and even though direct cybersecurity spend is relatively small, the indirect costs can be substantial: some CIOs told us that security requirements drove as much as 20 to 30 percent of their overall activity.
The cybersecurity environment could evolve in many different ways over the next five to seven years. However, if attackers continue to increase their advantage over defenders, the result could be a cyber-backlash that decelerates digitization. In this scenario, a relatively small number of destructive attacks would reduce trust in the economy, causing governments to impose new regulations and institutions to slow the pace of technology innovation. The world would capture less of the $8 trillion to $18 trillion we predict can be generated by 2020 from technological innovations such as big data and mobility—the ultimate impact could be as much as $3 trillion in lost productivity and growth.
Companies, governments, and society at large must strive for digital resilience in order to realize the full potential value of innovation. This means cybersecurity must move up the corporate and political agenda.
The first section of this book deals with this issue. Chapter 1 demonstrates why concerns about cyber-attacks are already affecting companies’ ability to derive value from technology investments. Chapter 2 lays out the potential scenarios that describe how the cybersecurity environment could evolve over the next five to seven years and explains in more detail why we believe that $3 trillion is at risk.
As recently as seven or eight years ago, cybersecurity was not a priority for many companies. Even large and sophisticated IT organizations spent relatively little protecting themselves from attack and had little insight into the business risks caused by technology vulnerabilities. What protections existed were focused on defending the perimeter of the corporate network, and IT security organizations’ role was to manage tools such as remote access and antivirus software. Managers and frontline employees faced few consequences for violating security policies, and insecure application code and infrastructure configurations were pervasive.
Since then, most technology executives tell us that they have made significant progress in establishing cybersecurity as a control function. There are now true cybersecurity organizations with significant budgets and headed by chief information security officers (CISOs). They have locked down desktops and laptops to prevent end users from unwittingly introducing vulnerabilities into the environment; they have introduced architecture standards; and they review processes to identify and remediate security flaws in new applications.
Establishing cybersecurity as a control function was a necessary step that dramatically reduced risk for a great many institutions, but it is less and less tenable as the threat of cyber-attacks continues to rise (Figure E.1). It places the responsibility for security primarily with the cybersecurity team. It is backward-looking and tries to protect against yesterday’s attacks. It depends on manual interventions and checks and double checks, and has limited scalability. It seeks to inspect security in, just as old-school manufacturing processes futilely sought to inspect quality in. Most importantly, it increases the tension between cybersecurity and the innovation and flexibility craved by the business.
To achieve digital resilience, companies need to undergo fundamental organizational changes, including integrating cybersecurity with business processes and changing how they manage IT. Specifically, there are seven hallmarks of digital resilience:
There are three important points about this list:
The seven levers are discussed in Chapters 3 through 7. Chapter 3 looks at how to prioritize business risks and put in place different levels of protection for the most important information assets. Chapter 4 provides a perspective on how to incorporate cybersecurity considerations into business decision making and how frontline users can help protect information assets. Chapter 5 shows how cybersecurity must be built into the broader IT environment. Chapter 6 describes integrating intelligence, analytics, and operations into active defenses that can respond quickly to emerging threats. Chapter 7 covers the use of war gaming to build incident response skills across business functions.
Cybersecurity has several characteristics that make it tough for large, complicated institutions to address in an integrated way. Cybersecurity is pervasive—it touches just about every business process, which means that many cybersecurity decisions have a far-reaching market and strategic impact, requiring senior management engagement. Conversely, getting the right level of senior engagement is also tough: the language is arcane, cybersecurity teams often lack the skills to interact with senior executives, and few tools exist to quantify cybersecurity risk or mitigation.
Too many companies put programs in place that avoid these inherent challenges rather than address them. They conduct mechanistic assessments that may not unearth the real issues. They fail to consider the full range of risk reduction mechanisms. They approach the task of achieving digital resilience as a technology program focused on compensating controls rather than as a business strategy and operations program with significant technology implications. Perhaps worst of all, they neglect to engage senior business leaders effectively.
An effective cybersecurity program that will make rapid and sustained progress toward digital resilience must be designed from the start around three principles:
This implies an ambitious agenda, and companies may be inclined to walk before they run. Unfortunately, attackers will not patiently wait for cautious companies to improve their cybersecurity capabilities in this incremental manner—companies must act in a proactive and determined fashion now.
While companies must upgrade their own capabilities, technology executives told us that individual institutions could not be left to fend for themselves and that governments, private institutions, and civil society should work together to build a resilient digital ecosystem.
There was a wide range of views about the value and feasibility of the specific actions governments could take, but a set of potential aspirations did emerge. Countries should create national cybersecurity strategies that have clear lines of accountability among public-sector agencies and provide support and assistance to the public and civil sectors. Law enforcement, prosecutorial, and judicial functions should increase their familiarity with and expertise in cybersecurity issues so that they can better combat cyber-crime. Finally, countries should prioritize cybersecurity issues in bilateral exchanges in order to create transparency into motivations, constraints, and objectives for actions in this field.
Equally critically, industry associations and voluntary groups will have to enable companies to share intelligence, disseminate best practices, align on how to address challenging issues, and eventually create shared utilities to provide important cybersecurity functions.
At the same time, financial institutions and insurance companies could support progress by creating markets for pricing the risk of cyber-attacks.
The final two chapters of the book discuss how leaders can advance the cause of digital resilience. Chapter 8 describes how companies can design and launch a cybersecurity program that will sustain progress. Chapter 9 addresses the role played by the broader set of players in the digital ecosystem—including regulators, vendors, and others—in facilitating the path to digital resilience.
● ● ●
Sustaining the pace of innovation and growth in the global economy in the face of determined cyber-attacks will require dramatic change. Companies must make the transition from managing cybersecurity as a control function to implementing the practices required to protect information assets into their business processes and their entire IT environment. In addition, regulators, technology vendors, and law enforcement must collaborate with companies to create an ecosystem that facilitates digital resilience. Changes of this scale and complexity cannot be achieved without the active engagement and participation of the most senior business leaders and policymakers.