Cyberspace is more complex and challenging than ever due to rapid technological advancements, growing cybercriminal sophistication and deeply interconnected supply chains. The World Economic Forum's new Global Cybersecurity Outlook aims to help us navigate these challenges and strengthen cyber resilience.
Akshay Joshi, head of the World Economic Forum's Centre for Cybersecurity talks us through some of the headlines in the Outlook, and two industry experts advise on how to prepare for cyber attacks and how to raise awareness of the risks.
Akshay Joshi, Head, Centre for Cybersecurity, World Economic Forum
Keri Pearlson, Executive Director, Cybersecurity, MIT Sloan School of Management
Confidence Staveley, Executive Director, Cybersafe Foundation
Global Cybersecurity Outlook: www.weforum.org/publications/global-cybersecurity-outlook-2025.
Centre for Cybersecurity: https://centres.weforum.org/centre-for-cybersecurity/
Strategic Cybersecurity Talent Framework: https://www.weforum.org/publications/strategic-cybersecurity-talent-framework/
Unpacking Cyber Resilience: https://www.weforum.org/publications/unpacking-cyber-resilience/
Cybersafe Foundation: https://cybersafefoundation.org/
Cybersecurity at MIT: https://mitcybersecurity.mit.edu/
Catch up on all the action from the Annual Meeting 2025 at wef.ch/wef25 and across social media using the hashtag #WEF25.
Tinder Swindler: how 'romance fraud' became a multi-billion dollar cybercrime: https://www.weforum.org/podcasts/radio-davos/episodes/tinder-swindler-romance-fraud-cybercrime/
Top 10 Emerging Technologies 2024: https://www.weforum.org/podcasts/radio-davos/episodes/top-10-emerging-technologies-2024/
Cyber has a skills gap. How approaches to tech, hiring – and retaining women - can help: https://www.weforum.org/podcasts/meet-the-leader/episodes/petra-jenner-splunk-cyber-skills-gap/
Check out all our podcasts on wef.ch/podcasts:
Podcast transcript
This transcript has been generated using speech recognition software and may contain errors. Please check its accuracy against the audio.
Keri Pearlson, Executive Director, Cybersecurity, MIT Sloan School of Management: It's highly likely that if your organisation hasn't experienced a cyber incident, it will at some point in the future, and you don't want to wait until that incident occurs to then put your cyber crisis communication plan in place.
Robin Pomeroy, host, Radio Davos: Welcome to Radio Davos, the podcast from the World Economic Forum that looks at the biggest challenges and how we might solve them. This week, as the Forum publishes its Global Cybersecurity Outlook 2025, we look at the risks, and what we all can do to fight back.
Akshay Joshi, Head, Centre for Cybersecurity, World Economic Forum: Technology is being deployed both by the good guys as well as the bad guys. A lot of criminal outfits as well are starting to harness AI technologies very effectively.
Robin Pomeroy: The rapid rise in artificial intelligence is just one of several crucial issues covered in the Cybersecurity Outlook.
Akshay Joshi: How do we harness these benefits in a way that does not introduce more risks into the enterprise?
Robin Pomeroy: The head of the Forum’s Centre for Cybersecurity walks us through some of the main findings in this major piece of research, and we hear from two experts working to improve individuals’ and organisations’ defences against potentially devastating cyber crime.
Confidence Staveley, Executive Director, Cybersafe Foundation: We are aiming to reach a million children across Africa to be able to deliver this cybersecurity education.
Keri Pearlson: The major issue for organisations is not how do we keep the bad guys out, but how do we build resilience so that if or perhaps when the bad guys get in, we have a plan in place for responding and recovering.
Robin Pomeroy: Follow Radio Davos wherever you get your podcasts.
I’m Robin Pomeroy at the World Economic Forum, and with this look at the global state of cybersecurity…
Akshay Joshi: Cyber resilience, it's no longer a nice to have.
Robin Pomeroy: This is Radio Davos
Robin Pomeroy: This week we're talking about cybersecurity. To do that, I'm joined by the head of the World Economic Forum's Centre for Cybersecurity, Akshay Joshi. Hi, Akshay. How are you?
Akshay Joshi: Hi, Robin. Nice to see you.
Robin Pomeroy: Nice to see you, too. For anyone who doesn't know what the Centre for Cybersecurity does, what does it do?
Akshay Joshi: The Centre for Cybersecurity was launched by the World Economic Forum in 2018 in response to the growing cyber threats. It's an independent and impartial platform benefiting from the platform provided by the World Economic Forum, and it seeks to bridge the gap between cyber leaders and business executives.
Cybersecurity in today's day and age can no longer be a technical problem. It needs to be dealt with as a strategic priority like any other within organisations. However, leadership has often trailed behind as it pertains to understanding cybersecurity issues. And the Forum has always been very good at attracting senior leadership from organisations and nations.
With the Centre for Cybersecurity we've managed to create a community that comprises the senior most cybersecurity leaders across the world and our efforts are constantly aimed towards bridging the gap that exists between these two sets of stakeholders so we can improve the state of cybersecurity globally.
Robin Pomeroy: And you've just published the latest edition of your annual Cybersecurity Outlook. What is the Cybersecurity Outlook? How do you put it together? What is it supposed to do?
Akshay Joshi: In 2022, for the first time, the Centre decided to launch the Global Cybersecurity Outlook. As I mentioned previously, it's really important for senior leadership to be equipped with the right knowledge so as to be able to make strategic decisions about cybersecurity risks facing their organisations.
The Cybersecurity Outlook, which comes out every year, in January, offers senior executives with insights on the most salient issues in cyberspace, and also points their attention towards what should be actions that they need to take to stay ahead of some of the risks that are fanning out in cyberspace.
