Today at the World Economic Forum annual meeting in Davos, a number of global CEOs announced the ‘Cyber Resilience Pledge’, a collective action to champion a unified approach to growing cyber risks, particularly as they impact critical infrastructure. The pledge, initially signed by major oil and gas businesses, has broad implications for many other industries.
Organizations signing the pledge commit to working together and taking meaningful action to mitigate cyberattacks. The pledge consists of the following six principles to guide businesses as they adopt cyber resilience practices:
- Cybersecurity is a strategic business enabler
- Understand the economic drivers and impact of cyber risk
- Align cyber-risk management with business needs
- Ensure organizational design supports cybersecurity
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration
It is encouraging to see the issue of cyber resilience being taken seriously by CEOs and boards, and a more unified approach to responding to cyber risk is certainly a positive development. However, for these kinds of pledges and initiatives to be successful, leaders must address the fundamental issues that hinder a genuinely effective response.
All too often we see a frustrating disconnect between boards and their Chief Information Security Officers (CISOs), which leads to ineffective prioritization of cyber threats and exacerbates business risk. Our 2022 Voice of the CISO report found that only 51% of CISOs globally believe their board sees eye-to-eye with them on the issue of cybersecurity.
Often this comes down to communication. If cybersecurity is to be prioritized effectively, CISOs should report directly to the CEO rather than to the CIO. Equally, CISOs need a better understanding of the board’s business perspective so that both sides speak the same language.
To contend with the complexities of today’s threat landscape, organizations must bring cybersecurity expertise directly to the board level. The trend is already clear: Boards in Australia must oversee cyber resilience under Australian Prudential Regulation Authority (APRA) regulations, and earlier this year the U.S. Securities and Exchange Commission proposed a rule requiring disclosures of board cybersecurity expertise and board oversight of cybersecurity risks for all U.S. public companies.
If there is one positive we can take from a year of headline-grabbing cybersecurity incidents, it’s that boardrooms worldwide have awakened to today’s cyber risks. With the prospect of significant downtime, disrupted operations and impacts on business valuations following a cyber breach weighing heavily on the minds of the board, hopefully over the next 12 months we will see this awareness turn into action.
For the latest CISO news and resources, check out the Proofpoint CISO Hub.