Can the World Economic Forum’s Cyber Security Principles Advance Cyber Resilience?

A few weeks ago, the World Economic Forum (WEF) met in Davos, Switzerland, where an expert working group issued a report, “Advancing Cyber Resilience: Principles and Tools for Boards.” It is touted as a first-of-its-kind resource to support boards of directors and CEOs on cyber security and cyber resilience strategy. The WEF’s principles and tools are designed to help corporate boards and senior management strengthen their organizations’ cyber hygiene and posture. The principles are a response to the increasing threat that cyber risks pose to the world economy. Their aim is to provide guidance for managing cyber risk in much the same way that organizations already manage enterprise risk.

Let’s consider whether the proposed principles and tools can improve cyber resilience, and which types of enterprises can benefit most from implementing them.

Traditionally, cyber security has been considered the exclusive domain of IT and security operations departments, which were charged with purchasing and deploying technology to defend against network intrusions. However, the long line of devastating data breaches at Yahoo!, Cisco, Oracle, SWIFT, and dozens of other established, respected brands is changing roles and responsibilities. Responsibility for the safety, security, and integrity of an organization’s network has increasingly shifted to executive management and boards of directors.

Operating in this new environment is not easy. A recent study by the National Association of Corporate Directors (NACD) revealed that over 90% of respondents believe their board’s understanding of cyber security risks still needs to improve. In this context, the WEF report details best practices that boards of directors “can use to smoothly integrate cyber risk and resilience into business strategy so that their companies can innovate and grow securely and sustainably.” The 10 board principles for cyber resilience are supplemented by practical questions board members can use to evaluate their organizations’ cyber hygiene. Furthermore, the document outlines a variety of risk management frameworks that boards should consider for managing and minimizing the organization’s cyber risk exposure.

The WEF report’s framework and tools represent a good first step toward elevating cyber security and resilience to the C-suite and board level. The report provides practical guidance on principles and steps to help organizations move from a compliance, check-box mentality to a proactive, risk-based approach to enterprise security. Ultimately, establishing a proper oversight program can help companies streamline board reporting, integrate the multi-department activities required to mitigate operational cyber risks, and ensure that reasonable security protocols and procedures are in place. It can also help all stakeholders gain a better understanding of which assets are at risk, how to estimate potential losses, and how best to mitigate threats through new security practices, investments, or cyber security insurance.

The WEF report also helps boards prioritize cyber risk management over cyber security alone, an approach that has proven effective against today’s sophisticated adversaries. Only when organizations contextualize internal security intelligence (scan results, alerts, configuration findings) with external threat data, and then correlate the result with the business criticality of the affected assets, can they focus on the biggest risks to their business. This in turn allows remediation efforts to be orchestrated in time to shrink the window of opportunity for a successful cyber-attack.

In addition, the WEF report provides some valuable building blocks for implementing better cyber security practices. However, it is not a silver bullet for preventing cyber-attacks and data breaches: guidelines and regulations are static documents that cannot evolve on their own to detect and mitigate morphing threats, and regulatory compliance cycles move far too slowly to keep pace with attackers. Published guidelines also tell attackers exactly which controls to expect, so any gap in the prescribed measures can serve as a blueprint for an attack strategy.

Ultimately, proper security measures and best practices are just one part of the solution. One of the biggest challenges facing organizations is managing the sheer volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized to even stand a chance of detecting a cyber-attack. The Target breach is a good example. Although the company had best-of-breed technology in place that detected the intrusion early on, the alerts were buried in a sea of data, which prevented the security team from connecting the dots and responding in a timely fashion. In the end, a third party uncovered the breach after stolen data was posted on the Internet.

Without automation, it can take humans months or even years to analyze large volumes of security data and piece together an actionable risk assessment. Organizations should focus on using technology to examine their security feeds, extract the relevant threat intelligence, and rank findings so that they can respond in a timely manner to the most critical risks to their business. The WEF principles and tools are an important first step in this process.
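The two ideas above (correlating internal findings with external threat data and asset criticality, and not letting the important alert drown in noise) are easier to see in working code. The following is an added example, not code from the WEF report, from SecurityWeek, or from any vendor named in this article. The asset inventory, threat-intel lists, alerts, IP addresses (documentation ranges) and the placeholder “CVE-0000-0001” are all constructed, and the scoring weights are assumptions chosen to illustrate the re-ranking, not a recommended formula.

```python
"""Risk-based alert triage: rank security findings by business impact.

Added example. Inventory, intel feeds and alerts are constructed; the
multipliers in score() are assumed weights for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: business criticality on a 1-5 scale plus tags.
ASSETS = {
    "pos-gw-01": {"criticality": 5, "tags": {"pci", "internet-facing"}},
    "hr-web-02": {"criticality": 3, "tags": {"pii"}},
    "dev-vm-17": {"criticality": 1, "tags": set()},
}

# Constructed external threat intel. The CVE is a placeholder identifier,
# not a real vulnerability; 203.0.113.7 is in the TEST-NET-3 documentation range.
INTEL = {
    "exploited_cves": {"CVE-0000-0001"},
    "malicious_ips": {"203.0.113.7"},
}

# Assumption: an asset missing from the inventory is treated as medium
# criticality rather than silently dropped (an unknown asset is itself a finding).
DEFAULT_CRITICALITY = 3


@dataclass(frozen=True)
class Alert:
    asset: str
    signature: str
    severity: int                 # tool-reported severity, 1-5
    cve: Optional[str] = None
    remote_ip: Optional[str] = None


def score(alert: Alert, assets=ASSETS, intel=INTEL) -> int:
    """Combine tool severity, asset criticality and external intel into one number."""
    meta = assets.get(alert.asset, {"criticality": DEFAULT_CRITICALITY, "tags": set()})
    s = alert.severity * meta["criticality"]
    if alert.cve in intel["exploited_cves"]:     # exploited in the wild: assumed x3
        s *= 3
    if alert.remote_ip in intel["malicious_ips"]:  # known-bad peer: assumed x3
        s *= 3
    if "pci" in meta["tags"]:                    # regulated data: assumed x2
        s *= 2
    return s


def triage(alerts, assets=ASSETS, intel=INTEL):
    """Collapse duplicate alerts per (asset, signature), score and rank them.

    Returns rows sorted by contextual score, then by volume. The count field
    keeps the noise visible without letting it crowd out the ranking.
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.asset, a.signature)].append(a)
    rows = []
    for (asset, sig), items in groups.items():
        rows.append({
            "asset": asset,
            "signature": sig,
            "count": len(items),
            "raw_severity": max(a.severity for a in items),
            "score": max(score(a, assets, intel) for a in items),
        })
    rows.sort(key=lambda r: (-r["score"], -r["count"]))
    return rows


def sample_alerts():
    """Constructed feed: 500 low-value scans, one exploit attempt, one beacon."""
    noise = [Alert("dev-vm-17", "port-scan", 1, remote_ip="198.51.100.9")
             for _ in range(500)]
    exploit = Alert("hr-web-02", "exploit-attempt", 4, cve="CVE-0000-0001")
    beacon = Alert("pos-gw-01", "outbound-beacon", 2, remote_ip="203.0.113.7")
    return noise + [exploit, beacon]


if __name__ == "__main__":
    for r in triage(sample_alerts()):
        print(f'{r["score"]:>4}  sev={r["raw_severity"]}  x{r["count"]:<4} '
              f'{r["asset"]}  {r["signature"]}')
```

Sorted by the tool’s own severity, the exploit attempt on hr-web-02 comes first and the low-severity beacon from the card-processing gateway sits behind it. Once asset criticality and the intel feed are applied, the beacon moves to the top and the 500 port-scan alerts collapse into a single row at the bottom, which is the difference between a buried alert and an actionable one.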

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
