finally, for executives and boards of directors, it can be a valuable guide for their fiduciary understanding of a problem that all organizations face and will only grow in import in the future. I am frequently invited to speak to boards of directors about their cybersecurity situations and outlook, and, while I frequently draw upon my own experience and the experiences of our customers around the world in those conversations, I’m thankful to be able now to share the excellent insight and perspective of this book as well.
Preface
Progress for the world economy depends on tens of trillions of dollars in value being created from digitization over the next decade. Institutions are moving from having pockets of automation to using pervasive connectivity, massive analytics, and low-cost scalable technology platforms to achieve fundamentally different levels of customer intimacy, operational agility, and decision-making insight. In banking, this means opening accounts and approving mortgages in minutes rather than days or weeks. In insurance, better underwriting and fairer pricing based on massive analytics. In airlines and hotels, it means more transparency and less hassle for travelers.
When “everything is digital,” private, public, and civil institutions become more dependent on information systems. In such a hyperconnected world, online and mobile capabilities increase these institutions’ vulnerability to attack by sophisticated cyber-criminals, political “hacktivists,” nation-states, and even their own employees. As a result, the success of continued digitization hinges on consumers and companies trusting that financial records, patient data, and intellectual property will remain confidential, valid, and available when required in the face of increasingly determined cyber-attacks.
Protecting institutions from cyber-attacks is therefore critical to continued economic development, which led the World Economic Forum and McKinsey to collaborate to raise the visibility of cybersecurity among C-suite executives at the Forum’s 2014 Annual Meeting in Davos.
We agreed that two outputs would be critical: a fact-based point of view on the broad strategic and economic of implications of cyber- attacks, and a plan for what the full set of players in the cybersecurity ecosystem should do to achieve digital resilience, with a strong focus on how senior executives could address this as a business rather than a technology issue.
Based on interviews, surveys, and working sessions involving executives at several hundred institutions, our research yielded four findings.
First, without dramatic changes both in the way institutions protect themselves and in the external support they receive, the risk of cyber-attack will reduce trust and confidence in the digital economy – reducing the value created by $3 trillion in 2020. To counter this, the world’s institutions will have to achieve a state of digital resilience. Only then will they be able to capture the value of a hyperconnected world despite the risk of operational disruption, intellectual property loss, public embarrassment, and fraud that cyber-attacks create.
Second, although there is a high degree of consensus on the practices required for digital resilience, companies are not putting them in place fast enough. Digital resilience requires companies to integrate cybersecurity deeply within their business processes and information technology (IT) environment. Unfortunately, to date, most companies continue to treat cybersecurity as a control function, which causes increasing friction between the need to protect their valuable information assets and digital processes on the one hand and the need to extract value from technology investments on the other. Even the largest and best-funded institutions design their cybersecurity programs backwards, starting with technology controls rather than business risks, and failing to drive the broader organizational and business process change required.
Third, in order for companies to achieve digital resilience, they will need to improve the collaboration between their cybersecurity team and the business, increase the entire IT organization’s focus on resiliency, and dramatically upgrade the skills and capabilities of the cybersecurity function. Only the CEO and the rest of the senior management team can drive organizational change of this scale.
Finally, although nobody can protect companies from cyber- attacks but themselves, regulators, law enforcement, defense/security agencies, technology vendors, and industry associations will all have important roles to play in creating an ecosystem that enables digital resilience. Although there is much less consensus on how the broader digital ecosystem should evolve than on the actions individual companies should take, increased collaboration across the public, private, and not-for-profit sectors will be critical.
SETTING THE CONTEXT FOR DIGITAL RESILIENCE
Thinking about digital resilience requires an understanding of cyber-attacks and cybersecurity and how they fit into the digital ecosystem.
In an increasingly digitized economy, all the world’s important institutions depend on “information assets,” structured and unstructured information such as customer data, intellectual property, and business plans, as well as on online processes that include everything from customer servicing to vendor payments. Cyber-attacks compromise information assets to further attackers’ personal, economic, political, or national-strategic objectives. While the popular press has focused on a few examples of cyber-attacks, typically theft of intellectual property and credit card information, companies have to take a broader range of potential risks into account (Table P.1).
TABLE P.1 Companies Face a Wide Range of Cybersecurity Risks
Cybersecurity1 is the business function of protecting an institution from the damage caused by cyber-attacks in the face of constraints such as other business objectives, resource limitations, and compliance requirements. It has three facets: risk management, influencing, and delivery.
Cybersecurity is first and foremost a risk management function– there is no way to prevent all cyber-attacks from happening. As one chief information security officer (CISO) puts it, “My job isn’t to reduce risk. My job is to enable the business to take intelligent risks.”
If a company launches a new mobile servicing platform for customers, it is taking a risk – the mobile platform creates a new way for attackers to get at company data. But it is also seeking a return: it hopes the platform will improve revenues per customer. As a risk manager, the CISO helps business leaders make intelligent decisions about the risk of cyber-attack by answering questions such as:
● What are the risks associated with a new mobile platform? Does the business return justify the incremental risks?
● How can the mobile platform be designed to yield the best possible customer experience (and therefore business impact) at the lowest risk of losing data to a cyber-attack?
Cybersecurity is also an influencing function. The decisions CISOs make in tandem with business leaders on the right mix of risk and return lead to far-ranging actions across different parts of the organization: procurement teams have to negotiate security requirements into contracts; managers must limit the distribution of sensitive documents; developers have to design secure applications and write secure code. Cybersecurity necessarily involves a wide variety of stakeholders, some of whom need to be guided by compliance, some by less rigid and more persuasive measures.
Finally, cybersecurity is a delivery function that includes managing both technologies such as firewalls, intrusion detection, malware detection, and identity and access management, and also activities that are focused primarily on protecting information