Robin Pomeroy: So if I was an executive of a company, I could pick up this report and it would really give me an outlook of what's going on around the world, things that might be coming down the pipeline, cyber attacks. It also hints at how I should be preparing for those. Is that right?
Akshay Joshi: That's absolutely correct. That's the objective of the Cybersecurity Outlook. It's produced in a way that is really easy to understand for senior leaders. And it's not produced with a technical bent of mind. It's really looking at cybersecurity from a more business or overall security perspective and is really looking to arm senior leaders with the insights that they need to inform decision making on cybersecurity issues.
Robin Pomeroy: So could you give us a few headlines of the main findings that are in this report.
Akshay Joshi: So one of the biggest things that we've discovered in this version of the report is there is an increasing complexity in cyberspace.
This increasing complexity stems from a multitude of factors. First of all, there is prevailing geopolitical uncertainty. 60% of executives have in some way, shape or form changed their cybersecurity strategy, or it's impacted their cybersecurity strategy overall. So the uncertainty that we are seeing in different parts of the world is having an impact on the cyber realm.
Robin Pomeroy: Why is that? Can you explain or give us some kind of example of how that would be?
Akshay Joshi: So, for example, when you see wars today are not just about physical warfare, you also see the fallout in the cyber realm, right? So, for example, if you see increasing targeting of critical infrastructure or otherwise, it just impacts business decisions in terms of where they would like to operate or what are the vendors that they're working with.
For example, if they're working with a vendor that is based in a region that has an increased level of risk, it invariably impacts your overall risk profile as well.
So it's just to give you a sense that while we are not talking about absolute decisions, but when you look at the sum total of risks facing your organisation, the geopolitics and the impact it has, even on cyberspace, plays a key role in terms of how people make decisions as to how they remain cyber secure.
Robin Pomeroy: And you highlight sort of complexity that you're going to say there are other types of complexity or other things adding to this complex picture?
Akshay Joshi: Certainly, there are various elements.
So I spoke about geopolitical uncertainty. The second aspect is supply chains. Supply chains are becoming increasingly complex. As a matter of fact, you know, the impact on one particular player within the broader supply chain can have cascading effects across the entire supply chain.
In 2024, for example, we experienced one of the biggest IT outages, which was due to a faulty update to a particular software that had impacts across different sectors of the economy. So it just gives you a sense of how these risks are more and more pervasive.
As a matter of fact, 54% of large organisations believe that supply chain related risks posed the greatest impact to cyber resilience of their organisation.
Robin Pomeroy: So what's driving all this complexity? Is it that the world's getting a more complex place, or is it the cybersecurity itself, the technologies that are available? What are those big drivers that are changing this and making this ever more complex?
Akshay Joshi: You know, you raise a really good point. Cyberspace is essentially a reflection of how our society is evolving as well.
Now, if we look at emerging technologies, of course, over the past couple of years, we've seen tremendous advances in AI. So as we see advances in AI, of course organisations are rushing towards adopting these technologies within their environment. In our Global Cybersecurity Outlook report, for example, 66% of executives believe that AI technologies can have the most significant impact on cyber security. But at the same time, 37% of organisations lack adequate processes to safeguard against the risks from AI technologies being adopted.
Robin Pomeroy: So that they're confident or there's a lot of confidence that I can help them make themselves more cyber secure, but also a lot of them are not ready for the risks that are coming from AI.
Akshay Joshi: Absolutely. So I think it's a bit of a paradox if we think about it.
Now, if we look at the adversarial element of it, of course, organisations are rushing to bring in AI technologies, but equally we are starting to see that a lot of criminal outfits as well are starting to harness AI technologies very effectively.
As a matter of fact, 47% of organisations, of respondents, believe that adversarial advancements because of GenAI are a big concern.
So this just gives you a sense of, you know, I think the technology is being deployed both by the good guys as well as the bad guys. And we really need to make sure that we are adopting these technologies in a secure manner so as to provide better cybersecurity for our organisations and also other applications. AI obviously offers tremendous applications beyond cybersecurity as well. But at the same time, you know, how do we harness these benefits in a way that does not introduce more risks into the enterprise?
Robin Pomeroy: Well, Akshay, we're going to hear a couple of interviews in this episode with cybersecurity experts that we were able to speak to during a recent event that you organised here at the World Economic Forum in Geneva, the Cybersecurity Summit?
Akshay Joshi: Yes, exactly. It's the annual meeting on cybersecurity that we host every year here in Geneva that brings together roughly around 170 of the world's foremost cybersecurity leaders to explore ways to make cyberspace more resilient.
Robin Pomeroy: We did several really good interviews; we're going to hear just two on this episode. Hopefully there'll be more in episodes to come. These two interviews are both with people working to raise awareness of the problem and help companies and individuals find solutions. The first of these two interviews is Confidence Staveley, who's the CEO of Cybersafe. Tell me something about Confidence.
Akshay Joshi: So Confidence is doing some really, really great work in terms of the skills domain in general in Africa. And with us, you know, she's been an extremely engaged contributor to the Forum's work on the Strategic Cybersecurity Talent Framework. Now, cybersecurity skills is a huge problem across the board, but it's even more grave when you look at developing markets and Confidence's work is really incredible in that regard.
Robin Pomeroy: Let's hear Confidence Staveley. She was interviewed by my colleague Kateryna Gordiychuk.
Kateryna Gordiychuk, World Economic Forum: Why do you think it's not easy for a lot of people to understand cybersecurity best practices or just generally the trends that are happening today? And how in your work are you trying to change that?
