One of the time-worn challenges of leadership in cybersecurity is balancing making proactive improvements to security with short term knee-jerk reaction to events. We often see tactical considerations divert attention from tackling longer term strategic issues. But with the COVID-19 pandemic, there’s been a hard reset.
Business leaders have rightly focused on remaining resilient through operational and financial pressures. Only now are some clients taking the time to step back and ask — what does the new reality look like over the coming months and next few years, and how do I prepare for it?
The dust is still settling. But some major themes are emerging. We’re already seeing rapid expansions of digital commerce channels as consumer behaviors shift dramatically.
Enterprises will have to evolve. Working to improve their supply chain resilience, adapt to geopolitical challenges and tensions impacting the global market and adjust to new labor force models and working practices. They’ll have to do all of that in the face of a seismic shock to the global economy and, for many sectors, ongoing liquidity and debt challenges.
The pandemic has also shone a light on the resilience of our businesses as companies struggle to pull together a country-level approach that links together cybersecurity, technology resilience, people, supply chain and property issues — while also focusing on what really matters to the business — critical assets and services. In the wider ecosystem, the pandemic has outlined the need for greater cooperation and collaboration across both public and private domains, as we all tackle the challenges of COVID-19, including ruthless entrepreneurial cyber criminals who exploit the situation for gain.
KPMG professionals have been working with the World Economic Forum’s Center for Cybersecurity on these challenges, helping put together a set of five principles to help cybersecurity leaders prepare for the new landscape. The paper by the WEF, which outlines these principles in more detail, is a collective effort across the WEF C4C’s public and private partners to help clients get through this digital phase shift and transition into the new reality.
- Foster a culture of cyber resilience: Businesses should look to break down barriers between departments, unifying the resilience culture across IT, operational technology and business-facing functions and promoting resilience by design across the enterprise. It can’t just be tick-box compliance. There has to be a sense of collective urgency over cyber needs beyond only the security and privacy functions, and the Board should make itself accountable — ensuring that risks are understood, plans designed and co-ordination is effective.
- Focus on protecting critical capabilities and services: The pandemic revealed how little we know about our critical services and assets, and the best approach to protecting them. Businesses need to re-establish a cyber hygiene culture in the workforce, move to new models of managing access and monitoring activity on critical assets and prioritize investment in cyber automation.
- Balance risk-informed decisions during the crisis and beyond: Cyber risk management needs a top-to-bottom overhaul. The pandemic has proven the old supply chain risk assumptions to be false. Traditional cyber resilience metrics have shown to be an inadequate representation of real risk. Businesses need to revise their approach to supply chains; define practical, meaningful cyber risk metrics; and focus on the risks to operations when designing new digital strategies.
- Update and practice your response and business continuity plans: One of the assumptions underlying most cyber business continuity planning has been that the rest of the ecosystem is operating as usual, and that it’s possible to rely on suppliers and partners for support. The pandemic has forced us to question this assumption. Businesses need to revise resilience planning processes and test them, equipping crisis management teams with the skill sets and experience to manage under intense pressure. They also need to review the definition of a worst-case scenario in the new reality.
- Strengthen ecosystem-wide collaboration: There’s strength in numbers, and the silver lining of the pandemic has demonstrated the need for cooperation. Governments are collaborating to address international cyber threats; major enterprises are pooling threat intelligence; and regulators are seeing the value of transparency and collective action in ecosystem resilience planning. Businesses should think about how to reach out to their industry networks and establish collaborative awareness and intelligence sharing sessions, work together to disrupt criminal activity, and take a systemic approach to risk management as part of the broader community.
Balancing tactics and strategy has never been harder than it is now. This pandemic has been unique in living memory, and certainly during the period that cyber has been part of enterprise leadership consciousness.
Now is the time to think about whether we should do things differently, going forward.