One of the time-worn challenges of leadership in the cybersecurity space is making proactive improvements to security with short-term knee-jerk reactions to events. But with Covid-19, there has been a hard reset.
Business leaders have rightly focused on remaining resilient through operational and financial pressures. Only now are some businesses taking a step back and asking: What does the new reality look like over the coming months and the next few years, and how do I prepare for it?
The dust is still settling. But some major themes are emerging. We are already seeing rapid expansions of digital commerce channels as consumer behaviours shift dramatically. Enterprises will have to evolve, improving their supply chain resilience, adapting to geopolitical challenges and tensions impacting the global market, and adjusting to new labour force models and work practices. They will have to do all of that in the face of a seismic shock to the global economy and, for many sectors, ongoing liquidity and debt challenges.
The pandemic has also thrown light on the resilience of businesses as companies struggle to pull together a country-level approach that links together cybersecurity, technology resilience, people, supply chains and property issues while also focusing on what really matters to the business – critical assets and services. In the wider ecosystem, the pandemic has outlined the need for greater cooperation and collaboration across both public and private domains, as we all tackle the challenges of Covid-19, even ruthless entrepreneurial cybercriminals who exploit the situation for their gain.
KPMG professionals have been working with the World Economic Forum’s (WEF) Center for Cybersecurity on these challenges, putting together a set of five principles to help cybersecurity leaders prepare for the new landscape. The paper by the WEF, which outlines these principles in more detail, is a collective effort across the WEF C4C’s public and private partners, to help clients get through this shift in the digital phase and transition to a new reality.
Foster a culture of cyber resilience
Businesses should look to break down barriers between departments, strengthening and promoting resilience across IT, operational technology and business-facing functions. It cannot just be tick-box compliance. There has to be a sense of collective urgency over cyber needs beyond the security and privacy functions, and the board should make itself accountable, ensuring that risks are understood, plans are designed and coordination is effective.
Focus on protecting critical capabilities and services
The pandemic has revealed how little we know about our critical services and assets, and the best approach to protecting them. Businesses need to re-establish a cyber hygiene culture in the workforce, move to new models of managing access and monitoring activity of critical assets, and prioritise investment in cyber automation.
Balancing risk-informed decisions during the crisis and beyond
Cyber risk management needs a top-to-bottom overhaul. The pandemic has proven the old supply chain risk assumptions to be false. Traditional cyber resilience metrics have proven to be an inadequate representation of the real risk. Businesses need to revise their approach to supply chains; define practical, meaningful cyber risk metrics; and focus on operational risks when designing new digital strategies.
Update and practise response and business continuity plans
One of the assumptions underlying most cyber business continuity planning has been that the rest of the ecosystem is operating as usual, and that it is possible to rely on suppliers and partners for support. The pandemic has forced us to question this assumption. Businesses need to revise resilience planning processes, test them, and equip crisis management teams with skill sets and experience to manage under intense pressure. They also need to review the definition of a worst-case scenario in the new reality.
Strengthen ecosystem-wide collaboration
There is strength in numbers, and the pandemic has demonstrated the need for cooperation. Governments are collaborating to address international cyberthreats; major enterprises are pooling threat intelligence; and regulators are seeing the value of transparency and collective action in ecosystem resilience planning. Businesses should think about how to reach out to their industry networks and establish collaborative awareness and intelligence sharing sessions. They should work together to disrupt criminal activity and take a systemic approach to risk management as part of the broader community.
Balancing tactics and strategy has never been harder than it is now. This pandemic has been unique, certainly during this period when cyber is a part of the enterprise leadership consciousness. Now is the time to think whether we should do things differently, going forward.