Confidence Staveley: I think first and foremost, people don't necessarily see themselves as, you know, people that could be attacked by cyber criminals. And when I say people, I mean individuals or businesses of different sizes and in certain sectors, for example. So that detachment from what could be possible, and not being in the reality of them being moving attack surfaces, is also an issue that we see.
There's also the problem of being too complicated for the average person, both in the communication and the actions to be taken.
So I typically would want to simplify things, not just by dumbing them down, but also by applying them to the people I'm speaking to at the time. And I find that that changes how people receive the message. So a major challenge in cybersecurity is also communication and, aside from just making it relatable to the people that I'm speaking to, I've also contributed to changing it by mode of delivery.
So a lot of times we think that cybersecurity education must be done in very formal settings. You're sitting in a conference and learning about cybersecurity, or you're demanding that information by going for courses or something along those lines that you're consuming, maybe online. But I find that we need to, more importantly, mainstream cybersecurity awareness where people are getting entertainment, where people are spending hours scrolling through their phones and social media. Why aren't we making cybersecurity awareness something so enjoyable, and something in little bits that's actionable, that people can take a day to change and improve their security posture?
And for me, I'm just really dedicated to looking at how we can use instruments of entertainment, for example. Pop culture is one, you know, Afrobeats culture is one. If we can use these instruments of lifestyle that we currently even consume to then mainstream cybersecurity awareness and education, I think that would be very game changing. And that's what one of the key things I'm really passionate about.
Kateryna Gordiychuk: How do you sort of use this in some of your campaigns of looking at cybersecurity with entertainment, with an eye for learning something curious as opposed to just very serious fact that one must know?
Confidence Staveley: I think edutainment is one key thing we need to do more of, because sometimes it's necessary that education doesn't just become something you go to, it's something that comes to you. And so for us, it's just really leveraging that in our campaigns.
For example, we created Africa's first Afrobeats cybersecurity awareness song. And first and foremost, it sounds like you're dancing somewhere at a party, but then you're hearing about two-factor authentication, you're hearing about password length and safety.
We need to teach people cyber hygiene more often. And using edutainment is one of the key ways that we've seen leads to actionable things being passed on to people. We've been able to do this through the song.
I spoke about the local form of the campaign song in one of our campaigns that really reached 20 million people, and we saw how that really helped in terms of supporting people during and post Covid, when there was so much increase in cyber attacks on citizens.
And also we see how very entertaining short videos on social media, something called skits, can be used as well. We have our favourite entertainers that we consume a lot from, from the very stupid things you can think about to even very mindful, logical things that you want to consume. So why not use those comedians, for example? Why not use those actresses that people already love?
And so those are some of the key things we've been able to inject in our campaigns for children. You know, African children love folktales. It's the way we grew up. We have also been able to use those folktales and the story settings to then be able to share cybersecurity education with children. And we've had that in all of our campaigns across Cybersafe, because we believe that cybersecurity education shouldn't be something that we do outside of the psychology of human interaction, because those two key things need to meet.
Kateryna Gordiychuk: It's very clear that you're so passionate about cybersecurity. How did your journey start and why has it been such an important subject for you?
Confidence Staveley: My journey was a sheer string of happenstances. I stumbled into technology. I'd been set on being a medical doctor for so long that I thought that was going to be my path, bought in from my parents, until I took a gap year between finishing high school and going to college. And that was when I got exposed to computers for the first time and learned how to program.
I just knew this is where I had to be. So I sold it to my parents using cardboard papers as my means of doing a presentation, because at the time I couldn't afford a laptop. And I think this experience has also really shaped how I design programs. And then I got exposed to computers, loved it, sold to my parents that I wanted to do technology, went on to do an advanced diploma in software engineering, got a BSc in IT and Business Information Systems. And then it was doing my master's in IT management that I took a course in cryptography that led me down the rabbit hole of information security.
But then I clearly saw that since everything around us, civilisation, was wrapped around technology, I wanted to be one of those who protect it, because protecting the technology we are consuming is not a matter of just protecting that technology. It's now a matter of protecting our civilisation.
And I use this analogy quite a lot. Say you bought a nice car, for example, and you gave it to your child. Would you give it to your child without teaching your child how to drive? For example, knowing where the brakes are, knowing how to change the oil in the car, for example. Very basic things. But what we're doing is we have technology in our hands, innovation is growing at a very rapid pace, but we're not showing people and organisations where the brakes are and how to apply them for their safety.
So as much as we want to get the benefits of technology, we must also be very conscious of the risk, and in that way we'll be able to have the protective mindset and the tools to then protect ourselves. And that's why I'm really passionate about this field.
Kateryna Gordiychuk: I'd love to ask you a bit about your campaigns. There's so many, and they're all targeting different groups of people that have their unique vulnerabilities to cybercrime, for example. Tell me a bit about Shine Your Eye. How did it start and who is it aimed at?
Confidence Staveley: Shine Your Eye was really targeted at older citizens, and so for us, it was really ensuring that we're able to speak to them and speak in their language, and use tools that will be helpful to them, put them in gangs and simplify how they have to protect themselves. And so that's what the Shine Your Eye campaign was really about.
We got funding to then create the tools, create the campaign and then reach over 100,000 people that are senior citizens. And we've been able to reach them across eight African countries, people that really typically are in the crosshairs of cybercriminals and also have a lot of money in savings to lose.
I mean, just like my mother. My mother was a victim of cybercrime. She just took a phone call from someone pretending to be from her bank, and then that was it. And I saw second hand how very distressing that experience can be. And I want fewer and fewer older people to be victims of cybercrime. And that's why Shine Your Eye exists.
Kateryna Gordiychuk: That must have been so distressing for your family to experience. What was going through your mind? Did you have any mechanisms to protect yourself and your mom and your family?
