Following CEO and Co-Founder Aleksandr Yampolskiy’s attendance at Davos, and SecurityScorecard’s subsequent visit to Geneva to meet with world leaders at WEF Headquarters, Alex spoke this week to another community of WEF members near our headquarters in New York City during the Forum’s New Champions Leadership Dialogue. New Champions companies are mid-sized organizations transforming industries through new business models and market disruptions.
The rise of global cyber risk
In his talk and the interactive discussions that followed, Alex focused on practical advice for how these growing businesses can manage cyber risk and use business-centric tooling and reporting to protect their organizations and elevate the management of cyber risk to the same level as other systemic business risks.
The stakes are high, and the level of urgency clearly must be raised. According to the Forum’s 2023 Global Cybersecurity Outlook, only 19% of cybersecurity leaders believe that their organizations are cyber resilient. More than 90% believe that a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years, and more than 40% of leaders think their own organizations will be materially impacted by a cyberattack in that same timeframe.
Investments in cyber tools and consultants continue to expand, but unfortunately, the risks facing organizations and their ability to measure and quantify how they are responding are only getting worse. It’s important for business leaders and policymakers to ask why this is happening.
What is hindering improvements in global cyber security?
Alex highlighted that three primary factors are driving growing insecurity:
- The complexity of technology infrastructure, where everything is connected to the internet, dramatically increases the attack surface organizations need to monitor and safeguard.
- Continued advancement in the sophistication of adversaries makes it harder for organizations to stay ahead of ever-evolving threats.
- Poor risk management only makes it harder for organizations to prioritize where they should spend their time and resources for maximum impact.
Basic security hygiene, third-party risk management, and choosing the metrics that matter most to monitor and report on are vital to rebalancing this security deficit.
Why does managing cyber risk matter?
Boards and leadership teams in both corporate and government environments must implement new strategies to stay ahead of both the threats and continually evolving regulatory requirements. For public companies, the Securities and Exchange Commission is advancing several new regulations that will increase Board reporting and oversight requirements in the cyber domain. At a recent lunch with the New York Economic Club, Cybersecurity and Infrastructure Security Agency Director Jen Easterly highlighted that the time is now for Boards to expect that prospective Directors possess the same baseline level of competency with cyber risk that Boards expect in basic financial acumen.
In the past few weeks since the release of the Biden Administration’s National Cybersecurity Strategy, the Environmental Protection Agency has released new cyber requirements for state water systems, the Transportation Security Administration released new Directives requiring greater reporting from airlines, and the National Credit Union Administration issued new final regulations on reportable cyber events. Washington and state regulators will be implementing new requirements across virtually all sectors of the economy.
Like every other community we engage with, the participants in the WEF dialogue this week were the first to admit they have a long way to go in measuring, communicating, and ultimately reducing their risks. Too often, organizations believe they aren’t big enough to warrant attention from hackers. Yet we know that cyber adversaries seek to exploit vulnerabilities at every level. Small organizations are connected to mid-sized organizations, and those organizations are connected to hundreds and thousands of other businesses.
Addressing common weaknesses in cyber security
Weakness in one organization is a gateway to multiple other attack vectors. In our most recent research with the Cyentia Institute, we found that 98% of organizations globally have a relationship with at least one entity that’s suffered a breach. More than 50% of organizations have indirect relationships with at least 200 fourth-party organizations that have suffered breaches.
During our session, Alex and the participating CEOs focused on how to improve Board reporting, how to prioritize and measure the most impactful metrics, and how to ensure that technical organizations translate cyber threats to business impacts and vice versa. There was also agreement that partnerships, internally and externally, are vital to ensuring the right resources are applied and the right outcomes measured. We know from our work with thousands of organizations across the globe that, to yield results, the journey must be continuous and data-driven.
SecurityScorecard and the World Economic Forum
SecurityScorecard has partnered with the World Economic Forum since 2020, when we were selected as a Technology Pioneer, joining well-known organizations and technologies like Google, Palantir, Twitter, and Spotify. Recently, we “graduated” from the Tech Pioneer community to their global unicorn partners, and now are active members in the Forum’s Innovators Community.
Given SecurityScorecard’s role as the world’s leading cyber risk ratings and resilience company, we have engaged most deeply with the WEF’s Center for Global Cybersecurity. This team includes 100 leading global cyber committees committed to using WEF’s platform to make the world safer and to drive progress in global cyber resilience.
Engagements like Alex’s recent talk reinforce WEF’s operating ethos, “Committed to Improving the State of the World.” We leave discussions like these invigorated to use our expertise to do the same.