23 July 2022

Building a cyber resilience strategy for a geopolitically unstable world

Tomer Saban

As Russia's invasion of Ukraine becomes more entrenched, with important cyber and disinformation components, businesses and other organizations, such as NGOs and universities, must have four critical internal, overlapping cyber-systems in place to build a strong cyber resilience strategy. These relate to governance, culture, risk, and crisis management.

The figure below summarises the thesis of this piece: businesses that have a systematic approach to cyber-risk governance, a culture of cyber-hygiene, and cyber-risk management and cyber-crisis management strategies will be able to achieve systematic cyber preparedness and resilience, which is vital to surviving and thriving in our tumultuous times.

The four tick boxes for systematic cyber resilience Image: Ⓒ A Bonime-Blanc, GEC Risk Advisory 2022

It is no longer good enough to hope for the best or to ‘acquire’ some technical solutions and think of cyber-security as a ‘once and done’ job or something that is optional or siloed. Cyber-security is a multi-system of continuous concern, and it is now exacerbated by a global environment of continuous risk and crisis. We are under assault on numerous global fronts – climate, geopolitics, war, infectious disease, humanitarian crises and, yes, cyber and disinformation.

For situational awareness, it is key for businesses and organizations to understand the moment we are living in and the five megatrends that are affecting them in both predictable and unpredictable ways, opening them up to cyber exposure. These trends, more deeply explored in The ESGT Megatrends Manual 2022-2023, are:

1. Geopolitical tectonic shifts catalyzing

2. Climate and war propelling complex risk

3. Technological disruption becoming multidimensional

4. Stakeholder capitalism and ESG intertwining

5. Leadership and institutional trust recalibrating

As the impact of these megatrends squeezes all manner of entities – corporate, social and governmental – a much greater situational awareness that systematically includes a cyber resilience strategy must be the top priority for organizations. Let’s start with a review of where we are:

The cyber geopolitical context

Since Putin’s invasion of Ukraine in February 2022, several major tectonic geopolitical changes have catalysed, not the least of which is how global democracies have upped their game on cybersecurity collaboration both inter-governmentally, as well as in private/public operational collaboration and in the overall sense of unity that NATO and the EU, for example, have experienced.

The fact that no major cyber-attack along the lines of NotPetya or Colonial Pipeline has transpired, however, risks lulling business leaders into a sense of complacency that (a) war-related cyber-attacks will not happen because Western nations have it ‘under control’ or (b) the Russians are too distracted or unable to execute high-impact attacks.

Neither is true. Indeed, several cyber-attack trackers prove otherwise, as the ones maintained by the Council on Foreign Relations and the CyberPeace Institute show.

Moreover, several important developments have taken place that demonstrate that business needs to adopt several critical cyber-systems as part of a continuous strategy of cyber and organizational resilience. This means that:

Cyber warfare should be thought of more broadly as including information and disinformation warfare.

Businesses operating in or with Russia will remain prime targets for the rise in hacktivists and anonymous cyber actors taking the side of Ukraine against Russia.

Businesses should be wary of official and unofficial allies of Russia (China, North Korea, hacker groups, etc) who might take advantage to assist the Russian side of this equation against the loose coalition of democratic nations and multilateral alliances assisting Ukraine.

Businesses outside of Ukraine, Belarus and Russia may not have experienced major cyber disruptions relating to the Ukraine war yet, but businesses anywhere should brace themselves for disruptions to essential government and business services in the energy, transportation, and financial sectors.

The role of economic sanctions against Russia may play into the underlying cyber-warfare in ways that are predictable and unpredictable, making businesses on the front lines of implementing some of these sanctions particularly vulnerable.

Four business cyber-system imperatives

In the face of this continuous risk and crisis environment, it is imperative that businesses build overall organizational resilience with the eight elements of the Virtuous Resilience Lifecycle Model shown in the figure below.

The virtuous resilience lifecycle Image: Ⓒ A Bonime-Blanc, Gloom to Boom, Routledge 2020

Building on our work on cyber-organizational resilience and that of the World Economic Forum, NACD and Internet Security Alliance, below is a depiction, followed by a description, of the four cyber-systems needed to build overall organizational resilience. Companies that get this right have the best chance at organizational cyber-resilience and at surviving and even thriving through the global storm.

Where the four cyber systems fit within the virtuous resilience lifecycle Image: Ⓒ A Bonime-Blanc, Gloom to Boom, Routledge 2020

1. Systematic cyber risk governance

Systematic cyber risk governance needs to be a core part of the board’s work. Keeping cyber-security on the agenda of the board and the c-suite with at least quarterly updates is a must in this environment. The figure below summarizes how the board must be the driver of cyber-risk governance, always coordinating with the c-suite for strategy and with frontline cyber-managers for implementation.

The board must drive cyber risk governance Image: Ⓒ GEC Risk Advisory sourced from A Bonime-Blanc, Gloom to Boom, Routledge 2020

2. Systematic cyber hygiene culture

This is the second system-wide element that must be omnipresent in an organization, beginning with a systematic and intelligent approach to personnel cyber-hygiene education. A critical part of this system-wide culture is a set of coordinated, deliberately constructed and synchronized IT systems designed for coordinated information security measures at every level – network and cloud – as well as for prevention, detection and auditing.

3. Systematic cyber risk management

As many experts have pointed out, cyber risk is a business risk and must be part of an enterprise risk management (ERM) system (see the figure below). This is the only way to produce useful and consistent cyber metrics that feed ERM and cyber-specific dashboards and reports for the c-suite and the board. Such metrics are increasingly required by outside stakeholders, such as regulators, too.

A big picture visualisation of enterprise risk management Image: Ⓒ A Bonime-Blanc, Gloom to Boom, Routledge 2020

4. Systematic cyber crisis management

This means making sure that the nuances of possible cyber exposure are considered in the creation, development, revision and implementation of organizational crisis management teams and plans, business continuity strategies and tactics, and data protection and backup considerations. The figure below suggests that for cyber risks and crises (as for others of significant impact and import), cross-functional teams of internal and external experts need to work in close coordination before, during and after the crisis event.
