The title of this blog post borrows from a recent and deeply insightful article co-authored by Andrea Bonime-Blanc (Founder and CEO, GEC Risk Advisory) and Maya Bundt (Head, Cyber and Digital Solutions, Swiss Re), which appeared on the World Economic Forum website.
The thrust of the article is that organisations should be proactive about reporting on their cyber resilience posture, just as they report on other key facets of organisational governance such as financial reporting and ESG reporting. Cyber resilience has to be seen ever more as a key pillar of sustainable business as our societies become more and more digital. A poorly governed cyber posture can easily lead to significant losses for an organisation, as well as collateral damage to information pertaining to the clients or data subjects associated with it.
For the last two decades at least, there has been a surge in the severity and frequency of cyber exploits mounted by organised crime groups, and other categories of threat actors, on private sector organisations as well as public sector bodies. Time and again, the tactics and techniques used in these exploits have hardly changed over the years, yet the lessons still remain unlearnt. In my personal opinion, it is not because the problem is too hard or that the bad guys are getting vastly better than the defenders; it is largely because organisations have either been conditioned not to be strictly accountable for cyber failures, or because ‘compliance’ is treated as the be-all and end-all of cybersecurity.
During the latter part of my career I have been particularly focused on helping organisations that have suffered cyber breaches, and I cannot emphasise enough how disconcerting and damaging the experience can be for an organisation and, in turn, for the ecosystem of business partners and clients associated with it. Aside from the immediate technical endeavour to contain the damage and restore operations, or the direct financial losses incurred, there is a very human aspect that often gets forgotten or is rarely mentioned in the media. That human side often manifests itself in lost livelihoods, damaged professional reputations, diminished client trust, lowered staff morale and performance, the seeding of internal business conflicts, bruised or irreparable business reputation, tarnished economic viability, and sometimes even loss of life or an adverse impact on the socio-political climate (e.g. election tampering). The list is extensive, long lasting and far reaching. We simply cannot treat cyber resilience as something tactical or purely technical, like some broken plumbing.
This is why I strongly concur with and echo the messages and discerning ideas presented in the article by Andrea and Maya. To quote one of the paragraphs which stood out for me:
“Cyber resilience is a matter of survival. Sustainable value generation requires companies – and any type of organization, for that matter – to weather shocks to the system and learn from them. In a post-COVID world, these disturbances are more likely than not to affect a company’s digital assets and processes – exactly those assets that have allowed the organization to function during the pandemic.”
A more detailed white paper titled “Cyber Resilience ESG Reporting” also accompanies the WEF article and can be downloaded from the Swiss Re website.