Professional Documents
Culture Documents
Global Cybersecurity Outlook - 2023
Global Cybersecurity Outlook - 2023
with Accenture
Global Cybersecurity
Outlook 2023
INSIGHT REPORT
JANUARY 2023
Cover: Artwork created using artificial intelligence,
prompt, art direction and refining by Studio Miko
Images: Getty Images
Contents
Foreword 3
Executive summary 4
1.1 Geopolitics 8
3 A way ahead 25
Conclusion 32
Appendix: Methodology 33
Contributors 34
Endnotes 35
Disclaimer
This document is published by the
World Economic Forum as a contribution
to a project, insight area or interaction.
The findings, interpretations and
conclusions expressed herein are a result
of a collaborative process facilitated and
endorsed by the World Economic Forum
but whose results do not necessarily
represent the views of the World Economic
Forum, nor the entirety of its Members,
Partners or other stakeholders.
Foreword
Awareness and preparation will help
organizations balance the value of new
technology against the cyber risk that
comes with it.
Geopolitical instability, rapidly maturing and translate cyber-risk issues into communication that
emerging technologies, lack of available talent, and C-suites and boards of directors can use effectively.
increasing shareholder and regulatory expectations
represent some of the significant challenges that The outlook, however, need not seem bleak.
concern cyber and business leaders. If the findings There’s hope for better understanding – and more
of last year’s Global Cybersecurity Outlook reflected effective action – in the future. The best leaders
the lingering impact of the pandemic, and the avail themselves of wide-ranging information and
effects of rapid digitalization, this year’s Global listen to all of their stakeholders, understand their
Cybersecurity Outlook reveals concerns about an role and impact, and exercise good judgement to
increasingly fragmented and unpredictable world. achieve the optimum outcomes. These attributes
are no less necessary in cybersecurity than they
Building cyber resilience, globally, has been one of are in any other domain. In this edition of the
the key priorities of the World Economic Forum’s Global Cybersecurity Outlook, we are pleased to
Centre for Cybersecurity since its inception. see improvement in a crucial area – awareness
Inherent in that work is bridge-building – between of cyber-risk issues, at the executive level, has
the public and private sectors, and between cyber gone up. At the same time, this year’s Global
experts and business leaders. This year, when the Cybersecurity Outlook report represents a
Centre engaged its network of global cyber and challenge to leaders – to think more deeply about
business leaders to solicit their insights on emerging cybersecurity and listen more intently to cyber
cyberthreats, we could see both how far we have experts, and to each other, in order to ensure our
come, and how far we have yet to go in helping shared resilience.
93% 86%
believe global geopolitical
instability is moderately or very
likely to lead to a catastrophic
cyber event in the next two years.
Do organizations expect geopolitical risks Do small and large enterprises have different
to affect their cybersecurity strategy? expectations of geopolitical influence?
Number of
employees
6%
8%
<250 to
1,000
48%
21%
8%
1,001 to
10,000
58%
44%
4%
10,000 to
100,000+
35%
29%
50% 0%
What changes will leaders make in response to geopolitical risk? Cyber leaders Business leaders
% of respondents % of respondents
No changes planned 9% 2%
17% 29%
business leaders are substantially more
likely to strongly agree that more
sector-wide regulatory enforcement
would increase cyber resilience.
What will have the most positive Are cyber and privacy regulations effective
influence on an organization’s approach in reducing an organization’s cyber risks?
to cybersecurity in the next 12 months?
Business leaders 5%
Business leaders’ rank Cyber leaders’ rank
29% 44% 10% 12%
Increased use of
3 cloud-based services 1
We are missing critical We have the people and We have training and
people and skills skills we need today skills gaps in some areas
50%
46% 47%
43%
44%
46%
40%
33%
34%
30%
32%
20%
13%
10%
10%
10%
0%
0
2022 2023 2022 2023 2022 2023
News headlines have drawn leadership attention to In many organizations, questions about the
shifts in the cyber landscape. Most business leaders most recent cyber news continue to drown out
are now conscious that new technologies are evolving conversations on the most important initiatives and
quickly and that cyberattackers will exploit this. investments needed to meaningfully reduce cyber risk.
1.1 Geopolitics
This year’s Outlook report reveals that 93% of cyber strategy “moderately” or “substantially”.
cyber leaders and 86% of business leaders think Business continuity (67%) and reputational damage
it is “moderately likely” or “very likely” that global (65%) concern organization leaders more than any
geopolitical instability will lead to a far-reaching, other cyber risk. Leaders intend to respond to these
catastrophic cyber event in the next two years. concerns by strengthening controls for third parties
with access to their environments and/or data
Similarly, 74% of organization leaders say that (73% and 66% respectively) and re-evaluating the
global geopolitical instability has influenced their countries with which they do business (50%).
