Kilian Berz is a senior partner and managing director with the Boston Consulting Group and leads the financial institutions practice globally. He is also the chairman of the Centre for Canada's Future. Walter Bohmayr is a senior partner and managing director and global leader of cybersecurity with the Boston Consulting Group.
Cyberattacks, cyberbreaches, cybercrime. The cyberthreat is growing globally as new and old technologies are increasingly exploited by criminals, terrorists and nation-states. Recent hacks here in Canada remind us that we are not immune to these costly, pervasive and increasingly sophisticated challenges.
Seemingly every week, new breaches become public. Most recently, Metrolinx, a major provincially owned transit agency, found itself a target when foreign hackers breached its firewall. Fortunately, no employee or customer data was accessed, but many other organizations have not been as lucky. The best defence for private- and public-sector organizations against such intrusions is cyberresilience – the capability to protect your business and constituents from cyberthreats and productively function through an attack when it happens.
The need for private- and public-sector leaders to give greater attention to cyberresilience cannot be overstated – particularly as technology is now so central to our organizations. In business, cyberresilience is important to earn the customer trust necessary to provide increasingly personalized products and services as well as flexible, interconnected supply chains. For the public sector, cyberresilience is necessary to increasingly digitize core government services such as tax collection and health care.
For the past two years, the Boston Consulting Group has had the privilege of collaborating with the World Economic Forum to promote cyberresilience. Discussions with senior leaders at this year's Forum in Davos identified three priorities for building cyberresilience:
1. Anchor cyberresponsibility across senior enterprise leadership team
Cyberresilience is not a static "end-state" that can be achieved by purchasing or adopting a set of security controls. Instead, it requires senior leadership to actively anticipate, mitigate and manage dynamic risks to the organization. Cyberresilience is also not purely a "technical problem" to be left exclusively to the IT department. Many breaches today exploit non-technical vulnerabilities – for example, by tricking users into disclosing their legitimate credentials, a technique called "social engineering." As a result, successfully promoting cyberresilience within an organization requires support and active participation from the full leadership team.
2. Drive cyberresilience culture through whole organization
It is not enough to have a leadership team that is actively engaged on cyberresilience. Everyone in the enterprise, from front-line teams to the back office to the C-suite, is a potential target, and therefore the whole enterprise must engage and build cyberresilience capabilities. Whether it is the use of approved information technology services or education on so-called "spearphishing," an entire organization needs to appreciate the importance of cybersecurity. To achieve this, Davos participants highlighted the importance of connecting cyberresilience to the core purpose of the organization – whether it be building products or managing retirement funds.
3. Actively collaborate on cyber throughout your business ecosystem
Cyberrisk is different because attacks can occur anywhere in an organization, at a business partner or along increasingly global and digitized supply chains. For example, a manufacturer whose systems are well defended against cyberthreats can still experience a costly halt in operations if a key supplier is crippled by a cyberattack. Consequently, leaders must ensure that their respective organizations collaborate across boundaries to develop collective immunity to digital threats.
Organizations in the public and private sectors are engaging in increasingly ambitious attempts to extend their security umbrellas. Whether it is participants in a platform business model or large companies with long supply chains, leaders are increasingly concerned about mitigating the security risk in their respective ecosystem. As one leader put it, "My risk is your risk. Your risk is my risk."
Although cyberresilience and the management of cyberrisk are still young disciplines in many organizations, they are gaining speed. Boards and the C-suite are in a unique position to support and accelerate their development – to derisk their organizations and work together to make the world a bit safer for business partners and consumers. Because Canada is a leading global economy, cyberrisks to Canadian organizations will likely only intensify going forward. This is why we, along with the Council of Canadian Innovators and the Centre for International Governance Innovation, with The Globe and Mail as media partner, are organizing the CyberCanada Senior Leadership Summit. By bringing together leaders from the private and public sectors, we hope to accelerate Canada's progress toward cyberresilience, which is critical to both protecting our nation's digital assets and capturing the opportunities the digital world offers Canadians.
The CyberCanada Senior Leadership Summit will take place on Feb. 28 and March 1 at the Globe and Mail Centre in Toronto, engaging Canadian corporate board members, C-suite executives and government policy makers on cyberresilience. It aims to provide enterprise leaders with tools and approaches to manage risk and protect assets. The summit is a partnership of the Council of Canadian Innovators, the Centre for International Governance Innovation, Boston Consulting Group's Centre for Canada's Future, and The Globe and Mail.