Last July, the World Economic Forum (WEF) published a white paper entitled The Cyber Resilience Index: Advancing Organizational Cyber Resilience. While decision-makers seem to be abreast of the matter, it appears this is not yet the case for a majority of the population. In an interconnected and interdependent world, cyber resilience is one of those issues that raises doctrinal and philosophical debates while calling for strong political will.
By Corentin Dionet
Cyber resilience has been defined by the WEF as: “An organization’s ability to transcend, anticipate, withstand, recover from and adapt to any stresses, failures, hazards and threats to its cyber resources within the organization and its ecosystem” [1]. To tackle this issue, the organization has devised a Cyber Resilience Framework (CRF) and a Cyber Resilience Index (CRI). The first tool, a guide built around six principles along with several practices, consists of: “Cultivating a culture of resilience; Regularly assessing and prioritizing cyber risk; Establishing and maintaining core security fundamentals; Incorporating cyber-resilience governance into business strategy; Encouraging systemic resilience and collaboration and Ensuring design supports cyber resilience”. The second one helps measure an organization’s performance in terms of cyber resilience.
Establishing a culture of cyber resilience
Russia’s unprovoked invasion of Ukraine has been a catalyst for many trends regarding the European security architecture. One of them is the emergence of cyber resilience as a priority for many around the globe, and especially for European Union member states. “With the tensions in geopolitics and rise of cyber-criminal activities, cyber resilience must be an integral part not only of technical systems but of the organizational culture and the daily way of working”, Algirde Pipikaite, who leads Strategic Initiatives at the Centre for Cybersecurity of the World Economic Forum, explains.
The consequences of an attack can be far-reaching, particularly for a company. Reputational damage and the costs incurred can sometimes be very difficult to recover from. That is what cyber resilience can try to prevent: “The mindset of quick and smooth recovery of business operation when a cyber-attack occurs is of vital importance. The reward for making cyber resilience part of the ethos is greater opportunity to take healthy risks, innovate and responsibly capture the value of tomorrow’s digital economy”, the expert elaborates.
Acculturate the different actors
Nonetheless, the vast majority of actors and structures must still be convinced to invest in cybersecurity and cyber resilience. Owners of small and medium-sized businesses and low-level administrations are still often unaware of the risks. “Our main goal must be to acculturate our administrations, our companies and our business owners to the importance of protecting their information networks. Spreading this message in order to kindle awareness and understanding is paramount. But in order to be understood, we need to gain in clarity, by enabling the creation of a one-stop shop for cybersecurity issues, both at the national level and the regional echelon, to make it easier for citizens to identify their privileged interlocutor”, says Philippe Latombe, a French MP committed to the topic.
[1] World Economic Forum (July 2022): “The Cyber Resilience Index: Advancing Organizational Cyber Resilience”.
Even though the French government has prioritized cybersecurity within the scope of its national strategy, allocating 1 billion euros of investment last year to accelerate the development of the cybersecurity sector in the country and increase protection levels for public institutions, the MP regrets: “We are too few carrying these topics inside the Parliament. There has been a loss of skills with the departure of knowledgeable colleagues on these matters after the last election. I am working on identifying conversation partners on these issues, in order to build a transpartisan working group and spread the message that cyber resilience and cybersecurity are important. The executive power must take possession of the matter, they are not doing it enough at the moment”.
Information networks, closed for business?
At the moment, there is often a gap in perception between decision-makers and cyber experts regarding how prepared their structures are for a potential cyberattack. “To provide an equal level of understanding and evaluating cyber risks, we need to have frameworks and tools to equip cyber leaders to communicate prevailing cyber risks, and their impact, to senior business leadership. Our hope is that the CRF and CRI will play this crucial role in closing the existing gap”, Algirde Pipikaite announces. Still, the lack of qualified personnel and talent in the cyber ecosystem makes life harder for administrations and businesses looking to protect themselves in an interconnected and interdependent world where cyberattacks on information networks are commonplace.
“The main purpose of developing the CRI with the global community was to provide a unique, strategic blueprint to different industries to improve transparency and visibility and enable greater levels of trust. We all are only as secure as the weakest link is across the ecosystem, that is why cyber resilience is not a standalone issue just in one organization but rather should be seen as an important part across the industries and regions”, the expert says.
“We lack a global vision”
So, is being able to close your information systems the answer? “Building information systems able to function open or closed is a technical must. Imagine our network as a fortified castle, there should be one entry and one exit: the drawbridge. We need to ensure that there is no other entry or exit point in our castle. At the beginning, Russia and China were threatening to close their network, and it was a defensive weapon. It became an offensive one, because we do not know how the global economy would function without these countries. There could be an economic and political black-out”, points out Philippe Latombe.
“Being able to close our network should not mean being eager to do so. Giving our state administrations autonomy and control by building or acquiring a built network should be a priority. Nowadays, American solutions are favored by most of France’s companies because they are easy to use, but we have French solutions and a viable ecosystem. They need use cases and orders from both our public and private sector to stay at the state of the art. We lack a global scheme and vision. I was hoping for the creation of a Digital Ministry, with a state secretary specialized in cybersecurity who would be charged with creating and enforcing a cyber resilience plan”, the French MP concludes.
Last May, the World Economic Forum launched the Cyber Resilience Pledge, which aims to mobilize global commitment towards strengthening cyber resilience across industry ecosystems and has gathered over 40 oil and gas players from over 20 countries. It is a transnational initiative that echoes the widespread discourse on the need to bring together strategic actors in order to enhance global cybersecurity.