40%
30%
20%
14%
10% 7%
<250
Business leaders 53% 47%
251–1,000
Business leaders 50% 25% 25%
1,001–10,000
Business leaders 36% 55% 9%
10,001–100,000
Business leaders 38% 38% 25%
100,001+
Business leaders 67% 33%
Cyber leaders, business leaders and board Business leaders are often adept at adapting
members have a nearly equal understanding of their organizations to new political realities. This
cyber risks related to geopolitical instability, more makes geopolitical risk an entry point for the
so than with any other source of cyber risk. The wider conversation between security leaders and
tangible and immediate nature of the effects business leaders on how cyberthreats are changing
and pervasive news coverage make it easier for and how cyber risk can affect their organization’s
all three groups to fully appreciate these risks. business continuity planning.
Number of employees
75%
58%
52%
0%
Most respondents, across all sizes of organizations, Separate research undertaken for the World
stated that geopolitical instability had influenced their Economic Forum’s Earning Digital Trust initiative
cybersecurity strategy. Respondents who reported in 2022 suggests that building trustworthy
successful changes in their cybersecurity strategy technology – by focusing on the interplay between
also said they had organizational structures in place cybersecurity, privacy, ethics and transparency,
that supported interaction among cyber leaders, with the aim of protecting all stakeholders’ interests
business leaders across functions and boards of and upholding societal expectations – can aid in
directors. These structures encouraged collaboration this cross-organizational cooperation.3
on digital resilience across business activities.
No changes planned 9% 2%
Update terms and conditions for third parties 46% 13% 33%
2% 88%
Note: 1. AMR = Region of the Americas; 2. APAC = Asia-Pacific; 3. EMEA = Europe, the Middle East and Africa.
Business and cyber leaders are most closely aligned However, respondents did not rank other categories
in their perspectives on emerging technology. of emerging technology significantly lower than the
top three. This suggests that the implementation
Most organizational leaders appreciate that several of new technologies will be undertaken in
fields of emerging technology, such as the use of combination, significantly increasing the complexity
machine learning, are being implemented at speed, of an organization’s digital environment and
used across a widening range of processes and will highlighting the need to embed cyber-risk
affect their organization’s cyber-risk profile. management through all stages of a digital
transformation process.
Respondents said that artificial intelligence (AI) and
machine learning (20%), greater adoption of cloud Organizations must balance the value of new
technology (19%) and advances in user identity and technology and the potential cyber exposure that
access management (15%) will have the greatest comes with it to effectively manage their risk in the
influence on their cyber risk strategies over the coming years.
next two years.
Cyberattackers come in many forms and with since last year, and that the impacts are systemic
different motivations. In cybersecurity terminology, rather than isolated in one target or sector. The
these disparate groups are often bundled together findings for this report indicate that a series of
using the term “threat actors”. In 2022, malicious major global cyber incidents in 2021–2022,
threat actors adapted quickly to exploit changes in such as the exploitation of the widespread Log4j
the political, technological and regulatory landscapes. vulnerability5 forced many organizations to focus
on monitoring and assessing threat information.
In cybersecurity, attackers have a structural Threat data, when viewed from the perspective of
advantage: they need to find only one exploitable an individual organization, contains a lot of “noise”
weakness across an organization. This means and it can take a great deal of time to identify which
attackers have less ground to cover than a threats matter to an organization and what the
defender and the attacker can often adapt faster possible impact might be on operations. Further,
than organizations can defend or recover. several leaders indicated that their monitoring
and assessment cycles shortened drastically from
The threat landscape has become increasingly annually to quarterly, frequently diverting, and
volatile. Professionalized cybercriminal groups have heavily taxing, their cyber resources.
continued to grow and create a higher volume of
new attack types. Volatility is not only risky; the Interview and workshop findings indicate that
time it takes to develop a response creates an organizations which embed cyber-risk management
opportunity cost for an organization’s cybersecurity across multiple parts of their activities, such as risk
experts. Cybersecurity teams sometimes feel forced management, business continuity planning, finance,
to ignore strategically important activities to address product development etc., find it easier to create
immediate tactical issues. the space needed to develop strategic responses to
changes in the threat environment in order to better
In interviews, security leaders shared the belief that protect their assets and make their organization
the variety of attacks has increased significantly more resilient to cyberattacks when they occur.
The way we build regulations for cybersecurity is centralized. The regulations this
system creates are valuable, but the process takes time. It can take two years for
a regulation to be developed. Standardization can take 18 months. A cyberattack
takes seconds. The speed at which emerging technologies are implemented often
outpaces our ability to build security measures around them. We need to go beyond
simple compliance with regulations if organizations are to be cyber resilient.
