The Cybersecurity Guide for Leaders in Today’s Digital World (PDF)

The Cybersecurity Guide for Leaders in Today’s Digital World
Shaping the Future of Cybersecurity and Digital Trust
October 2019

World Economic Forum, 91-93 route de la Capite, CH-1223 Cologny/Geneva, Switzerland. Tel. +41 (0)22 869 1212, Fax +41 (0)22 786 2744, Email contact@weforum.org, www.weforum.org

© 2019 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

Contents

Foreword
Executive Summary
10 Tenets for Leaders
Tenet 1 Think Like a Business Leader
Tenet 2 Foster Internal and External Partnerships
Tenet 3 Build and Practice Strong Cyber Hygiene
Tenet 4 Protect Access to Mission-Critical Assets
Tenet 5 Protect Your Email Domain Against Phishing
Tenet 6 Apply a Zero-Trust Approach to Securing Your Supply Chain
Tenet 7 Prevent, Monitor and Respond to Cyber Threats
Tenet 8 Develop and Practice a Comprehensive Crisis Management Plan
Tenet 9 Build a Robust Disaster Recovery Plan for Cyberattacks
Tenet 10 Create a Culture of Cybersecurity
Conclusion
Contributors
Endnotes

Foreword

I am delighted to introduce this important guide, which is the product of a joint collaboration between the World Economic Forum and several of its partners. The cybersecurity challenges confronting all companies in today’s interconnected digital economy have reached new levels of complexity and scale. The threats are propagated via innovative new forms of malware, through the compromise of global supply chains and by sophisticated criminal and hostile state actors. These and other characteristics are at the heart of an expanding cyber-criminal economy that is difficult to counter.

Cyber is everywhere and it is here to stay. Global companies realize that they can no longer buy their way out of cyber challenges nor find a silver bullet by which to remove the threats. Developing more robust levels of cyber resilience is now the order of the day, and this is as much about developing a new culture and mindset as it is about adopting different processes and technology. The cyber imperative brings new demands on those responsible for running the business of cybersecurity in companies and organizations.

This guide is therefore timely and welcome as it charts the key tenets of how cyber resilience in the digital age can be formed through effective leadership and design. From the steps necessary to think more like a business leader and develop better standards of cyber hygiene, through to the essential elements of crisis management, the guide offers an excellent cybersecurity playbook for leaders in this space. Based on my long experience of working in the intelligence and law enforcement communities, as well as my current exposure to the boards and executive teams of many global companies as a partner of Deloitte Netherlands, all the elements herein are relevant and timely.

The recommendation to foster internal and external partnerships is one of the most important, in my view. The dynamic nature of the threat, not least in terms of how it reflects the recent growth of an integrated criminal economy, calls on us to build a better global architecture of cyber cooperation. Such cooperation should include more effective platforms for information sharing within and across industries, releasing the benefits of data integration and analytics to build better levels of threat awareness and response capability for all. Technology solutions and governance models are available to meet this goal, all within strong and responsible conditions of data privacy and security. In this and other priority areas highlighted here we require public- and private-sector leadership to drive this important change. It will take us to a better, more confident cyber future. For the cyber security leaders involved, reading this guide is a great way to start.

Rob Wainwright
Partner, Deloitte Netherlands

Executive Summary

Cyberattacks are one of the top 10 global risks of highest concern for the next decade, according to the World Economic Forum Global Risks Report 2019, with data fraud and theft ranked 4th and cyberattacks 5th. Globally, their potential cost could be up to US$90 trillion in net economic impact by 2030 [1] if cybersecurity efforts do not keep pace with growing interconnectedness, according to the Atlantic Council and the Zurich Insurance Group, among others. Although government and corporate leaders are deeply engaged in promoting effective cybersecurity strategies and the global spending on security continues to accelerate, the annual number of cyberattacks globally hit an all-time high last year.

