Beyond Cybersecurity - Kaplan James M.

Preface
BACKGROUND AND APPROACH


“Risk and Responsibility in a Hyperconnected World” has been a theme for the World Economic Forum since 2011. Since the middle of 2012, the Forum has worked with nearly 100 companies to sign the “Principles for Cyber-Resilience.” Adhering to these principles commits companies to recognize that all parties have a role in fostering a resilient digital economy and to develop a practical and effective implementation program. It also encourages executive-level awareness and leadership of cyber-risk management and, where appropriate, it encourages suppliers and customers to develop a similar level of awareness and commitment.[2]

For the Forum’s 2014 meeting in Davos, it asked McKinsey to help it increase C-suite executives’ level of engagement with cyber-attacks, cybersecurity, and digital resilience across industries, including not only technology and telecommunications, but also financial services, manufacturing, consumer goods, transportation, energy, and the public sector.

Jointly, McKinsey and the Forum decided that the most useful outputs of this project would be a fact-based point of view on the broad strategic and economic implications of cyber-attacks; and a plan for what the full set of players in the cybersecurity ecosystem should do to achieve digital resilience, with a strong focus on how senior executives could address this as a business rather than a technology issue.

We began collecting data in the late spring of 2013, developed and validated our hypotheses through the summer and fall, and shared our findings at the Forum’s Annual Meeting in Davos in January 2014.

The Fact Base

Interviews with more than 180 CIOs, CISOs, chief technology officers (CTOs), chief risk officers (CROs), business unit executives, regulators, investors, policymakers, and technology vendors provided input into how all the different participants in the ecosystem thought about the overall cybersecurity environment. In addition, surveys of nearly 100 enterprise technology users gave us a clear understanding of business risks, the threat environment, and the potential impact of a range of actions. Finally, more than 60 Global 500 institutions participated in a detailed survey on their cybersecurity risk management practices (Table P.2).


TABLE P.2 Our Research Was Based on Extensive Surveys and Workshops

Scenarios and Economic Impact

Based on insights gleaned in the interviews, we identified more than 20 drivers of how the cybersecurity environment could evolve over the next five to seven years and synthesized those into two macro-level drivers: intensity of threat and quality of response. From there, we derived three future state scenarios: muddling into the future, digital backlash, and digital resilience. Based on input from the interviews and surveys, we estimated how each scenario would affect the adoption of a range of important technology innovations such as cloud computing, enterprise mobility, and the Internet of Things – and what impact this would have on value creation.

Critical Actions to Achieve Digital Resilience

Again, based on the interviews and surveys, we highlighted the most important actions for each participant in the cybersecurity ecosystem, with a particular focus on the actions individual companies would have to take across all their business functions to protect themselves.

Once we defined the scenarios, assessed the economic impact, and identified the critical actions, we reviewed these interim findings with dozens of CIOs, CISOs, policymakers, and other relevant executives. These reviews took place at working sessions in Silicon Valley, Geneva, and Washington, D.C.; at executive roundtables convened by McKinsey; and at the World Economic Forum’s Annual Meeting of New Champions in Dalian, China.

We summarized our findings in a high-level report published on January 26, 2014[3] and discussed the results in a spirited private session with more than 80 senior executives and policymakers at the Forum’s meeting in Davos. There is already strong evidence that this effort is starting to achieve its objectives. CSO magazine explained that our estimate of a $3 trillion impact is “getting everyone’s attention because it looks not only at direct losses, but also at unrealized value creation as businesses and individuals avoid ‘digitization’ – or the adoption of technology.”[4]

Since presenting the findings, both McKinsey and the Forum have worked on what it will take to get to digital resilience. Based on its work supporting leading institutions in developing cybersecurity strategies and implementing cybersecurity programs, McKinsey has further validated and fleshed out the actions that individual institutions should take to protect themselves. Meanwhile, the Forum has conducted dozens of working sessions involving hundreds of companies to build support for collaboration among all participants in the ecosystem to get from cybersecurity to digital resilience in this world where $3 trillion is at stake.

[2] World Economic Forum, “Partnering for Cyber Resilience,” March 2012.

[3] World Economic Forum, in collaboration with McKinsey & Company, “Risk and Responsibility in a Hyperconnected World,” January 2014.

[4] Bragdon, Bob, “When Leadership Gets on Board,” CSO, June 19th, 2014. www.csoonline.com/article/2365152/security-leadership/when-leadership-gets-on-board.html.