Hoda Al Khzaimi, Director, Center for Cybersecurity, New York University (NYU),
Abu Dhabi; Founder and Director, (EMARATSEC) Center for Emerging Technology
and Advanced Research in Cyber Security, AI and Cryptology, NYU
The 2023 Outlook shows a significant shift in the are effective in reducing their organizations’ cyber
perception of how regulations affect cyber risk. In risks. This year’s outlook indicates that 73% of
the 2022 report, more than half of respondents respondents agree with the same statement.
did not agree that cyber and privacy regulations
30%
29%
25%
20%
17%
15%
10%
5%
0
0 2 3 4 5 6 7 8 9 10
Strongly disagree Strongly agree
Business leaders Cyber leaders
This is a notable shift in perception of the effectiveness makers and the private sector has elevated the
of cybersecurity and privacy regulations. Some perception of regulations as a critical influence on
elements of cybersecurity regulations, particularly organizations’ cyber resilience.
for organizations operating in more than one
country, remain duplicative and can move resources Business and cyber leaders also support effective
from core cybersecurity work towards activities that enforcement of regulatory requirements: 76% of
aim primarily to demonstrate compliance rather business leaders and 70% of cyber leaders agreed
than to keep an organization secure. that further enforcement would lead to an increase
in their organizations’ cyber resilience. This is not to
These compliance challenges remain; however, in suggest that organizations are actively requesting
the context of mitigating a large-scale cybersecurity more regulatory scrutiny of their own activities, but,
event, regulations are increasingly seen as an rather, that they believe properly enforced regulations
effective measure for moving private-sector resources will raise the quality of cybersecurity across their
towards cybersecurity and resilience activities. sector and their supply chains, which will in turn
make their business less prone to collateral damage
A large increase in cyber incidents, related fines, from attacks on other organizations.
investigations and engagements between policy-
Strongly disagree Disagree Neither agree nor disagree Agree Strongly agree
50%
44%
40% 37%
35%
29%
30%
19%
20%
10%
10%
5% 14%
3%
0
4%
2022 2023 2022 2023 2022 2023 2022 2023 2022 2023
Note: The graph covers responses from both business and cyber leaders.
One leader put it this way: “Public statements Boards’ and business leaders’ awareness of
by government as well as regulation help boards the demand for cyber resources within their
understand the need to assign resources.”6 organizations is increasing. With regards to
regulations, business leaders might fear hefty fines
All leaders still anticipate challenges with applying more than they value – and truly understand – the
a set of continuously expanding and changing contribution regulations make to collaborative cyber
regulations. As an interviewee said, “Regulation policies. Nonetheless, regulations are something to
incentivizes action on cybersecurity but doesn’t which boards actively respond and are a valuable
directly lead to resilience within an organization.”7 starting point for embedding cyber-resilience
techniques across an organization.
FIGURE 10 Cyber and privacy regulations are effective in reducing my organization’s cyber risk
50% Strongly disagree Disagree Neither agree nor disagree Agree Strongly agree
40%
30%
29%
24%
20%
10%
5%
3%
0
2%
Business leaders
10% 37% 51%
Cyber leaders
14% 39% 32% 14%
Note: The question asked “Which of the following describes your organization’s views of cybersecurity?”.
More and more corporate boards now have true cyber experts among their members.
It helps when people at board level are sufficiently cyber-literate to ask pertinent
questions of their security teams but also to bring cyber into strategic business
discussions. Boards also need to understand what a cyber event means for their
organization. Too many business leaders still underestimate the impact a cyberattack
can have on their operations, on their reputation and on their company as a whole.
Maya Bundt, Director, Bâloise Holding; Board member, Swiss Risk Association;
Member of the World Economic Forum’s Global Future Council on Cybersecurity
The 2022 Global Cybersecurity Outlook report edition) of cyber executives agreeing that cyber
highlighted a clear disparity in how business resilience is integrated into their organization’s
executives and cyber executives described the enterprise risk-management strategies.
integration of cyber resilience into enterprise risk-
management strategies. In addition, most business and cyber leaders
also agree that incorporating cyber-resilience
The 2023 survey findings illustrate a narrowing governance into their business strategy is one of
of that perception gap, with 95% of business the most impactful principles when it comes to
executives and 93% (up from 75% in the 2022 cyber resilience.
40%
32%
30%
24%
20% 21%
15%
10%
0
0 1 3 4 5 6 7 8 9 10
FIGURE 13 How do you feel about your organization’s ability to be cyber resilient?
Business leaders
2022
7% 4% 57% 32%
2023
20% 7% 46% 27%
Cyber leaders
2%
2022
14% 73% 12%
2023
13% 4% 54% 29%
I am concerned about my organization’s ability to be cyber resilient I feel we are not cyber resilient
We perform common cyber-resilience practices, but recognize the need for strong growth and improvement I feel confident we are cyber resilient
More frequent communication means more That noted, discussions with Forum partners at CIO
opportunities to align on cybersecurity priorities. level indicate that CIOs whose organizations have
Perhaps as a corollary, organizational leaders who meet suffered a severe or sophisticated cyberattack are
more often are more confident in their organization’s very likely to prioritize security after this experience.
cyber resilience than those who meet less frequently. This suggests that board culture and executives’
familiarity with cyber risk are also important.