Confidence Staveley: I felt in that moment that I had failed my mom a bit, and that's a thing. As a cybersecurity professional, you're thinking about cybersecurity from the lens of protecting enterprises, the enterprises you work for, right?
But cybersecurity is more than that, right? We need to not put people and users of technology on the back burner. We need to ensure that we're centring them in both preventive and responsive education.
There's not enough around what you should do if something bad happens. Enterprises are not putting enough focus on that for the use of the technology or the uses of the services that are delivering through technology.
And for me, that's exactly how I felt. I felt I had not given enough information to my mother, for example. I had not inoculated her mind enough. And that's what happens. We forget. Usually the people that hold this information for ourselves and for the enterprises we serve. And for me, it was that sort of moment where I felt like I had missed the mark.
Kateryna Gordiychuk: There are lots of different ways for cybercrime to exist, right? It's not just about you clicking on a link; it's more about playing with people's emotions, and that's when it becomes so personal. How can we protect people, young people but also older people, everyone, from that sort of risk?
Confidence Staveley: I think there are many ways to do it. First and foremost is to acknowledge that we are different, we have different influences, and just getting the information about how our personalities can then impact our responsiveness or our susceptibility to certain attack types and persuasion types, because we see that most of the attacks still today, the majority of them, start with social engineering, which is just deception in very simple terms.
So really just understanding how your personality, for example, drives that and then getting the knowledge to protect yourself. So that's something that, both as individuals and as corporate organisations, needs to be prioritised, and it's not something that needs to be done just one-off, you know. It needs to be reinforced, it needs to be reiterated, it needs to be refreshed. So when there are new, very widespread attack types or attack modes, that information needs to also be communicated as well, and people need to sift that information. I believe that these are some of the key ways that we can protect people and organisations.
Kateryna Gordiychuk: What about Cybersmart Child? That's another campaign that's targeting kind of the other end of the spectrum, very young kids. How is that campaign going and why is it important for you to focus on that population, too?
Confidence Staveley: I mean, we're putting devices in children's hands these days. Sometimes children less than ten years old, so they are able to do their homework and assignments.
And we find that cyber criminals are targeting them as well, for grooming, for sextortion and for all sorts of attacks. And these children typically believe what they see, acceptable or otherwise, and that who you're talking to may not be who you think it is. And so even when we think we don't have them on social media, for example, because they're not old enough, children are getting on social media actively, children are getting on dating sites, for example. Or clicking on popups, for example, that are common. Or computers with tools that are pirated, that we install on their laptops, for example, for them to do their homework or other learning activities on the smart devices.
Children are increasingly being abused. Children are increasingly being in harm's way. Children are taking their lives because of, you know, the sextortion I spoke to you about earlier. Sometimes the pictures that are released of children are not the actual pictures of these children, but, you know, superimposed on AI-generated images, for example. So all of those things, and even the changing dynamics of how AI is coming in to really help with these cybercrimes, have made it super important for us to really prioritise children's education as it has to do with cyber.
But more importantly, a key thing I want to communicate is that it's not flat education for children. The way you will talk to a six-year-old is different from the way you talk to a teenager, right? And there are many steps in between as well. So recognising that, recognising how to communicate those best practices and do it in a way that catches the attention of children, as fleeting as the attention span is, is very key in the way cyber education should be delivered. And we've been able to do that in a small way, because in doing that there are limitations as to how you can do cyber education, and the funding challenges as well around this. But we started off very strong.
We are aiming to reach a million children across Africa to be able to deliver this cybersecurity education.
Kateryna Gordiychuk: Are there any real life examples or stories that have stayed with you throughout the years of how people have been affected by this knowledge you've given them?
Confidence Staveley: Talking about stories, there are so many, too many to share. There's one that I absolutely love and that really just shows the power of giving young women opportunities.
There's a story of Fela Osideko in Nigeria who didn't have any form of digital education. She didn't know how to use computers, and she came through our doors and the Cybergirls program. And then we taught her how to use computers as she went on. And she made this promise to herself that she was going to be the best graduating fellow in our program. This young woman actually became the best graduating fellow because she put in so much work. So she went from not being able to use computers to being able to provide penetration testing services to companies.
And she was quickly hired immediately after the program, even though she didn't have a degree. This was a person who had to support her family by working a job that paid her about $10 per month. And then she took the skills we were able to give her, got into a job and then increased her earnings. She's now able to support her family and herself, and she is doing exactly what she loves to do. She is finding vulnerabilities, for example, that could cost companies hundreds of thousands of dollars per year in terms of losses.
She's also come back to mentor the program that she benefited from. So I see how that is a full circle moment. And it makes me so proud, because it also confirms that when women have access, which is the biggest barrier to them coming into cybersecurity, they will make the best out of it and they will come out shining. And it's just for us to put our money where our mouth is, in programs like the Cybergirls Fellowship.
Robin Pomeroy: Confidence Staveley, CEO of Cybersafe.
She had a lot of interesting things to say about the way cyber attacks can often depend on your personality. She's talking about individual, cyber attacks on individuals. Young people can be targeted in a certain way. Older people in a different way. And the work she's doing seems to have targeted advice and help for those people.
And that's a big deal, isn't it, how we're, all of us, potential victims of a cyber attack of some kind. And it can depend on who we are, what our personality is, what our job is, what applications we're using. It's very different from that for all of us, isn't it?
Akshay Joshi: It is very different. And as a matter of fact, you know, it's the vulnerable populations that I worry about the most.
Imagine if there is a pensioner who gets scammed into making investments using the proceeds from their pension in a scam. What happens? You know, I think the ripple effects are pretty significant. At one level, you experience a certain degree of shame. You don't want to talk about it because, you know, I think, how are you going to be perceived by different people? Which is why you often don't tend to report.
