threat intelligence and conducting forensic analysis.
Naturally, cybersecurity as a business function is not the same as cybersecurity as an organization. A company may decide to consolidate all or most risk management, influencing, and delivery activities into a single cybersecurity group or distribute them among several organizations.
Although institutions must protect themselves, they do so in the context of a broader digital ecosystem (Figure P.1), which includes:
● Business customers. Given the need to connect corporate networks to ease collaboration, business customers are a source of risk and vulnerability for many companies. Attackers may use a customer’s IT environment as a way into a supplier’s network. Equally, business customers worry about how their suppliers protect data. Both situations can create stringent security expectations and requirements for many companies.
● Retail customers. Consumers are not yet as sensitized to the risk of cyber-attacks as businesses, but their expectations about how companies should protect their data are starting to influence their buying decisions.
● Business suppliers. Suppliers such as law firms, accounting firms, banks, and business process outsourcing providers will handle a company’s most sensitive data at some point. In addition, like business customers, suppliers can provide an entry point for attackers, given the interconnection of corporate networks.
● Technology suppliers. Vendors are a source of both risk and risk remediation. Any technology a company buys may have security flaws that create vulnerabilities attackers can exploit. However, technology vendors also offer products and services that enable companies to reduce risk by eliminating vulnerabilities, analyzing cyber-attacks, and otherwise protecting their corporate technology environments.
● Government agencies. The public sector – in the form of different types of agencies or ministries in each jurisdiction – plays multiple roles that affect the cybersecurity environment. It investigates attacks and prosecutes attackers. It regulates private companies, sometimes requiring specific protections or retaining the right to approve a company’s cybersecurity strategy. It may also adjust civil law, provide subsidies, perform research, share intelligence, disseminate know-how, or provide capabilities with the objective of reducing the economic damage from cyber-attacks.
● Civil society groups. There is a huge range of civil society groups that participate in the digital ecosystem, from industry associations to standards-setting bodies and advocacy groups.
● Insurers. Cyber-insurance is in its early days, but even today carriers can enable companies to transfer some risks related to cyber-attacks in return for cash premiums.
FIGURE P.1 Companies Face a Wide Range of Cybersecurity Risks
Senior executives sometimes ask chief information officers (CIOs) and CISOs when cybersecurity will be solved – when the risk of cyber- attack will go away and they can stop worrying about it. Sometimes they draw an analogy with commercial aviation. At the dawn of the jet age, there were some horrifying crashes. Now, while airlines continue to pay obsessive attention to safety, the cab ride to the airport is typically the most dangerous part of air travel.
Indeed, driving may be a better analogy for cybersecurity. A vastly wider group of people undertakes a vastly wider set of activities using a vastly wider range of vehicles than is the case with commercial aviation. As a society, we could choose to reduce automotive fatalities to almost zero by increasing the driving age to 30 and reducing the speed limit to 25 miles per hour, but that would have a devastating impact on the value of personal transportation.
Or take financial risk. A banking CEO would never ask when she can stop worrying about market and credit risk. She understands that her institution is in the business of accepting these risks in exchange for economic returns. Therefore, her business depends on understanding market, credit, and other risks and managing them appropriately in the context of potential returns.
Given increasing digitization, rapid technology innovation, and attackers that may be beyond the reach of law enforcement, the world economy cannot expect to eliminate the prospect of cyber-attacks anytime soon. Companies and economies can, however, aspire to achieve a state of digital resilience in which:
● Companies understand the risks of cyber-attacks and can make business decisions where the returns justify the incremental risks.
● Companies have confidence that the risks of cyber-attack are manageable, rather than strategic – they do not put the company’s competitive position or very existence at risk.
● Consumers and business have confidence in the online economy – the risks to information assets and of online fraud are not a brake to the growth of digital commerce.
● The risk of cyber-attack does not prevent companies from continuing to take advantage of technology innovation.
It is in this context that the World Economic Forum and McKinsey & Company have collaborated to understand how to help both companies and countries reach their aspirations.
BACKGROUND AND APPROACH
“Risk and Responsibility in a Hyperconnected World” has been a theme for the World Economic Forum since 2011. Since the middle of 2012, the Forum has worked with nearly 100 companies to sign the “Principles for Cyber-Resilience.” Adhering to these principles commits companies to recognize that all parties have a role in fostering a resilient digital economy and to develop a practical and effective implementation program. It also encourages executive-level awareness and leadership of cyber-risk management and, where appropriate, it encourages suppliers and customers to develop a similar level of awareness and commitment.2
For the Forum’s 2014 meeting in Davos, it asked McKinsey to help it increase C-suite executives’ level of engagement with cyber-attacks, cybersecurity, and digital resilience across industries, including not only technology and telecommunications, but also financial services, manufacturing, consumer goods, transportation, energy, and the public sector.
Jointly, McKinsey and the Forum decided that the most useful outputs of this project would be a fact-based point of view on the broad strategic and economic implications of cyber-attacks; and a plan for what the full set of players in the cybersecurity ecosystem should do to achieve digital resilience, with a strong focus on how senior executives could address this as a business rather than a technology issue.
We began collecting data in the late spring of 2013, developed and validated our hypotheses through the summer and fall, and shared our findings at the Forum’s Annual Meeting in Davos in January 2014.
Interviews with more than 18 °CIOs, CISOs, chief technology officers (CTOs), chief risk officers (CROs), business unit executives, regulators, investors, policymakers, and technology vendors provided input into how all the different participants in the ecosystem thought about the overall cybersecurity environment. In addition, surveys of nearly 100 enterprise technology users gave us a clear understanding of business risks, the threat environment, and the potential impact of a range of actions. Finally, more than 60 Global 500 institutions participated in a detailed survey on their cybersecurity risk management practices (Table P.2).
TABLE P.2 Our Research Was Based on Extensive Surveys and Workshops