Of respondents who meet at least monthly, 36%
are confident that their organization is cyber Overall, it is a case of creating the right incentives
resilient. Only 8% of those respondents report that regardless of the reporting line. Another interviewee
their organizations either are not cyber resilient or stated, “You have a business-unit executive who
that they are concerned about their organization’s has to trade-off functionality and security. They have
ability to be cyber resilient. limited budget and they get no credit for security.”
Meeting frequently is one of many ways to boost Dealing with these conflicts is fundamentally a task
the priority given to cyber risk in business decisions. for executive leadership, and a strategic question
36%
A common theme in workshops and interviews was for corporate boards of directors. Ultimately,
an increasing trend for chief information security cyber resilience will require the adoption of better
officers (CISOs) to report directly to the chief governance practices – including those developed
are confident that executive officer. by the World Economic Forum, the National
their organization Association of Corporate Directors (USA) and the
is cyber resilient. One interviewee noted, “I think business executives Internet Security Alliance in their 2021 Principles for
really need to think about organizational design. Board Governance of Cyber Risk.8
Supply-chain risk
In the 2022 edition of this report, 39% of countries and it is something that regularly affects
respondent organizations had been affected by a important everyday services.
third-party cyber incident. To put it another way,
they were “collateral damage” after their operations For example, in February 2022, a cyberattack on
were disrupted by cyberattacks on companies from commercial satellite services in Ukraine caused
whom they bought or to whom they sold services.9 electricity-generating wind farms to shut down across
central Europe.10 In July 2021, supermarkets in Sweden
Third-party organizations that have direct connections were forced to close their doors after a cyberattack on
with an organization or that process organizational data IT services provider Kaseya, based in Florida, USA.11
are a primary concern to all surveyed organizational
leaders. Some 90% of respondents are concerned In both cases, the rolling flow of disruption across
about the cyber resilience of such third parties. sectors was the result of a dependency on another
organization’s services and the outcome of a
Supply-chain risk is an indicator of the risk that service breakdown was unpredictable.
is shared across a particular sector, sectors or
Business leaders
5% 12% 29% 27% 27%
Cyber leaders
8% 28% 47% 14%
3%
Far more resilient Slightly more resilient Equally as resilient Slightly less resilient Far less resilient
At the World Economic Forum’s Annual Meeting are more likely to be economically paralysed by
on Cybersecurity in November 2022, the difference a major attack. This should make preparation for
between the capabilities of larger and smaller cyberattacks on suppliers a part of cyber-resilience
organizations was raised as a point of concern by measures and business continuity planning.
cybersecurity experts working across sectors and
regions. Smaller firms were more likely to suffer from Leaders from larger organizations, those with more
a lack of the trained cybersecurity experts needed to than 1,000 employees, were more likely to report
manage internal risk. Cross-sectoral resilience measures, incidents where they were negatively affected by
such as cyberthreat information sharing, were of less a cyber incident originating from their suppliers,
value due to the same cyber skills and capacity issues. service providers or business partners (39% of larger
organizations affected) than smaller organizations
Participants at the same meeting argued that it can with fewer than 1,000 employees (25%).
be more difficult to hold the attention of the boards
in small and medium-sized organizations because In addition, larger organizations were less likely to
for them cyberattacks, while perhaps more likely report their third parties as being equally resilient
to test the survival of a smaller organization, are as themselves (23%). Small to medium-sized
episodic and potentially more easily forgotten than enterprises, those with fewer than 1,000 employees,
they are for larger firms that suffer regular attacks. were more likely to consider those third parties to be
equal in their cyber-resilience capabilities (38%).
Added to this, smaller organizations do not often
have the capacity to respond to incidents and
Cyber insurance is another way for organizations to improve the cyber resilience of the insured party. If
mitigate the damage from cyber incidents. a smaller organization has an incapacitating cyber
incident, with subsequent upstream effects on
Similar to supply-chain risk, organizational size was larger organizations, it will not have the resources to
a determining factor in whether an organization was respond, nor will it receive assistance in its post-
likely to have cyber insurance. Smaller organizations attack recovery in the form of an insurance payout.
were more likely to report they did not have cyber
insurance (48%) than larger organizations (16%). In the absence of insurance, organizations would do
well to focus on initiatives that support ecosystem
This shows a critical gap in the cyber resilience resilience. By increasing the level of protection
of the entire ecosystem. Cyber insurance often across their supply chain, organizations will enhance
comes with required actions that are likely to the cyber resilience of their own operations.
FIGURE 15 Has your organization submitted a claim using your cyber insurance policy
in the past two years?