Once the cybercriminals understand that you are vulnerable, you often get follow-up requests: we can help you recover if you were to only do that. So it's not a one-time effort for the most part, whereby there can be a series of scams that follow as a consequence, and you just go with it in the hope that this is what will allow you to recover what you've lost.
So I really worry about the vulnerable populations, the elderly who are obviously increasingly digital, but at the same time, you know, may not have the same awareness as it pertains to what is good hygiene in cyberspace, but equally I am quite concerned about children as well who may not have the maturity in terms of how to interact with technologies.
So I think these are, it's a pretty broad gamut, but in general, I think these vulnerable populations can really have very, very significant impacts if basic cyber hygiene does not exist.
Robin Pomeroy: Confidence was talking about going to the places those people are and communicating with them in a language they understand, I thought was very interesting.
Now, she lives in Africa. And I think you mentioned just before we heard that clip about cyber inequity. And this was a big theme of last year's report, and that is that inequity, inequality between regions, between big and small companies. Can you just tell us something about cyber inequity and why that's an important thing to you?
Akshay Joshi: Absolutely. Cyber inequity, we tend to apply three lenses as we are looking towards cyber inequity.
The first one is the classic one, the big organisation versus the small organisation lens, right? And here if we are looking at small organisations, this year in the Global Cybersecurity Outlook, 35% of small organisations report as being not resilient. This is a 7X increase as compared to 2022, so it's gone up pretty significantly.
If we look at the large organisations, it's roughly halved, so most of them are investing a lot more effort into ensuring that they are more resilient and therefore, you know, the ones reporting that they are not cyber resilient has gone down significantly. So that's the big versus the small.
The second lens is really the mature markets versus, you know, the developing markets per se. And here, if we look at it, research reveals that in Europe and North America, for example, it's a mere 15% of the respondents who lack confidence in their nation's ability to respond to cyber threats. These numbers are significantly larger as you look towards Latin America or Africa, for example. So this is the second lens to cyber inequity.
The last is the sectoral inequities. So we all know that financial services tends to be really, really mature as it pertains to cybersecurity, for good reason. They're managing all of the finances, so they have to be really, really top notch over there. But then you have a lot of other sectors that are arguably very, very important, but at the same time, you know, not as cyber resilient.
The public sector, for example, 87% of respondents from public sector organisations report having moderate to critical skills gaps, you know, to defend against the increasing cyber risks.
So these are three lenses that we tend to take towards understanding cyber inequity. And I spoke a bit about, you know, the prevailing cyber complexity. Now inequity in itself, viewed under these three lenses is pretty significant. If you superimpose prevailing complexity, it's a different ballgame altogether. So we believe that prevailing complexity exacerbates cyber inequity.
Robin Pomeroy: I love the fact that that you're pulling these figures out of your brain.
Akshay Joshi: I hope I'm quoting the right ones, to be honest.
Robin Pomeroy: People can check. They can mark your work against the report, which is available online. Very impressed by that.
Another thing in this year's report is about skills, and this is something we talk a lot about on Radio Davos, at the World Economic Forum in general, the future of jobs, the future of skills. And there's a talent shortage in this area. Tell us something about that and what the report reveals.
Akshay Joshi: So the cyber talent gap is one of the most significant impediments towards achieving cyber resilience, as reported by a number of organisations globally.
Our research reveals that this gap has grown by 8% as compared to last year, with 2 in 3 organisations reporting a moderate to critical gap in terms of essential cyber skills.
Now this is pretty significant because the risks are ever increasing. We spoke previously about how new technologies are being harnessed by cyber criminals, resulting in more targeted attacks, you know, more sophisticated techniques. And at the same time, there is a growing deficit in terms of cyber capabilities that are available to the organisation. So all in all, it has pretty significant impacts on cyber resilience of the organisation as a whole.
The World Economic Forum Centre for Cybersecurity has been actively addressing this issue over the past year. In fact, following recommendations from senior leaders, we put out the first-ever Strategic Cybersecurity Talent Framework that provides steps, a pretty robust approach towards bridging the cyber skills gap, and provides really good recommendations in terms of how individuals can enter and thrive in the cybersecurity workforce.
Robin Pomeroy: I mean, whose responsibility is that? Is that companies, schools, universities, governments, and who has to make changes there so that there are all the people available to do these important jobs?
Akshay Joshi: You know, I would say that it's all of the entities you mentioned. I think there are concrete actions that each and every stakeholder needs to take.
Now, let's take the example of curriculum. You know, a lot of the regular programs don't necessarily have a cybersecurity component to that. So you can think about cybersecurity in two layers. One is cybersecurity education and awareness for the wider population. The second is targeted curriculum to train the next generation of cybersecurity professionals. Right. So I think efforts need to be invested in both of these domains.
Another key element is the industry as a whole. So, is there a positive narrative associated with a career in cybersecurity? Has the industry done enough to make cybersecurity a really aspirational career option? As far as I'm concerned, I think the mission that a cybersecurity professional serves is pretty profound. You're helping safeguard the benefits of digitalisation for all, which is an extremely tall order.
But at the same time, I don't believe, as of today, this mission is as apparent to an aspirant in the job market.
So there's a lot that needs to be done to build this narrative. There needs to be an abundance of curriculum and pathways.
Once we have people who join the cybersecurity workforce, we need to build dedicated career trajectories for them so that they can go on to take more specialised domains.
