Building a cyber resilience strategy for a geopolitically unstable world

As Russia's invasion of Ukraine becomes more entrenched, with important cyber and disinformation components, businesses and other organizations, such as NGOs and universities, must have four critical internal, overlapping cyber-systems in place to build a strong cyber resilience strategy. These relate to governance, culture, risk, and crisis management.

The figure below summarises the thesis of this piece, which is that businesses that have a systematic approach to cyber-risk governance, a culture of cyber-hygiene, cyber-risk management and cyber-crisis management strategies will be able to achieve systematic cyber preparedness and resilience. Vital to surviving and thriving in our tumultuous times.

It is no longer good enough to hope for the best or to ‘acquire' some technical solutions and think of cyber-security as a ‘once and done’ job or something that is optional or siloed. Cyber-security is a multi-system of continuous concern and it's now exacerbated by a global environment of continuous risk and crisis. We are under assault on numerous global fronts – climate, geopolitics, war, infectious disease, humanitarian crises and, yes, cyber and disinformation.

For situational awareness, it is key for businesses and organizations to understand the moment we are living in and the five megatrends that are affecting them in both predictable and unpredictable ways, opening them up to cyber exposure. These trends, more deeply explored in The ESGT Megatrends Manual 2022-2023, are:

1. Geopolitical tectonic shifts catalyzing

2. Climate and war propelling complex risk

3. Technological disruption becoming multidimensional

4. Stakeholder capitalism and ESG intertwining

5. Leadership and institutional trust recalibrating

As the impact of these megatrends squeezes all manner of entities – corporate, social and governmental – a much greater situational awareness that systematically includes a cyber resilience strategy must be the top priority for organizations. Let’s start with a review of where we are:

Since Putin’s invasion of Ukraine in February 2022, several major tectonic geopolitical changes have catalysed, not the least of which is how global democracies have upped their game on cybersecurity collaboration both inter-governmentally, as well as in private/public operational collaboration and in the overall sense of unity that NATO and the EU, for example, have experienced.

The fact that no major cyber-attack, along the lines of Not Petya or Colonial Pipeline, has transpired, however, has the danger of lulling business leaders into a sense of complacency that (a) war-related cyber-attacks will not happen because Western nations have it ‘under control’ or (b) the Russians are too distracted or unable to execute high-impact attacks.

Neither is true. Indeed, several cyber-attack trackers prove otherwise – as this one from The Council on Foreign Relations and this one from the Cyber Peace Institute show.

Moreover, several important developments have taken place that demonstrate that business needs to adopt several critical cyber-systems as part of a continuous strategy of cyber and organizational resilience. This means that:

In the face of this continuous risk and crisis environment, it is imperative that businesses build overall organizational resilience with the eight elements of the Virtuous Resilience Lifecycle Model shown in the figure below.

Building on our work on cyber-organizational resilience and that of the World Economic Forum, NACD and Internet Security Alliance, below is a depiction followed by a description of the four necessary cyber-systems needed to build overall organizational resilience. Companies that get it, get the best chance at organizational cyber-resilience and surviving and even thriving through the global storm.

Systematic cyber risk governance needs to be a core part of the board’s work. Keeping cyber-security on the agenda of the board and the c-suite with at least quarterly updates is a must in this environment. The figure below summarizes how the board must be the driver of cyber-risk governance, always coordinating with the c-suite for strategy and with frontline cyber-managers for implementation.

This is the second system-wide element that must be omnipresent in an organization beginning with a systematic and intelligent approach to personnel cyber-hygiene education. A critical part of this system-wide culture is to have a set of coordinated, deliberately constructed and synchronous IT systems designed for coordinated information security measures at every level - network and cloud – as well as for prevention, detection and auditing.

As many experts have pointed out, cyber risk is a business risk and must be part of an enterprise risk management (ERM) system. See the figure below. This is the only way to produce useful and consistent cyber metrics that are part of ERM and cyber-specific dashboards and reports that go to the c-suite and the board. Such metrics are increasingly required for outside stakeholders, such as regulators, too.

This means making sure that the nuances and bells and whistles of possible cyber exposure are considered in the creation, development, revision and implementation of organizational crisis management teams and plans, business continuity strategies and tactics and data protection and backup considerations. The figure below suggests that for cyber risks and crises (as for others of significant impact and import), cross-functional teams of internal and external experts need to work in close coordination before, during and after the crisis event.

Also read about the biggest risks facing the world from 2023's Global Risks Report.