<250
employees 4% 52% 37% 7%
251–1,000
employees 38% 46% 15%
1,001–10,000
employees 4% 8% 58% 15% 15%
10,001–100,000
employees 5% 57% 14% 24%
100,001+
employees 7% 14% 21% 57%
Yes, and the claim was not successful Yes, and the claim was successful No, we have not submitted a claim
We currently do not have a cyber insurance policy I do not wish to disclose this information
The shifts in perception and actions described of organizational cyber resilience. This year’s outlook
above illustrate a closing gap between cyber indicates that a third of all cyber leaders still ranked
leaders and business leaders in their perceptions gaining leadership support as the most challenging
of leadership support. aspect of managing cyber resilience. A majority,
94%, of respondents believe, however, that their
The 2022 Global Cybersecurity Outlook report board of directors has a duty of care when it relates
highlighted how cyber leaders perceive leadership to cybersecurity.
support as a primary challenge in the management
The security staff deserves the same level of trust that you would
put in other business leaders. You may not know exactly what is
coming, but you should be able to trust that the security leader is
directionally right and you understand what their priorities are.
Remko Vos, Chief Executive Officer, CUJO
Organizational leadership has begun to listen to been helped by the interlocking committees that
the concerns of cyber leaders. One interviewed give several board members quite a bit of exposure
executive explained, “Boards’ understanding of to questions of digital transformation, information
their responsibility and duty of care has improved. security, business continuity and cyber resilience.”13
In larger or regulated firms, this awareness has
40%
34%
30%
29%
20%
10%
0
0 1 2 3 4 5 6 7 8 9 10
A primary challenge for cyber executives is shifting and business leaders must learn to effectively
from gaining board support to enabling impactful board translate their cyber risks into enterprise risk, and
action. Multiple interviewees brought up the disconnect into the right operational and tactical measures to
between how cyber risks are communicated to boards mitigate those risks.
and how boards interpret and translate those risks
in the context of overall enterprise risk. Here, the Forum’s Principles for Board Governance of
Cyber Risk offers common principles on which cyber
While boards appear to be more cyber aware leaders and business leaders can build. In order to
than before, the questions they are asking about shrink the board-level understanding of cyber risk,
cybersecurity imply that they may not have fully security leaders should help their boards to:
grasped the effect of cyber risk on enterprise risk.
In addition, many continue to struggle to determine – Understand the economic drivers and impact
which questions are best suited to assessing of cyber risk – by reporting cyber risk in
information provided by their cybersecurity teams financial, economic and operational terms, not
and enabling informed and risk-based decisions. just in technical terms
As one interviewee stated, “Being able to clearly – Align cyber-risk management with business
describe the key operational risks and, as part of needs – by identifying how cyber-risk
this, the key cyber-related risks, and then having management and resilience help to meet
the link between these risks and the operational or business objectives
technical controls is important. This allows business
leaders to gauge whether they know what their For corporate directors, and business leaders,
Cybersecurity
risks are and whether the organization is doing the the principles counsel them to:
and business right thing to protect itself.”14
leaders must – Incorporate cybersecurity expertise into board
learn to effectively The difficulties cyber leaders report in governance
translate their communicating with business leadership
cyber risks into demonstrate a comprehension gap between – Encourage systemic resilience and
enterprise risk. security issues and business impacts. Cybersecurity collaboration15
Cyber talent recruitment and retention continues among both groups most likely indicate increased
to be a substantial obstacle for all organizations, awareness of the talent gap rather than a worsening
as seen in both the 2022 and 2023 Global of the talent problem.
Cybersecurity Outlook reports. The perception gap
between business and cyber leaders, however, has More than half of organization leaders in industries
narrowed significantly, signalling alignment on the that provide or make heavy use of technology
realities of the cyber labour market. services (including those in the information
technology and telecommunications industries)
The 2022 Outlook report found that 10% of cyber reported they have the skills needed today. In
leaders indicated they lacked the critical people contrast, the industries that reported a lack of
and skills needed to deal with a cyberattack. No critical people and skills were mainly critical
business leaders indicated that deficit. infrastructure industries – including energy utilities
– and the public sector. The scale of the challenge
Reponses to the same question in this year’s in critical infrastructure, where specialized skills are
Outlook report show that 10% of business leaders often needed, is a concern. It will be difficult for
and 13% of cyber leaders feel that they have many companies to solve the talent gap on their
critical gaps in skilled personnel. The increases own and solutions are likely to require partnerships.
FIGURE 17 Does your organization have the skills needed to respond to and recover from a cyberattack?
We are missing critical We have training and skills Not sure We rely on third parties We have the people and
people and skills gaps in some areas or external resources skills we need today
50%
44%
46%
40%
34%
32%
30%
20%
13%
10% 10%
10%
5% 5%
1%
Telecommunications
In this year’s Cybersecurity Outlook research, having the people and skills needed today to
59% of business leaders and 64% of cyber respond to cyberattacks. The level of shared
leaders ranked talent recruitment and retention understanding on this topic makes it more likely
as a key challenge for managing cyber resilience. that steps can be taken to solve the challenge of
Additionally, less than half of respondents reported creating and retaining cyber talent.