And while we do all of this, we need to bear in mind that cybersecurity is an extremely stressful occupation. For example, when most of us tend to take a little bit of downtime around the end-of-year period is when scamsters tend to be most active, which means that the threat profile of an organisation is significantly high, which in turn further means that the cybersecurity professionals don't really get a chance to unwind, as most of us do. And therefore, you know, I think the wellbeing aspects of cybersecurity professionals also need to be given due consideration.
Robin Pomeroy: Confidence, in the first interview we heard, she really gave the idea of this is a mission. This isn't just about ticking boxes. This is about protecting even the mother she talked about. You know, it's a real mission for her. And I think that is a very attractive thing. We all like to hope our jobs make some kind of difference and you're saying this industry does.
But let's say for the second of our two interviews that from the recent cybersecurity meeting you held here. This is someone who's got practical tips for companies on how to improve their cybersecurity, but also their cyber resilience and what to do in the event of a cyber attack. Tell us about Keri Pearlson.
Akshay Joshi: Keri Pearlson is the executive director of cybersecurity at MIT Sloan. She's been an extremely engaged contributor in our work and has worked very actively towards the work that we do on cyber resilience. Recently, we launched a paper on unpacking cyber resilience, where we are trying to help leaders understand cyber resilience in business terms, as opposed to a lot of the technical definitions that are out there. We're trying to position it as the ability of an organisation to minimise the impact of cyber incidents on its goals and objectives. And that's extremely straightforward, right?
So Keri has been very active in terms of working with boards, really putting forward incredibly powerful pieces in terms of how boards should be exercising their responsibilities, etc. So really glad that we have her perspectives here.
Robin Pomeroy: So let's hear from Keri Pearlson.
Keri Pearlson: A cyber crisis communication plan is a bit different than just a general crisis communication plan.
Many organisations have a business continuity plan or some sort of crisis plan of what they're going to do in the event of a disruption to their business. And there are all sorts of disruptions besides cyber disruptions.
But it turns out that there are some unique factors to a cybersecurity incident.
In our research we uncovered some specific things that managers can do to really be ready in the event of a cyber crisis.
For example, in a cyber crisis, the event usually unfolds. You don't know everything that's going on right at the beginning of the crisis, unlike, say, a hurricane or a tornado or an earthquake where the damage is done. And now you have to recover from that kind of damage.
In a cyber incident, you may not know everything for days, weeks, months, maybe even longer. Sometimes the bad guys have been in your system for a long time and they're just deploying whatever the malware is, creating some sort of cyber incident. So you have to communicate with your stakeholders with incomplete information.
Number two, often our first reaction, our first thoughts about what we want to say are wrong. In fact, in one example, a company called the situation a cyber incident. Turns out it wasn't a cyber incident and there were consequences to the word incident. There were legal ramifications. There were responses from these other stakeholders to a cyber incident that would have been irrelevant if they hadn't called it a cyber incident at the beginning.
There's a tendency to want to share a lot of information, even if you don't know that information. You want to assure your stakeholders that everything is perfect and fine and that they're going to be fine. But you don't really know that yet, so you need to be careful what you say.
So in the moment, there's a lot of stress, there's a lot of tension, there's a lot of urgency. It's really important to have thought through ahead of time what are you going to say in a cyber crisis that will help you when or if the situation actually arises?
Kateryna Gordiychuk: Why is it important to tailor responses based on a stakeholder that an organisation wants to be in touch with?
Keri Pearlson: So there are different reasons why you might want to handle different stakeholders differently in a cyber crisis.
Let's just be very specific about customers. For example, you may have some customers that are very large. They may be a significant portion of your business and you want to handle them more carefully with maybe a C-level executive reaching out to them, you may want to connect with them C-level to C-level versus lower level to lower level.
You may want to assure them that their business impact for them is different than they may be thinking it is upfront, and that can only happen with a one on one conversation. It's about keeping the trust going that you have with your customers.
There may be other segments of your customers where you're not as significant in their operations and a social media post or a letter, an email or some other kind of communication might be sufficient to let them know what's going on.
So you want to have thought through that before the crisis occurs. You don't want to wait till there's a cyber crisis to then decide who are you going to contact, what resource do you need to contact them, how are you going to contact them.
Number two, when there's a cyber crisis, first of all, normal modes of communication might not be working. If your email is corrupted or you can't send emails, and that's your plan, then you're in trouble. So you need to have plan B and plan C in mind also just in case.
But there are also opportunities to use creative ideas in reaching out to your stakeholders.
In one example, we had a hospital that was impacted by a cyber incident, was unable to make appointments and was unable to call people because their phone list was locked up. They couldn't even call their potential patients or their current patients to tell them what was going on. They couldn't reach out to them under normal channels, so they took out an ad to let patients know that the traditional mechanisms weren't working and that their systems were down. And not to worry, if you couldn't make an appointment right now, they would be back. But it wasn't that they didn't want your business or they didn't want you to be able to reach your medical provider, but they just had to find a different creative way to reach their constituency.
Kateryna Gordiychuk: So what I'm hearing is really preparation is such an important piece to this, doing practice rounds, doing tests. How should companies and organisations approach this?
Keri Pearlson: Yes, I think that's a really good point. So it's really important for organisations to have prepared for a cyber crisis communication. Another opportunity is to actually practice what you might be doing in a cyber crisis for communications.
So one of the tools we advocate in our findings from our research is really to do tabletop exercises or other kinds of fire drills where you think about: we're in the middle of a cyber crisis, how are we going to communicate with, pick your constituency, your customers, your suppliers, and then you do the what if? Well, what if that mode of communication is down? How are we going to communicate with them? And using that opportunity to practice as a way to think through the different alternatives you might have if there was a cyber crisis.
