WEForum Cybersecurity Outlook 2023

The World Economic Forum released its cybersecurity outlook for 2023 and I decided to take a read. You can read the full report here. Written in conjunction with Accenture, the report dives into some commonly talked about areas of cybersecurity. Let’s have a look at some of the report’s conclusions.

The initial section of the report focuses on “the global cyber landscape” and how that is affecting the companies that were surveyed for the report. It is clear from the results that many companies are starting to become aware of potential weaknesses within their supplier landscape, particularly as it relates to direct data access from partners and as it relates to doing business with suppliers/partners in certain countries.

[Source: World Economic Forum, Global Cyber Security Outlook Report 2023]

What I found interesting, however, is that many companies don’t really seem to have a good response to dealing with the perceived threat. This might be a result of how the survey was conducted, but many organizations stated that their plan was to “strengthen policies and practices for engaging direct-connection third parties with data access”. I mean, of course you would! Knowing how many companies (at least in North America) handle this, they already need to strengthen their policies/practices.

At the end of the first section, they start to talk about laws and regulations. This has been an area of interest for me for quite some time. You can read some of my thoughts on Bill C-27 and Bill C-26. I’ll be honest, I wasn’t really surprised by the results in this section.

The one key question was “Having more effective enforcement of regulatory requirements across my sector would increase my organization’s cyber resilience”. Quite a few organizations agreed with that, but not in the way you would think. While they think enforcement is necessary, they believe enforcement (by the government, presumably) of their supply chain is important, not necessarily on themselves. Here is the key part:

“This is not to suggest that organizations are actively requesting more regulatory scrutiny of their own activities, but, rather, that they believe properly enforced regulations will raise the quality of cybersecurity across their sector and their supply chains…”

Well of course it would. I would be curious how the results here were broken out across regional boundaries, but the source data was not released (at least as far as I know).

The middle section focused on “leadership perception changes”, and, at the outset, I had a hard time believing most of the results in this section. The first key graph was about leadership views on cybersecurity.

[Source: World Economic Forum, Global Cyber Security Outlook Report 2023]

Again, I think this can come down to poor survey techniques. Effectively, three of the options above are the same. In most organizations, compliance drives the cybersecurity agenda. By being compliant, a company can open itself up to other markets and larger customers, or cybersecurity becomes “a key business enabler”. Rackets like SOC2 certification are a great example of this. Remaining compliant becomes a “necessary cost of doing business” as you are generally required via contract to maintain your compliance certifications. When the above question is looked at in this lens, it starts to make more sense. 90% of business leaders and 86% of security leaders think that compliance drives their cybersecurity programs, and they’d be right.

The last section of the report talks about “a way ahead”. Most of the advice here has been in vogue for the past few years in cybersecurity circles. Communicating better, reviewing organizational design, and working on cybersecurity culture are all important things that companies should be doing. The most important in my mind is culture. We must stop doing cybersecurity because of a perceived “return on investment” and start doing it because it is the right thing to do, and we should protect the data of others like we would want our own protected. Unfortunately, that sentiment hasn’t made it into most MBA programs.

In conclusion, I think the report had so much more potential than it actually delivered. To have a stage to survey, like the WEF has, they could have done so much more and probed beyond the surface to really understand how cybersecurity is being viewed in the business world. Comically, I believe the biggest message here is don’t hire Accenture to do your surveys or your cybersecurity. Now obviously take that with a grain of salt, but the tone of the report matches what we see on a regular basis across all industries. Most organizations are only doing the minimum cybersecurity programs they can get away with, from a regulatory and compliance point of view. They agree that if everyone matured their cybersecurity practices, their industries, therefore the world, would be better off as a result. What will it take to get traction on this? Well, business and security leaders want to see enforcement over everyone but themselves. Now doesn’t that sound an awful lot like projection…

 

About Shamir Charania

Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, from senior architecture-level decision-making to having the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to address complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.