We are missing critical people and skills We have the people and skills we need today We have training and skills gaps in some areas
50%
46% 47%
43%
44%
46%
40%
33%
34%
30%
32%
20%
13%
10%
10%
10%
0%
0
2022 2023 2022 2023 2022 2023
The role of the chief information security officer (CISO) is one of the
most dynamic careers. We secure entire organizations as they evolve
with new technologies in an increasingly digital environment. This
means the CISO has a role in supporting the transformational change
of a business’s technology, culture and organizational structures.
Daniel Bariusso, Chief Information Security Officer, Banco Santander
In this year’s report, 17% of security executives Survey responses for this report indicate that the
expressed concern about the level of cyber increased concern among business executives
resilience in their business. This was up slightly could also be driven by regulatory demands for
from 13% of security executives the year before. increased board-level accountability for cyber-risk
17%
Conversely, the increased level of awareness of management. For example, in late 2022 the United
cyber risk among business executives led to a States Securities and Exchange Commission (SEC)
marked increase in concern, from 16% to 27%. created rules that make cyber-risk reporting and
of security executives This might be due to a better understanding business resilience planning a vital component of
are concerned about
the level of cyber
by business leaders of the damage that can be effective board management.16
resilience in their done to their business operations, commercial
business.
relationships and reputation by a major cyberattack.
Lost in translation?
Security leaders and business leaders sometimes It has also proven difficult to quantify and assess
have difficulty translating cyber-risk information into cyber risk. Costs are often expressed in “average”
mitigating actions in their organization. Security terms when referring to a breach, but this may
leaders who reported they were successful in not be appropriate for an individual organization
translating risk to mitigation regularly demonstrated assessing its own risk.
a capacity to make technical data comprehensible
and relevant for organizational leaders. Many organizations have too many assets on their
network to identify the key risk points, or even to map
The difficulty in translating cyberthreats to operational their assets. This makes it difficult to assess where
risk is a barrier to collaboration between security and how much money should be spent. Without a
executives and business leaders. Commonplace way to clearly map risks to value-creating assets or
terms such as “ransomware” can be explained processes, as well as a plan of action arising from
to boards more easily, but mapping cybercrime this, it is hard to quantify and justify the resources
campaigns or threat actors to the targeting of that should be allocated to mitigating them.
particular assets and resources is complicated.
FIGURE 20 What cyber risk are you most concerned about when it comes
to your personal cybersecurity?
Identity theft
1 1
Cyber extortion
2 3
(e.g. ransomware)
Critical infrastructure
3 4
breakdown (e.g. essential
goods and services) due
to a cyberattack
Geopolitical instability
5 4
and cyberwar
Blackmail due to
compromised 6 6
personal data
Falsified or stolen
6 7
medical data
1 2 3 4 5 6 7 7 6 5 4 3 2 1
It can be useful to find a shared starting point for When considering personal risks, organizational
the conversation between security and business leaders and security executives are most concerned
executives on cyber risk. about becoming victims of identity theft (ranked
first) or cyber extortion and theft of data or money
As mentioned earlier in this report, business (ranked second and third by each cohort). So there
leaders are often well-practised in adapting their are shared reference points at the macro level
organizations to geopolitical change. The research (geopolitics) and the micro level (personal digital
for this paper also indicates that security leaders security) that can be an entry point to a discussion
and organizational leaders share the same concerns on organizational and business cybersecurity.
about their personal cybersecurity.
During the World Economic Forum’s Cybersecurity respond to the question, ‘What is the return?’ That
Outlook Series of workshops in 2022, participants is something we struggled with in cybersecurity.
noted the difficulty of translating investment in How do I know this is a good investment across the
cybersecurity into clear returns for the board, with myriad of things that I could potentially be invested
one representative participant saying, “The three in? How can we improve at making effective metrics
things board members are interested in are risk, to help boards make better-informed decisions?”17
opportunities and investment in cost. In cybersecurity, Effective metrics are ones that a board can translate
we talk about the cost a lot, but we need to better directly into informed decisions to drive the business.
Boards need to Cyber leaders should actively work to close the while the environment can’t be made less complex,
understand the communication gap with their non-technical boards need to understand the strategic essence
strategic essence audiences so that the relevance of their of the message being received from security teams
of the message recommendations is understood and incorporated and what that means for corporate governance and
from security into risk-management strategies. investment decisions in security and elsewhere.”18
teams and what
The challenge was clearly described by a business Effective communication is the basis for success in any
that means
executive interviewee: “Cyber leaders remain, in cyber-resilience programme. Cybersecurity leaders
for corporate general, weak at presenting the cybersecurity should use less technical jargon when speaking with
governance problem in terms that board-level executives can business leaders. Boards of directors should help
and investment understand and act on. It’s also true that boards cybersecurity leaders understand what assets and
decisions in need to have questions they can ask to assess processes must be prioritized for protection. Boards
security and what their cyber leaders are telling them. However, should then make themselves accountable for these
elsewhere. the message from cybersecurity experts is still priorities once they are set because cybersecurity
too technical and the data they are providing is resources are rarely sufficient to effectively defend all
too ‘scattered’. Lots of data [is] flying around and, parts of an organization all of the time.
