Resilience is the key to security, says World Economic Forum

While never underestimating the effect of cyber risks and the protection of infosecurity, WEF’s new report Partnering for Cyber Resilience stresses the need for overall resilience in protecting the company. Cyber resilience, it says, “is defined as the ability of systems and organizations to withstand cyber events, measured by the combination of mean time to failure and mean time to recovery.” This is more than just adding more firewalls and anti-virus software.

Cyber resilience can only be achieved by taking a holistic view of risk, and by sharing risk information with other companies. This report is both a roadmap and a commitment for companies to move through WEF’s five-stage resilience maturity model, from ‘unaware’ to ‘networked’. The latter is where “organizations are highly connected to their peers and partners, sharing information and jointly mitigating cyber risk as part of their day to day operations.”

“Just as security professionals say that security should be built into applications from the ground up and not bolted on afterwards,” says Frank Coggrave, EMEA general manager of Guidance Software, “so WEF is saying that companies need resilience built into their fabric and not just added on with security products.” The latter is important, but should not be treated in isolation.

But Coggrave does see one problem with this approach. “The emphasis on interconnectivity and interdependence, which the report highlights from the outset, means that everyone is dependent on the weakest link. This could prove challenging, as, whilst many organizations take the threat of cyber security seriously, unfortunately, many don’t.”
