Why Should Boards Care About Cyberresilience? Because $445 Billion Is at Stake

The World Economic Forum interviewed board members from a variety of multinational corporations and discovered that cyberrisk has made a drastic climb to the top of leaders’ agendas and claims significant board attention today.

Another analysis by the Forum confirms the necessity of this attention, estimating that cyberattacks cost the global economy $445 billion—far more than most countries’ GDP. Experts estimate that cybercrime alone cost the average US company $15 million a year in 2015. And as the threat increases, so too does the sum that businesses stand to lose.

It’s because of this growing risk that many companies are starting to take the concept of cyberresilience—which essentially means the capability to protect oneself against cyberattacks and to recover from them when they occur—very seriously.

To find out more, we spoke with two experts who have been working on the Forum’s Advancing Cyber Resilience Project, Stefan Deutscher of BCG and Christopher Leach of Hewlett Packard Enterprise. Both regularly advise boards of global organizations on their cyberresilience strategy.

You both work with clients on cyberresilience. How relevant is this topic to global organizations?

Stefan: You can’t overestimate the importance of addressing cyberresilience. In today’s world, every organization is or is becoming a technology organization. The digitization of products, production, and value chains is transforming industries and making every organization dependent on highly connected technology. That’s bringing numerous benefits, but it also makes companies increasingly vulnerable.

Christopher: At the same time, attackers are becoming more sophisticated, more resourceful, and better organized. They continually change their tactics. That’s why cyberresilience is so important today. The companies that succeed in the future will be those that have successfully balanced the need to manage risk with the opportunities offered by digital.

Some people say that cyberattacks may slow down the adoption of new technology and therefore stymie economic growth and other societal benefits. Do you see any indication of this in your work?

Christopher: Successful cyberattacks are growing in number and impact. This leaves decision makers with the feeling that cyberrisk is not controllable, which reduces their willingness to introduce new technology.

Stefan: Just think of the economic or societal benefits of telemedicine for an aging population, or those of connected cars. Recent breaches drive uncertainty among leaders about how fast these new technologies can be adopted. Attacks on connected vehicles, for example, and the associated cost of recalls may have implications for the speed of further innovation.

What is the state of cyberresilience in organizations in general?

Stefan: Current cyberresilience capabilities range in maturity. That’s because they are still mainly seen as a cost—not as risk control, not as a strategic opportunity, and not as a source of competitive advantage. In many cases, there is a conflict of interest between resilience requirements and business opportunities. Executives tend to prioritize business opportunities.

Christopher: In many cases, the problem is even simpler: cyberrisk is not fully understood by senior executives and therefore difficult for them to act on.

What will it take to overcome these hurdles and make cyberresilience a strategic priority?

Stefan: We believe it requires a push by an organization’s board to balance the interests of both cyberresilience and the business. And it fits nicely into the board’s supervisory role of business risk in general. Cyberrisk should be considered a regular business risk—an important one, though. Boards are able to establish the right KPIs and anchor cyberresilience in the organization’s incentive system.

Christopher: Boards are in a perfect position to encourage and orchestrate the right dialogue on cyberresilience. They can include all business units in the process and also involve other organizations up and down the value chain. Moreover, it is in their best interest to balance the short-term needs of their business with the long-term strategy required by the shareholders.

Cyberresilience sounds quite technical to many executives and boards. What are boards supposed to do, and are they equipped for this additional responsibility?

Christopher: This is an understandable concern, but let me put it in perspective. There are, indeed, technical and nontechnical aspects to it. The technical ones are important, especially when looking at new technologies such as big data and the Internet of Things, both of which are being increasingly used across industries and society.

But the good news is that from a board’s perspective, the other nontechnical aspects are more relevant. As an example, the chief information security officer is often left out, or engaged too late, in innovation and technology deployments. If cyberresilience is built into the life cycle of any new business initiative, the benefits can far outweigh any perceived “speed” issues.

Stefan: Boards lack a tool set to address these nontechnical aspects of cyberresilience. There is no common language shared by boards and no set of principles advising boards on what to look for—although it is being developed as part of the Forum’s Advancing Cyber Resilience Project. The idea of these principles is that they’ll ensure that the right organizational framework exists and that the board engages in risk discussions with the executive team.

This piece was authored by Daniel Dobrygowski at the World Economic Forum in collaboration with BCG and Hewlett Packard Enterprise. It was originally published on the Forum’s Agenda blog.