Business leaders
10% 29% 22% 39%
Cyber leaders
9% 37% 12% 42%
Organizational structures play an important role report directly to CEOs. Another respondent opined
in embedding cyber-risk management across that by having the CISO report directly to the CEO,
an organization. They shape the frequency and budgeting conflicts between security initiatives and
quality of cyber-risk discussions, and can create technology enablement might be avoided.20
opportunities for improved clarity, context and
understanding between security and business As observed in the 2023 Global Cybersecurity
teams. As one participant at the World Economic Outlook survey results, only 25% of all respondents
Forum’s 2022 Cyber Outlook Series of workshops indicated that the most senior cybersecurity
highlighted with regard to organizational and executive in their organization reports directly to the
reporting structures: “I report to the CEO, which is a CEO. However, other security executives pointed to
huge advantage; we have portfolio companies where the importance of the chief information officer (CIO)
cybersecurity is still in IT. Not having direct reporting as a champion for cybersecurity across a business.
to the board is a big disadvantage. Reporting should There is no single approach to making this work,
come from the person responsible for it.”19 but it is important that security executives have
access to senior business leadership.
That participant was not alone in their opinion that
the most senior cybersecurity executives should
A security culture starts with awareness and one security executive interviewed for this report
includes everyone. Increased employee awareness identified their organization’s human resources team
about cyberattacks was cited by cyber leaders as being considerably more likely to open suspicious
who took part in the survey as the most positive attachments than other parts of the organization.
influence on an organization’s cyber-resilience Further investigation revealed that staff in this team had
approach in the next 12 months. An organization’s no secure portal in which to access job applications
cyber capabilities grow with its employees’ from external candidates and were thus required to
understanding of cyber risks and their personal role open large numbers of resumés that arrived as email
and responsibility in helping to manage them. attachments. The volume of attachments processed
by this team increased the likelihood of a malware-
Organizational leaders should consider pushing infected attachment being opened. This allowed
more accountability for operational cyber the security executive to make an organizational
requirements onto business leaders. As an recommendation, that the human resources team
example of how this can change an organization’s be provided with an online portal for job application
security culture, one interviewee explained that submissions to reduce the risk of opening malicious
their organization previously granted cybersecurity files that could severely damage the wider company.
control exceptions without considering how those
exceptions could increase their cyber risk. To This high-value consultative approach can be
address this, it is establishing a new executive taken when boards give security executives the
committee to review exceptions. “Now if you need time and space to step away from their daily role of
an exception, you will have to come in front of the surveillance and response to act as an adviser to
CTO, CIO and CISO to defend your case ... the the rest of the organization.
business might not immediately be ready for the
The cybersecurity mitigation controls and the path forward, but now Where possible, security should be focused on
I am looking for a mindset shift. When you need to higher-order topics that are more specialized than
team, if used
stand in front of three executives, your preparations basic operations. Cyber leaders should contribute
thoughtfully, have to be completely different. We need this to cybersecurity requirements that business units can
can provide vital drive cultural shifts towards security.”21 incorporate into their key performance indicators
insights that help (KPIs), after which all leaders must demand real
embed cyber-risk The cybersecurity team, if used thoughtfully, can enforcement, real consequences and real incentives
methodologies in provide vital insights that help embed cyber-risk to achieve the agreed-upon KPIs. Meaningful
an organization. methodologies in an organization. For example, incentive structures make change happen.
People think that cybersecurity is something that’s highly technical. Yes, some
roles require deep technical expertise, but cybersecurity is a vast domain and
making an organization cyber resilient also requires generalist roles that need
a broader skillset, from education and awareness to policy writing, governance
and others. We need more people in the both the technical and generalist roles.
Bobby Ford, Senior Vice-President and Chief Security Officer, Hewlett Packard Enterprise
As indicated in the previous section, talent New and inventive projects are being launched
recruitment and retention continue to be a key every year. A significant number of organizations
2.27m
Shortfall between
challenge for managing cyber resilience. The shortfall
between supply and demand for cybersecurity
understand that cybersecurity touches on many
areas of their activity and making an organization
experts was estimated at 2.27 million in 2021.22 cyber resilient requires a wide range of skill sets.
supply and demand
for cybersecurity Respondents to the surveys as well as participants
experts in 2021 Currently, organizations are competing for talent by in the interviews and workshops consistently argued
paying more to the same small pool of people. This that the academic and professional disciplines that
exacerbates the staff shortage by creating a high lend themselves to cyber-resilience skills are much
turnover of cybersecurity experts from company to broader than many people realize and are certainly
company. Paying more is a stopgap that will not not limited to computer science or engineering. The
solve the longer-term problem. soft skills for cyber roles can come from disciplines
such as economics, law, psychology, sociology,
More needs to be done to increase the flow of communications and media studies.
cybersecurity talent into the workforce. This has
been a consistently difficult problem to solve, but
it is also an area with possibilities for real progress.
