
How organisations can use vulnerability to create cyber resilience

Organisations that will emerge as market leaders in the digital economy will have leaders that prioritise and cultivate a culture of cyber resilience
Senior Manager, Security at Accenture
Chairman of ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy at the International Organization for Standardization

Too often, there is an inappropriate level of trust between organisations in the digital ecosystems we depend on. The dynamic is born from institutional aversion to loss, fear of condemnation, fragile confidence, and lack of cyber resilience.

The World Economic Forum’s Global Cybersecurity Outlook 2022 report, developed in collaboration with Accenture, found that:

  • Only 19% of cyber leaders feel confident that their organisation is cyber resilient
  • 58% of respondents feel their partners and suppliers are less resilient than their own organisation
  • 88% of respondents are concerned about the cyber resilience of Small and Medium-Sized Enterprises (SMEs) in their ecosystem.

It doesn’t have to be this way. If organisations can overcome such self-limiting stigma, each will gain from the collective wisdom and combined capability of its partners. Doing so is a necessary foil for the cascading consequences that occur when fragile, interconnected ecosystems break down, as so many recent events have demonstrated.

Cyber collaboration and shared wisdom

For organisations to move past this protracted mistrust, they must exploit a different kind of critical vulnerability from what cyber professionals are used to—the vulnerability of an organisation to be truly seen. They must embrace the willingness to be transparent within their organisation and ecosystem about shortcomings in cyber resilience posture. They should set realistic expectations about exposure and provide clear information about the systemic consequences of disruptions. They should be forthcoming about experiences with disruptive events and share lessons learned as a result.

Cyber resilience is what takes over when security prevention measures falter. In the digital economy, the ability to transcend cyber disruption distinguishes market champions. Organisations that turn vulnerability into strength will have the confidence to take healthy risks.

Turning institutional vulnerability into organisational strength is not easy to do. Fortunately, the World Economic Forum’s newly-released Cyber Resilience Index Framework – developed in collaboration with Accenture – presents the six principles to cultivate a culture of resilience:

  • Regularly assess and prioritise cyber risk
  • Establish and maintain core security fundamentals
  • Incorporate cyber resilience governance into business strategy
  • Encourage systemic resilience and ecosystem-wide collaboration
  • Ensure design supports cyber resilience
  • Cultivate a culture of resilience

Two principles in particular—cultivating a culture of cyber resilience and encouraging systemic resilience and collaboration—have long been under-valued. Both these principles provide organisations with a starting point to turn vulnerability into cyber resilience. The principles are put into practice as follows:

Cultivate a culture of resilience

Employees are empowered to understand and embody cyber resilient behaviours. This principle has the following practices:

  • Earn trust through accountability and transparency: Management regularly, clearly, and openly communicates the cyber resilience strategy, practices, operations, successes, and failings. This builds and maintains knowledge, trust, openness, and ownership over organisational success.
  • Cyber resilient aware leadership: Leadership has the expertise and power to manage the organisation’s cyber resilience according to best practices and is incentivised to advance its expertise with changes in the landscape.
  • Leadership drives culture: Leadership sets the tone and puts the organisational mechanisms in place to drive a culture of capability and accountability for cyber resilience at every level of the organisation.
  • Champion employee behaviour: Employees understand the defined cyber resilience objectives, feel responsible for the organisation’s cyber resilience, and are empowered to exercise cyber resilient behaviour in their daily interactions without fear of punishment.
  • Provide continuous training: Employees are taught cyber resilience concepts and best practices, the importance of cyber resilience, and its role in their daily responsibilities. They continuously exercise these lessons through training that evolves with the cyber resilience landscape, and they get prompt feedback on their actions.

Encourage systemic resilience and ecosystem-wide collaboration

The organisation understands the interdependencies within its ecosystem, engages with other organisations, and fulfils its role in maintaining the resilience of the entire ecosystem. This principle has the following practices:

  • Trust through knowledge, accountability, and transparency: The organisation maintains transparency in its practices, operations, successes, and failings with its ecosystem partners and shares best practices to build a more resilient collective.
  • Ecosystem-wide collaboration: Management creates a culture of collaboration and sets strategic objectives for knowledge and information sharing. So too, it identifies, understands, and mitigates cyber risks in the ecosystem. The organisation also actively collaborates with industry peers and policymakers.
  • Ecosystem-wide cyber resilience capabilities: The organisation continuously improves collective cyber-resilience capabilities alongside other members of the ecosystem to share knowledge, raise awareness and boost the overall standards of practice. This increases the collective capabilities of all members of the ecosystem, appropriately balancing innovation, preparedness, protection, response, and recovery.

These principles and practices promote the kind of cyber vulnerability that organisations and ecosystems need. It’s not just about creating a more capable ecosystem, either. It’s about the opportunity to gain a sustainable competitive advantage. The organisations that quickly adopt resilience through confident vulnerability quickly emerge as leaders in their industry and set the standard for their ecosystem.

ISO 31000:2018 emphasises the fact that risk is the “effect of uncertainty on objectives” and that, despite conventional thinking, that effect can be positive as well as negative. Amid the Fourth Industrial Revolution, systemic interdependence creates both downside costs of cyber risk and holds a much greater upside value. On both sides, the effect of resilient organisational behaviour on the future is more than the sum of its parts. The organisations that will lead us into the digital future are those that are not only vulnerable enough to admit they can’t do it alone but are also confident and savvy enough to realise that it’s better for businesses to not even attempt it.

This article was first published on the World Economic Forum and can be read here.

Michael Rohrs
Senior Manager, Security at Accenture

Michael Rohrs is a senior manager at Accenture and is also a fellow of Centre for Cybersecurity at the World Economic Forum. Prior to this he was the head of Cyber Consulting for Control Risks’ Americas division.

Andreas Wolf
Chairman of ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy at the International Organization for Standardization

Andreas Wolf is not only the chairman of ISO but is also a technical consultant (sealants & adhesives) for A&S SciTech Consulting. Prior to this, he was a member of the editorial board at ASTM International and a senior industry scientist at Dow Corning GmbH.