There is an abundance of guidance in the cybersecurity community from well-accepted government and industry standards for information security globally, including ISO, NIST and many others. Yet the application of the guidance continues to fall short of what is required to ensure effective defense against cyberattacks. The World Economic Forum Centre for Cybersecurity has worked with its partners to consider the current barriers to the adoption of these practices in an effort to provide some key essentials to organizations wishing to improve their ability to defend against attacks.

This guide is intended for senior executives who are responsible for setting and implementing the strategy and governance of cybersecurity and resilience in their organization. Cybersecurity is everyone’s responsibility in an organization, not solely of the Chief Information Security Officer. It is essential that key stakeholders in the C-Suite, such as Chief Information Officers, Chief Technology Officers, Chief Digital Officers, Chief Financial Officers and other company executive officers, understand their responsibilities as they relate to cybersecurity.

We have strived to make this work relevant to small companies as well as to large, while recognizing that some of the elements prescribed may be more pertinent to larger companies with a range of integrated systems, functions and processes. This guide is but one piece of a wider portfolio of work conducted by the World Economic Forum Centre for Cybersecurity and our partners. For example, the Board Tools and Principles for Advancing Cyber Resilience published by the World Economic Forum in 2017 set the tone at the strategic level, and executives in smaller organizations may also wish to refer to the Global Cybersecurity Alliance Toolkit for Small Businesses.

Looking at the barriers to adoption of cybersecurity best practices, it is apparent that current approaches make it difficult to implement comprehensive best practices across the full extent of the digital and operating environments in organizations. Second, security tools and processes are often set up once and then forgotten, consequently quickly becoming redundant in a continuously evolving threat landscape. Systems must be updated continuously to keep pace with the flow of business activity if they are to protect effectively against newly discovered vulnerabilities. Third, although organizations have many tools in place to automate security tasks, the tools often can’t be used in concert in a fully automated fashion. This results in a complex landscape of security tools, gaps and vulnerabilities and, ultimately, in the inability to deploy a holistic automated approach. Lastly, another major challenge is the sheer volume of work involved in following up on security alerts and incidents that cannot be automated. There is important reliance on humans to carry out security functions, in particular to assess the more strategic implications of alerts and incidents. The shortage of cybersecurity talent, however, means this capability is often under-resourced. To offset these challenges, organizations need to consider outsourcing some of the more advanced, complex and onerous services to service providers, depending on their risk profile, to improve their coverage and service level agreements.

Figure 1 – Global Risks Report 2019. Top 10 risks in terms of likelihood: 1 Extreme weather events; 2 Failure of climate-change mitigation and adaptation; 3 Natural disasters; 4 Data fraud or theft; 5 Cyberattacks; 6 Man-made environmental disasters; 7 Large-scale involuntary migration; 8 Biodiversity loss and ecosystem collapse; 9 Water crises; 10 Asset bubbles in a major economy. Top 10 risks in terms of impact: 1 Weapons of mass destruction; 2 Failure of climate-change mitigation and adaptation; 3 Extreme weather events; 4 Water crises; 5 Natural disasters; 6 Biodiversity loss and ecosystem collapse; 7 Cyberattacks; 8 Critical information infrastructure breakdown; 9 Man-made environmental disasters; 10 Spread of infectious diseases.

The role of an organization’s cyber resilience leaders is to support the mission of their organization by ensuring that cyber risks are managed at an acceptable level. It is unrealistic for any organization to expect that their role is to achieve faultless security, or even that this could be possible. No enterprise is immune to cyber threat and organizations need to assume that a breach will happen. The end goal is resilience, the ability to quickly and efficiently identify and minimize the impact of an incident to allow an organization to continue its mission as effectively as possible.

