Cyber Resilience: rethinking risk management

The rapid pace of technological evolution and dramatic increases in connectivity are sparking discussion about what systemic cyber risks might look like and how best to manage them. In late April, Microsoft partnered with the World Economic Forum Council on Risk and Resilience on a workshop addressing the topics of systemic cyber risk and possible approaches to avert the dangers it poses. The interactive workshop focused on the financial services, transportation and healthcare sectors – given their importance to national economies, national security and the well-being of citizens, and the potential impact of any systemic disruption. The event was the first step in developing a World Economic Forum report on the topic and examined the challenges of building resilience in today’s rapidly evolving technology and threat environments.

Diagnosing the problem

In order to continue to improve resilience to systemic cybersecurity risks, we have to develop a more thorough understanding of what systemic risk really means and the role it plays in some of the most important sectors of the economy. I was fortunate to moderate our initial panel discussion, which was dedicated entirely to exploring definitions of systemic risk and possible approaches to increasing the resilience of online ecosystems in light of those definitions. Panelists examined key vulnerabilities, identified single points of failure, and sought to understand the potential systemic consequences inherent in today’s risk environment. Perhaps Phil Reitinger captured it best, noting that this might be one of the “you know it when you see it” categories. Ultimately, although systemic risk is inherently difficult to describe, there was widespread agreement that without a stronger definition, the term loses all meaning and importance. While a simple way to think about systemic risk is as a cyber risk that rises above the enterprise level, we have to go deeper.

One way to do this is by refining the key characteristics that we can agree help define systemic risk, including critical functions, interconnectedness, and contagion. We first must align on what is meant by systemic risk and the threat at hand if we are to work cooperatively on the investments that enterprises and infrastructures will need to make to ensure greater cyber resilience.

Building better cyber resilience

As we improve our understanding of systemic cyber risk, the next challenge is applying this knowledge to build better cyber resilience. While this is a complex and long-term challenge, the first step is understanding that there will be no simple technological fix. Solving this issue will require proactive efforts and the adaptability to quickly learn from mistakes. Moreover, harmonization of approaches – across geographies and infrastructures – will be critical in increasing resilience. Those were the issues raised in the second panel, moderated by my colleague Angela McKay.

Here participants discussed two steps: incentivizing collaboration between those facing or defending against cyberattacks, and improving metrics for cyber resilience. To make meaningful progress, partnerships between the private and public sectors, including at the state and local levels, are essential. While those perpetrating cyberattacks frequently and actively collaborate and have strong, shared incentives, that is not always the case with the defenders. The panel explored measures that could help entities of all types and sizes refine their enterprise risk management strategies and identify targeted areas for key investment. It was acknowledged that metrics that can succinctly and effectively evaluate organizations’ resiliency to systemic cyber risk will go a long way in helping industry leaders and policymakers develop more rigorous cybersecurity defenses. The conversation ended with a debate on incentives, in particular around how cultural and organizational change – rather than just technological change – can be driven, and highlighted challenges related to human resources, cyber-insurance and ratings.

The future of cyber resilience

We are just beginning to understand what should constitute effective resilience strategies. As we explored during the workshop, we have a tremendous opportunity and responsibility to work together on this topic. This is an issue that can’t be fixed by just one company or government, but instead will require focused effort from all parties affected. The workshop was a tremendous opportunity to start this work – as it will take critical investment by enterprises and governments to begin to increase our collective cyber resilience. Microsoft was pleased to work with the World Economic Forum Council to bring key experts together, hear their perspectives, and help champion these efforts moving forward.

About the Author
Paul Nicholas

Senior Director, Trustworthy Computing

Paul Nicholas leads Microsoft’s Global Security Strategy and Diplomacy Team, which focuses on driving strategic change, both within Microsoft and externally, to advance infrastructure security and resiliency. His team addresses global challenges related to risk management, incident response, emergency communications,