Kateryna Gordiychuk: When there is a crisis, there's of course a lot of shifting of resources as well as human resources. What impact does this have or might this have on this communication strategy? How can a company make sure that they actually have people doing this job instead of, well, doing the fixing or doing the non-communication bit of the crisis?
Keri Pearlson: Well, balancing resources in a crisis is a big issue. And so I think cyber crisis planning is very important.
And we often talk about tabletop exercises and fire drills as a way to do your planning. You put your business continuity plan in place, you stress test it for other kinds of crises, and then you stress test it also for cyber crisis.
And one organisation we looked at, they had a crisis plan, not just a communication plan, and they had it on their computers and their computer experienced malware which put ransomware on their system and locked everything up and encrypted all their files. And where do you think the plan was? Well, it was encrypted with everything else in their system. So if they had done a tabletop exercise or they prepared ahead of time, they might have noticed. Hopefully they would have noticed that one non-digital copy could have been the saviour for their crisis communications.
Turns out in the case I just described, the point person was an administrative assistant who happened to have printed out the cyber crisis plan and so she had a copy of it on paper. Everybody had laughed at her because she printed everything out on paper. But when the crisis occurred, she was ground zero, not the person you would have expected to be in the role of the owner, if you will, of the crisis plan.
So, yes, resources shift in a crisis, particularly a cyber crisis. And if you can plan ahead and think through how are these resources going to shift, you can identify the gaps in your staffing plans and maybe have other staff on board.
I should also say that depending on the kind of cyber crisis that you experience, the people you rely on, the external companies you rely on may or may not be available. If it's a cyber crisis, for example, that hits your whole industry and you're not the biggest player in the industry, or you haven't put relationships in place with some vendors who might help you recover, they may not be available at the last minute. They may be helping other people that are also experiencing a similar crisis.
That would be something you could identify if you had done a tabletop exercise or some sort of planning exercise.
Kateryna Gordiychuk: As you were giving this example, I was also thinking that very often in big organisations we put so much trust in this one specific way of doing things, usually digitally. And what if that specific method is completely blocked and then maybe there isn't a trusted way for us to reach even our colleagues or stakeholders. So it begs the question, well, maybe we should diversify ways in which we're working so that when we are at risk, we don't have to rely on this one specific way of dealing with crisis.
Keri Pearlson: I think it's really important to have multiple ways of working and multiple ways of communicating with all of your stakeholders, but particularly with your employees. Because if there's a cyber crisis and this isn't all that much different than a physical crisis or other kind of crisis, but if there's something that brings down your normal modes of working, you want to have alternative modes so that the business doesn't stop just because the crisis is unfolding.
Again, I think preparation is the key here. So if you aren't actually able to use the normal modes of working, everybody comes in the office, the office is closed, computers are down, the network is down. You don't have your normal ways of communicating. Then you want a culture where people know what it is they're supposed to do and how they're supposed to continue on.
And often we don't even think about that. We figure that if there's a cyber crisis, the cyber team will take care of it. Maybe some external vendors will come in and help us. Maybe the government will come in and help us. We don't actually think through the whole organisation and what might be down and what they should or shouldn't do in the event of a cyber crisis.
Kateryna Gordiychuk: What are some of the things that people don't know about cyber threats and cybersecurity?
Keri Pearlson: So there are all types of cyber incidents that could occur from many different sources. Not every cyber incident occurs because a bad guy decided to attack your company today, put a ransomware software into your system and all your systems are locked up.
Oftentimes malware is somehow inserted into a system. It could be because a supplier unwittingly logged into your systems and they had some sort of malware on their system that was transitioned over to your system. It might be because some employee clicked on a link or a phishing email that they shouldn't have clicked on and that introduced malware into the system. So malware can get into the systems in a number of different ways. And sometimes it can be in your system a long time before you even know it's there.
So thinking through the different ways that cyber vulnerabilities present themselves in your business and thinking about ways that you might notice them and building multiple layers of defence so that you have different ways to recognise if something's in your system, different policies in place, different procedures.
And one of the tools that I think is most useful for organisations is building a culture of cybersecurity. Many organisations, people think that cybersecurity incidents are handled by the cyber department. Maybe even your IT leaders. But it turns out that every single person in an organisation can play a role in helping keep the company more resilient, more secure. For example, if you see something, say something. If you see a phishing email come across your desk, report it. Don't just not click on it. Report it to your cyber people or to whoever the designated person is. If you notice that one of your colleagues is leaving files open that somebody might inadvertently see that they shouldn't, say something to them, say it nicely, but say something to them. It's not inappropriate to help everybody around you be as secure as you are.
And that starts to talk about the values, attitudes and beliefs that organisations put in place to raise the awareness and change the behaviours that people in the organisation do that help keep them secure.
So I personally believe that everybody in the organisation can play an important role in keeping the company resilient, cyber resilient and cyber secure. And that's another tool that many organisations are starting to put in place as ways to combat the way that malware might propagate in their organisation.
Keri Pearlson: Let me talk just a minute about resilience. So I think today the major issue for organisations is not how do we keep the bad guys out, but how do we build resilience so that if or perhaps when the bad guys get in, we have a plan in place for responding and recovering.
You could put forth a vision of wouldn't it be amazing if we had a cyber incident and nothing bad happened? We didn't lose money, we didn't lose our operations. We didn't have to shut down. Our reputation was intact. It'd be awesome if that happened. Well, that's not reality today. Reality today is if you have a cyber incident, there's probably going to be damage. But a resilient company would have put in many mechanisms in place so that they could respond more quickly. It doesn't mean they're not protected. It means that they've thought through the response and recovery piece of a cyber incident just as much as they thought through the protection and detection piece of a cyber incident.