In the digital age, organizations must continuously adapt their cybersecurity measures in proportion to the growing number and the sophistication of threats they face. According to a survey conducted in 2018 by Willis Towers Watson and the Economist Intelligence Unit (EIU) [2] of 452 large-company board members, C-Suite executives and directors with responsibility for cyber resilience, one-third of the companies surveyed had experienced a major cyber incident that disrupted their operations, and executives cite the size of the financial and reputational risk as the most important reason for board oversight. While about 45% of the North American businesses had confidence in restoration after a breach, this number decreased to 30% for European and only 21% for Asian businesses. To compound this issue, it was reported that on average, only 1.7% of total revenue was spent on cyber resilience.

The following tenets are the fundamentals that an organization must implement in order to embed cybersecurity in the corporate DNA and as part of a comprehensive cybersecurity programme in the exercise of due diligence for cyber resilience. They take into account existing guidance and standards and are intended to serve as a practical guide to cyber resilience for executives when assessing the management of cyber risks in their organization.

10 Tenets for Leaders

Tenet 1 Think Like a Business Leader
Tenet 2 Foster Internal and External Partnerships
Tenet 3 Build and Practice Strong Cyber Hygiene
Tenet 4 Protect Access to Mission-Critical Assets
Tenet 5 Protect Your Email Domain Against Phishing
Tenet 6 Apply a Zero-Trust Approach to Securing Your Supply Chain
Tenet 7 Prevent, Monitor and Respond to Cyber Threats
Tenet 8 Develop and Practice a Comprehensive Crisis Management Plan
Tenet 9 Build a Robust Disaster-Recovery Plan for Cyberattacks
Tenet 10 Create a Culture of Cybersecurity

Tenet 1 Think Like a Business Leader

In the context of the Fourth Industrial Revolution, almost every business is transforming itself by adopting leading technologies and innovative data-driven business models. In this massive, unprecedented wave of digital transformation, cybersecurity operations are a vital element of every business’s success. Today a cybersecurity leader’s responsibilities include educating the board and the executive leadership on the importance of cyber risk management. While the cybersecurity industry has a tendency to instill fear to sell products, cybersecurity leaders should focus on positioning cybersecurity as an integral component of their business strategy and success.

Over the past decade, the role and significance of cybersecurity within an organization – in general, and that of the cybersecurity leaders in particular – have evolved immensely. Cybersecurity leaders are business leaders, first and foremost, and thus have to position themselves, their teams and operations as business enablers.

Transforming cybersecurity from a support function into a business-enabling function requires a broader view and a stronger communication skill set than was required previously. As an integral part of today’s business success, cybersecurity has a direct influence on business reputation, stock value, revenue, brand equity, customer relations and a product’s time to market, among other parameters. Consequently, leaders in the digital age must:

– Foster transparency and trust
– Develop the critical thinking, creativity and problem-solving skills not only of the cybersecurity team but of the entire organization
– Possess strong business acumen to translate the technical risks into business strategy risks, so that a non-technical audience can understand the potential threats to business operations
– Understand the business and industry they are in, both to grasp the cyber threats unique to the organization, as well as to use language familiar to the Board and other executives within the organization
– Be proficient in speaking business language when communicating about cybersecurity to influence senior management and the Board of Directors
– Align the objectives of the cybersecurity strategy with the business strategy

The World Economic Forum Centre for Cybersecurity is seeking to change the cyber narrative, which until now has been primarily driven by fear, by highlighting the positive opportunities for building trust in digital transformation.

Tenet 2 Foster Internal and External Partnerships

Cybersecurity is a team sport. By providing vehicles for dialogue and decision-making, internal partnerships enable information security teams to become more agile and responsive to business needs. The number of potential partnerships has grown and will continue to grow as the scope of information risk broadens to include a range of privacy and regulatory concerns as well as traditional security threats. The time to develop such partnerships is before a crisis, not after a cybersecurity breach.

Today, information security teams need to partner with many internal groups in their conduct of a variety of functions, including risk management decisions, incident response and monitoring. A cybersecurity leader needs to develop a shared vision, objectives and KPIs with business executives to ensure that time-to-market timel