Georges De Moura is the Head of Industry Solutions at the World Economic Forum (WEF)’s Centre for Cybersecurity, based in Geneva. The Centre facilitates global collaboration to address a multitude of systemic cyber security challenges and improve digital trust to safeguard innovation, protecting institutions, businesses and individuals. Its online Platform for Shaping the Future of Cybersecurity & Digital Trust leads a growing effort to champion cyber security as a competitive advantage that creates value and opportunities for public and private organisations, and ultimately for all sectors of society.
The Platform operates through ongoing collaborative action and partnership in the WEF’s public-private network of leaders from business, government, civil society, academia and experts, and has a programme of best-practice white papers, thought leadership guides, as well as a variety of other initiatives.
CYBER SECURITY EUROPE: The WEF’s Cybersecurity Guide for Leaders in Today’s Digital World¹ is intended for senior executives responsible for setting and implementing the strategy and governance of cyber security and resilience in their organisations. As more executives acquire greater responsibility of cyber governance, what impact will it have on the cyber strategies in the 2020s?
GEORGES DE MOURA: The world as a whole has experienced an unprecedented crisis these last months that is causing chaos in the global economy, disrupting supply chains, and transforming our societies. This new reality is accelerating business model transformation at a faster pace than ever before. In October 2019, the World Economic Forum published the Cybersecurity Guide for Leaders in Today’s Digital World and more so recently, the ‘Cybersecurity leadership principles to prepare to the new normal’, to support business leaders with their efforts at integrating cyber resilience into their overall business strategy, and help them shape an appropriate course of action that balances cyber risks with business priorities.
It is imperative that the leaders manage all information risks strategically, working towards a company culture of shared cyber-risk ownership across organisations, and take a strategic approach to cyber resilience. Effective cyber resilience requires a combined and aligned multi-disciplinary effort to move beyond compliance to cohesive business and digital enablement. The WEF now works with several industry communities – such as the electricity, oil and gas, and aviation sectors – to amplify these best practices and also to accelerate their adoption within sectors.
CSE: The Guide for Leaders report notes an escalation in the volume of work involved in following up on security alerts and incidents that cannot be automated, continuing the reliance on humans to carry out security functions.
GDM: The Guide’s Tenet 2 ‘Foster internet and external partnerships’ does encourage the use of external services to provide support for the design, implementation, integration and operationalisation of a variety of cyber security services, for example monitoring, and cope with an increasing shortage of cyber security professionals in the market. Besides, in the current digital economy, businesses will have to allocate limited resources wisely and invest in technologies such as Artificial Intelligence, Machine Learning and Big Data, to automate mundane cyber security processes and minimise the risk of human error.
CSE: To ensure that business in general adheres to regulatory requirements, cyber security leadership teams need to include the legal and compliance executives as the stakeholders within the cyber governance processes. Do you expect to see an increase in appointment of cyber-specific chief officers with a specific responsibility for data protection and cyber risks management – who take the responsibility for workloads that have previously fallen onto the roles of CIOs and CISOs?
GDM:: The CISO – Chief Information Security Officer – role has [already] been elevated to the c-suite in more mature industries such as financial services and defence. As the board’s accountability for cyber security increases, they will appoint a ‘Corporate Officer’ to be accountable for reporting on the organisation’s capability to manage cyber resilience and ensure they have regular access to the board, sufficient autonomy and command.
CSE: Among the Guide’s ‘Tenet 3: Build and Practice Strong Cyber Hygiene’, it recommends that organisations ‘develop a detailed inventory and a configuration management system’ and ‘Secure the Active Directory’. It assumes that these IT security terms will be understood by non-technical executives. Is this the case?
GDM: This report is first and foremost targets any corporate officer accountable for cyber security within the organisation which is often the CISO, but could also be the CIO, CRO or any other relevant c-suite stakeholder. This Corporate Officer is expected to understand some of key technical concepts and help translate them in more business-friendly terms to the non-technical c-suite and other board members. He/She should also ensure that [they] disseminate the information that will help the c-suite and board members make better-informed decisions regarding cyber risks involved and prioritise their investments accordingly.
CSE: The World Economic Forum Centre for Cybersecurity is working with the investment community to develop a set of high-level principles and a standard due-diligence framework that will provide guidance on how investors can evaluate and benchmark their investment portfolio companies and their cyber security preparedness. Can you briefly explain how this initiative came into being and how it will work in practice?
GDM: In July 2019 the WEF published a report covering ‘Incentivising responsible and secure innovation: Principles and guidance for Investors’² , and then in June 2020, a ‘Framework for entrepreneurs and investors’³ , to put these principles in practice. These two reports were the result of a collaboration with a purpose-driven community led by investors and with the aim to amplify and help accelerate the adoption and implementation of the best practices in organisational and product security, particularly for the technology innovation companies.
CSE: A group of private-sector leaders from a number of cyber security vendors, service providers and global corporations, along with Interpol and Europol, agreed to work together with the WEF through 2020 to foster a global public-private alliance to fight against cyber crime. Can you outline the broad aims and objectives of this initiative?
GDM: Cyber crime cannot be systemically addressed without a combined approach that aims to reduce the financial gain and make the risk of prosecution real to offenders. To achieve this, and help benefit organisations across the world, we need to enable better convergence of transnational public-private efforts and resources, since cyber criminals have to date been quite apt to exploit the rather fragmented co-operation efforts between governments and private-sector actors. The WEF launched the Partnership against Cybercrime initiative to identify ways to enable stronger public-private collaboration, improve the effectiveness of cyber crime investigations, and enhance the potential of disruptive actions against cyber criminal infrastructures.
CSE: What is the core ambition here?
GDM: The ambition is to curate a dedicated alliance of cyber security companies, leading law enforcement agencies, IT providers, computer incidence response teams, international organisations, and global corporations that will together take action forward by creating and innovating mechanisms to address the global cyber enforcement gap, and at the same time promote the recommended policies to overcome existing barriers.
CSE: The recent World Economic Forum Cybersecurity Leadership Principles document ‘Lessons learnt during the COVID-19 pandemic’⁴ states that ‘The board must take responsibility of… implementing a comprehensive cyber resilience governance by appointing an accountable officer’. Do you see that responsibility falling to an incumbent CISO, or does this call for a new chief officer — a ‘Chief Cyber Resilience Officer’, as it were?
GDM: The issue is not so much about the corporate officer’s acronym, but more about its scope of responsibilities. The CISO would often be the accountable officer for cyber security across the enterprise and will be the de facto corporate officer accountable for cyber resilience. It is however essential that this stakeholder is empowered to lead this function effectively, has the appropriate resources, reports regularly to the board and is charged with the responsibility for governance of the cyber security strategy across the enterprise.
Interview by James Hayes.