So it might mean things like putting exercises in place so they plan. It's sort of like going to the gym. You go to the gym to build muscles. Well, if you never go to the gym and build muscles, when the time comes for you to have those muscles, you may have a problem. If you think you're going to be cyber secure, but you never put in place the plans or the activities or the exercises to build those response and recovery muscles, then you're not going to be very resilient when the time comes if you have a cyber incident.
So I think we need a mind switch. We need a mind change, a mindset. Instead of focusing most of our resources on being protected. We need to think about building protections, but also devoting a significant amount of resource to the response and recovery.
Because I think it's highly likely that if your organisation hasn't experienced a cyber incident, it will at some point in the future and you don't want to wait until that incident occurs to then put your cyber crisis communication plan in place or your tabletop exercises in place or your phone list of who's going to call whom. Or switching your resources around so that people know what their role is.
I think we make our best decisions when we're not under stress. If you've put in place the steps and the thoughts of what it would be to respond to a cyber crisis, then you have a much better chance of responding quickly and maybe even responding in a way that brings you to a higher level of operation than you were at before, because you've practised this. And you know what you need to do and what's in place to get you back to at least operations, if not even better.
Robin Pomeroy: That was Keri Pearlson of MIT, the Massachusetts Institute of Technology.
Regulations. This is something you bring up in your report, The Cybersecurity Outlook. And the fragmented nature. Companies, particularly big multinational companies, have a lot of jurisdictions and regulations to deal with. Why is fragmentation of regulation such a problem and what might be done to improve things?
Akshay Joshi: Regulations. You know, I think it's on the one hand, most people across the board believe that regulations play a pretty significant role in terms of embedding baseline cyber resilience. In the absence of regulations, the incentives are not quite aligned towards investing in cyber resilience, right? So they play a very, very important role.
But when you are thinking about fragmentation as a whole, it has significant costs for organisations who say that it can cause really, really big challenges as it pertains to maintaining compliance. 76% of CISOs who we polled at the annual meeting on cybersecurity actually believe that the fragmentation of regulations across different geographies has significant implications to compliance.
Robin Pomeroy: Remind us what a CISO is.
Akshay Joshi: A chief information security officer.
Robin Pomeroy: There's kind of good news and bad news in the report. One thing that is possibly good news is that cyber resilience is becoming the competitive advantage. So I think what that means is if a company gets this right, it's a more valuable proposition to its customers. Tell us something about that.
Akshay Joshi: So absolutely. You know, as we were talking about cyber resilience, it's no longer a nice to have. I think organisations across the board need to invest in it.
If we're looking at supply chains that are increasingly more interconnected, you're only as strong as the weakest link in the chain. I know this is a cliched phrase, but it is really, really true because of the impacts we see across the entire chain when one of the players is targeted, right? So you need to ensure that you're looking at not just your own preparedness, you need to look at the preparedness of the ecosystem as a whole.
And this entails several measures. For example, you need to be looking at vetting processes for all the players that you choose to do business with, right? So there are very stringent vetting processes that a lot of organisations undertake when they decide to do business.
For example, Salesforce a couple of years ago actually said that they will not work with any organisation that does not have multifactor authentication. Simple step, but at the same time can be a significant boost for cyber resilience overall.
So I think it's really, really important for organisations to think about how they're making the requisite investments, because even though organisations don't necessarily compete on cyber security, like you rightly said, if cyber security is done right, it has the ability to be a competitive differentiator.
Robin Pomeroy: And it's so interesting what Keri Pearlson was saying about kind of stress testing the resilience of a company to cyber attacks. What would you do? Even to the point, as she mentioned, of did you print out your plan? Because if someone's locked up your computers, you won't be able to see your plan if that's where it is. Do you think companies are doing these stress tests, in the same way that we should all be doing fire drills and making sure the fire alarms work? Do you think that's happening? Is it happening enough? And is that part of what you're doing here, to try and get companies to do that kind of thing?
Akshay Joshi: Look, we touched upon the element of inequity, right. So inequity also pans out in terms of the measures that organisations take towards preparing for when a crisis hits.
So the large organisations that choose to believe that the vast majority of them are understanding the gravity of cyber risks, are doing drills from time to time, tabletop exercises, etc. in terms of how do you do things.
Let's take a simple example, right? You started talking about the computers getting locked out. In certain live instances, when I spoke with the executives who had been impacted, they said that one of the basic things was that because we have all our phone numbers linked to the organisation's directory, the moment the infrastructure shuts down, you no longer have access to the phone numbers as well, or you don't know the phone numbers of different people that you need to reach out to. So this goes towards telling you how much of preparedness needs to happen, how we need to have these fallback measures, etc., and invest in crisis and crisis training as a whole.
But if you're thinking about some of the smaller organisations, I would argue again, going back to the inequity dimension, maybe not a lot of consideration is being given to preparing for when these risks go live, right? So I think there's a lot that needs to be done.
Robin Pomeroy: Akshay Joshi, head of the Centre for Cybersecurity at the World Economic Forum. Thanks for joining us on Radio Davos.
Akshay Joshi: Thank you very much.
Robin Pomeroy: The Global Cybersecurity Outlook 2025 is available now to download - link in the shownotes.
Please follow Radio Davos on your podcast app of choice, especially if you want to stay in touch with what’s happening this year at the Annual Meeting 2025 in Davos - you can get loads more on that at wef.ch/wef25 and across social media using the hashtag #WEF25.
This episode of Radio Davos was written and presented by me, Robin Pomeroy with reporting by Kateryna Gordiychuk. Editing was by Jere Johansson. Studio production by Taz Kelleher.
We will be back next week, but for now thanks to you for listening and goodbye.
Lukas Bester and Robin Pomeroy
January 13, 2025