A broad solution to increase the supply of cyber Diversity and talent pipelines can be further
professionals is to expand and promote inclusion improved if organizations build relationships with
and diversity efforts within cyber recruitment. civil society organizations such as Girls Who Code
Underrepresented groups in cybersecurity such as in the US and Africa Teen Geeks in South Africa.
women, people of colour and those with informal It’s also possible to open the recruiting process by
educations have been continually discouraged from focusing more on skills and experience rather than
technical careers through societal expectations and four-year degrees.
perceptions of cybersecurity work culture.
As cyberthreats evolve and expand, so must the
This is not a simple solution. As a first step, it talent pool that engages with them. As argued in
requires broadening the narrative about who can October 2022 by experts from the Tech for Good
work in cybersecurity so that people with non- Institute, the Tifa Foundation and the United Nations
technical backgrounds, as well as those outside University Institution: “Designing and implementing
of the traditional education system and from appropriate cybersecurity solutions … demands
underrepresented groups, understand that there are non-technical competencies such as business,
currently roles for them as well and that it is possible management, legal, policy and diplomacy.”24 The
to retrain for technical roles in the near future. need for these competencies grows as “socio-
technical threats such as social engineering and
Many cybersecurity roles can be learned on the job online abuse are increasingly prolific”.25
or through apprenticeships. Democratizing access
to cybersecurity career paths has the potential to Social inclusion and diversity issues should not
be a social good, supporting reskilling of sections be decoupled from the discussion of cyber talent
of the workforce. development. Many skills projects are successful
because they focus on diversity of professional or
However, capitalizing on the increased interest lived experience. Diversity is not a “nice-to-have”
in cybersecurity is also likely to require greater addition to a cyber-skills programme but something
collaboration between organizations. Even high- that is likely to influence the programme’s success
quality apprenticeship and training programmes and also strengthen the cyber resilience of an
run by individual organizations, such as the Absa organization to the highest degree. Employing
Cybersecurity Academy in South Africa,23 have a range of people with diverse opinions,
encountered difficulties scaling to large numbers. backgrounds, experiences and identities leads to
Both security leaders and business leaders focus can help overcome the tendency to focus less
needed to adapt and change their mindsets to on cyber response and more on cyber resilience.”28
make this possible.
Yet, the 2023 Global Cybersecurity Outlook study
When we compare this year’s findings with the illustrated that time is both the most valuable asset
2022 edition of this report, business leaders are and a stubborn adversary in this regard. The results
more aware of the threat landscape and cyber indicated that the tenure for cyber leaders is often short
leaders made more frequent appearances before and the turnover of cyber talent is high. Furthermore,
their board of directors. Both groups have a clearer the dynamics of the threat landscape frequently
view of the strengths and weaknesses of their focus attention on tactical defence at the expense of
organizations’ cyber capabilities, and cyber issues extended strategy, horizon planning and investment.
are more integrated into enterprise risk management
and now receive more board-level support. Jacky Fox, Europe Security Lead for professional
services firm Accenture, put it this way: “One of the
However, the study also revealed that cyber and biggest barriers to cyber resilience in many organizations
business leaders still have a great deal of work to do is time. Business leaders broadly understand they
to truly understand each other, articulate the risk cyber need to become more cyber resilient, but they can’t
issues pose to their business and translate that into snap their fingers to make it happen. They know
meaningful management and mitigation measures. there is a journey to travel to make their organizations
As the cyber landscape promises to become cyber resilient, but time is not on their side.”
more complex in the coming years, it is critical that
organizations work to resolve this now if they are to Breaking that cycle will require concerted
build systemic cyber resilience for the long term. communication and a coordinated risk-driven
improvement effort across the C-suite. In a cyber
Fortunately, building long-term capability is in the environment with such interconnected systemic
interest of all executives. As one leader stated, implications, this is imperative for all public- and
“There is value in providing business leaders with private-sector organizations. Encouragingly, it is
access to cyber-issue information. Business leader also a message that is recognized consistently in
roles such as CRO, BoD and CEO evaluate risks the Global Cybersecurity Outlook year after year
over a long time frame, and this long-term strategic and by leaders across the globe.
Akshay Joshi
Head of Industry and Partnerships,
Centre for Cybersecurity, Switzerland
Luna Rohland
Early Careers Programme, Centre for Cybersecurity,
Switzerland.
Acknowledgements
Harim Jung Editing and design
Data Analyst, Climate Change Data
Visualisation Org, South Korea
Laurence Denmark
HyoJin Park Designer, Studio Miko
Creative Producer, World Economic Forum,
Switzerland Sophie Ebbage
Designer, Studio Miko
Campbell Powers
Data Fellow, World Economic Forum, Alison Moore
Switzerland; Salesforce, USA Editor, Astra Content
Giovanni Salvi
Data Intelligence Manager,
World Economic Forum, Switzerland
Nicolas Siegenthaler
Video Producer, World Economic Forum,
Switzerland