Senior Advisor, BCG Platinion
New York
By Michael Coden, Shoaib Yousuf, Stuart Madnick, and Alex "Sandy" Pentland
Cybersecurity is a $445 billion problem, and some predict that figure could rise to $6 trillion by 2021. The list of companies that have already been hacked, attacked, and breached—suffering business interruptions and intellectual-property losses and exposing their customers to identity theft—reads like a who’s who of the retail, tech, telecom, manufacturing, and financial services industries, among others. The finances, operations, customer data, R&D, intellectual property, and brand reputations of all companies are at risk, which makes cybersecurity a fiduciary responsibility of the board and senior management. Yet in many organizations, top executives and board members still believe that cybersecurity is just an IT issue.
Nothing could be further from the truth; IT alone will never be able to address cybersecurity in a meaningful way. Sustainably addressing cyberrisk requires an organization-wide, cross-functional approach and the integration of cybersecurity and business strategy. Boards and senior management play a pivotal role in creating the organizational and cultural environment for such a joint approach. Top management and board members must recognize the risks involved and take steps to ensure that they are prepared for the day that their company is compromised—because it’s all but certain to happen.
Over the past year, in collaboration with the cyberresilience initiative of the World Economic Forum, BCG, MIT Connection Science, and MIT Sloan’s (IC)3 have worked together to identify, design, and test methods to effectively engage boards and other senior stakeholders on the critical and complex issue of cybersecurity. In addition to the robust principles to be followed and tools to be employed both to help prevent attacks and to deal with attacks that have occurred, we have found one medium that is particularly well suited to boosting the engagement and preparedness of top management and board members: tabletop exercises that simulate cybersecurity events and their fallout in real time.
These exercises can be useful in at least three ways. The first is practicing incident response, business continuity, and disaster recovery plans, as well as decision making under pressure, so that top leadership is not introduced to the far-reaching ramifications of a cyberbreach only when one has just occurred. Second, immersive and interactive exercises can be the most effective (and memorable) method of teaching the basic concepts of cybersecurity. Third, these exercises can be used as a laboratory for developing and testing cost-effective strategies for cybersecurity defense and mitigating the consequences of cyberattacks.
Practicing Incident Response
Military commands play war games (including cyberwar games). Schools and office buildings practice evacuation procedures and fire drills. The goals include improving performance, learning from doing, and saving lives. Captain Chesley “Sully” Sullenberger attributed his successful emergency landing of US Airways flight 1549 in the Hudson River, after the plane lost both engines on takeoff, to the extensive drilling and rehearsal he had undergone in flight simulators.
In similar fashion, by practicing the implementation of incident response, business continuity, and disaster recovery plans in a simulated cyberattack, board members and senior executives can gain a comprehensive understanding of how these attacks unfold, the variety of potential impacts, and their individual roles during a response, including potential interaction with law enforcement, regulatory officials, shareholders, employees, and customers. For this reason alone, such an exercise ought to be an essential part of any cybersecurity program.
Learning by Doing
The most effective way of learning is by doing. Think about kids learning to play soccer, for example. Studies by BCG and MIT have shown that the same theory applies to learning basic cybersecurity concepts. “Doing” via immersion in a simulated cyberattack gives executives a working knowledge of the wide variety of cybersecurity concepts that they need to understand to properly support the cyberresilience of their organization.
Cybersecurity is a complex field. The first step is defining a standard syllabus of subjects that need to be covered, which can include liabilities, mandatory regulations, voluntary guidelines, common threats, assets, methods of protecting assets, risk management, methods of detecting intrusions, forensics, and other key capabilities. The second step is taking teams of executives and board members through immersive scenarios using interactive simulations in which the concepts of the syllabus come into play and the impact of board decisions on the organization's P&L is modeled. For example: What are the liabilities to the company (and to the board members) if the company continues operations in the face of a known cyberbreach? What systems and protections does the company have in place to redress a cyberincursion? What are the legal and regulatory (and common-sense) requirements for notifying customers, shareholders, employees, and other stakeholders?
In our exercises, participating executives may operate as a single collaborative team, or they may be divided into two or more teams that compete to see which obtains a better score and finishes the exercise with the highest profits in its virtual P&L. Using such a hypothetical business case approach, the board and senior management learn cybersecurity concepts by experiencing them, and our research shows that they emerge with an excellent understanding of what otherwise seems like a daunting technical challenge.
Developing a Cybersecurity Strategy
Companies use laboratories to test products and processes before they are put into production. In a similar vein, tabletop exercises enable companies to test, evaluate, and refine cybersecurity strategies and, in so doing, to turn ideas and invention into a systematic, scientific discipline.
When executives are immersed in a properly constructed scenario, they see how the cyberdefenses they have built, or plan to build, actually perform, and they see the benefits that can be achieved by investing in further vulnerability prevention, attack detection, attack mitigation, and recovery. By living through a simulation that uses the company’s own cybersecurity investment plan, the board and senior management can experience firsthand the impact of each proposed investment, from training to technology. At the end of the exercise, they can consider changes and improvements—and whether a different cybersecurity investment plan might have provided a better outcome. For example, would a greater investment in multifactor authentication, advanced biometrics, or both have negated the attack? Would a larger investment in supply chain cybersecurity have made a difference? What would be the benefit of implementing a company-wide training program over 6 months rather than over 18 months? The goal is tangible output from the workshop, including a roadmap of next steps and a set of action items that optimize investments for cyberdefense.
These immersive exercises allow organizations to focus on how to plan and budget to maximize the business resilience, including the cyberresilience, of the company. Sometimes the best investments may be ones that reduce the consequences of an attack, rather than trying to prevent the attack outright. A properly designed exercise enables board members and senior management to make more informed tradeoffs and decisions on how to best invest in cyberresilience.
Handling cyberattacks is a company-wide concern. Building an effective cybersecurity strategy and culture is an essential competitive differentiator and business enabler. Culture starts with leadership, and leadership starts at the top. Through immersive tabletop exercises, leaders will gain understanding and can start to create in their organizations a culture of cyberresilience.
This article was originally published on the World Economic Forum’s Agenda blog.
Professor of Information Technologies at the MIT Sloan School of Management & Professor of Engineering Systems at the MIT School of Engineering
Director, MIT Connection Science and Human Dynamics Labs