Global Cybersecurity Outlook 2023
Insight Report, January 2023
In collaboration with Accenture

Cover: Artwork created using artificial intelligence, prompt, art direction and refining by Studio Miko. Images: Getty Images.

© 2023 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

Disclaimer: This document is published by the World Economic Forum as a contribution to a project, insight area or interaction. The findings, interpretations and conclusions expressed herein are a result of a collaborative process facilitated and endorsed by the World Economic Forum but whose results do not necessarily represent the views of the World Economic Forum, nor the entirety of its Members, Partners or other stakeholders.

Contents

Foreword
Executive summary
1 The global cyber landscape
1.1 Geopolitics
1.2 Emerging technology
1.3 Emerging threats
1.4 Laws and regulations
2 Leadership perception changes
2.1 Prioritizing cyber risk in business decisions
2.2 Gaining leadership support
2.3 Cyber talent management
3 A way ahead
3.1 Improving communication
3.2 Reviewing organizational design
3.3 Building security culture
3.4 Closing the cyber talent gap
Conclusion
Appendix: Methodology
Contributors
Endnotes

Foreword

Geopolitical instability, rapidly maturing and emerging technologies, lack of available talent, and increasing shareholder and regulatory expectations represent some of the significant challenges that concern cyber and business leaders. If the findings of last year's Global Cybersecurity Outlook reflected the lingering impact of the pandemic, and the effects of rapid digitalization, this year's Global Cybersecurity Outlook reveals concerns about an increasingly fragmented and unpredictable world.

Building cyber resilience, globally, has been one of the key priorities of the World Economic Forum's Centre for Cybersecurity since its inception. Inherent in that work is bridge-building between the public and private sectors, and between cyber experts and business leaders. This year, when the Centre engaged its network of global cyber and business leaders to solicit their insights on emerging cyberthreats, we could see both how far we have come, and how far we have yet to go in helping translate cyber-risk issues into communication that C-suites and boards of directors can use effectively.

The outlook, however, need not seem bleak. There's hope for better understanding and more effective action in the future. The best leaders avail themselves of wide-ranging information and listen to all of their stakeholders, understand their role and impact, and exercise good judgement to achieve the optimum outcomes. These attributes are no less necessary in cybersecurity than they are in any other domain.

In this edition of the Global Cybersecurity Outlook, we are pleased to see improvement in a crucial area: awareness of cyber-risk issues, at the executive level, has gone up. At the same time, this year's Global Cybersecurity Outlook report represents a challenge to leaders to think more deeply about cybersecurity and listen more intently to cyber experts, and to each other, in order to ensure our shared resilience. Awareness and preparation will help organizations balance the value of new technology against the cyber risk that comes with it.

Paolo Dal Cin, Global Lead, Accenture Security
Jeremy Jurgens, Managing Director, World Economic Forum

Executive summary

Hearing is not the same as listening. This aptly characterizes the relationship between cyber and business leaders in many organizations, according to research for the 2023 Global Cybersecurity Outlook study. The significance of cyber risk has certainly been heard in C-suites and boardrooms. Whether cyber leaders and business leaders understand each other well enough to meet this challenge is, on the other hand, an open question.

Overall, the study indicates that business leaders are more aware of their organizations' cyber issues than they were a year ago. They
are also more willing to address those risks. Nonetheless, cyber leaders still struggle to clearly articulate the risk that cyber issues pose to their organizations in a language that their business counterparts fully understand and can act upon. As a result, agreeing on how best to address cyber risk remains a challenge for organizational leaders.

The 2023 Global Cybersecurity Outlook report presents the results from this year's study of cybersecurity and business leaders' perspectives on leading cyber issues and examines how they affect organizations around the world. Key findings include:

The character of cyberthreats has changed. Respondents now believe that cyberattackers are more likely to focus on business disruption and reputational damage. These are the top two concerns among respondents.

Global geopolitical instability has helped to close the perception gap between business and cyber leaders' views on the importance of cyber-risk management, with 91% of all respondents believing that a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years. Following from this, 43% of organizational leaders think it is likely that in the next two years, a cyberattack will materially affect their own organization. This, in turn, means that in many cases, enterprises are devoting more resources to day-to-day defences than strategic investment.

The data protection and cybersecurity concerns created by geopolitical fragmentation are increasingly influencing how businesses operate and the countries in which they invest.

Business executives acknowledge that their organization's cybersecurity risk is influenced by the quality of security across their supply chain of commercial partners and clients. Leaders intend to respond to these concerns by strengthening controls for third parties with access to their environments and/or data and re-evaluating which countries they do business in. However, business leaders are more likely to focus on in-house solutions for cyber-risk management, whereas security leaders place a higher priority on partnerships with other organizations.

Many organizations are undertaking large digital transformation projects. Adding emerging technology to legacy IT increases the complexity of organizations' digital environments and therefore their cybersecurity risk. Leaders struggle to balance the value of new technology with the potential for increased cyber risk in their organizations.

Cyber executives are now more likely to see data privacy laws and cybersecurity regulations as an effective tool for reducing cyber risks across a sector. This is a notable shift in perception from the 2022 Outlook report. Despite the challenges associated with compliance, cyber leaders acknowledged that regulation incentivizes much-needed action on cybersecurity.

Structured interactions between cyber and business leaders are becoming more frequent: 56% of security leaders now meet monthly or more often with their board. This is rapidly narrowing the cybersecurity perception gap. However, more needs to be done to promote understanding between business and security teams to support effective action by organizational leaders.

Building a security-focused culture requires a common language based on metrics that translate cybersecurity information into measurements that matter to board members and the wider business. Changes in organizational structure that embed cyber-risk discussions across a business can also promote more fluid communication and effective cyber-risk management. Ultimately, cyber leaders must present security issues in terms that board-level executives can understand and act on. Business leaders, for their part, need to accept more accountability for operational cyber requirements to advance their organization's overall cyber capabilities.

Cyber talent recruitment and retention continues to be a key challenge for managing cyber resilience. A broad
solution to increase the supply of cyber professionals is to expand and promote inclusion and diversity efforts. In addition, understanding the broad spectrum of skills needed today can help organizations to expand their hiring pools. A number of promising initiatives are already in place, but these tend to focus on small cohorts. Time, thought and investment are needed to make cyber-skills development programmes scalable.

[Figure 1: Global Cybersecurity Outlook 2023: key findings. Panels: 86% of business leaders and 93% of cyber leaders believe global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years; Do organizations expect geopolitical risks to affect their cybersecurity strategy?; Do small and large enterprises have different expectations of geopolitical influence? (by number of employees); What changes will leaders make in response to geopolitical risk?]

[Figure 2: Global Cybersecurity Outlook 2023: key findings. Panels: In comparison with cyber leaders, business leaders are substantially more likely to strongly agree that more sector-wide regulatory enforcement would increase cyber resilience (business leaders 29%, cyber leaders 17%); What will have the most positive influence on an organization's approach to cybersecurity in the next 12 months? (increased use of cloud-based services, increased employee awareness about cyberattacks, digital transformation initiatives; ranked by business leaders and by cyber leaders); Are cyber and privacy regulations effective in reducing an organization's cyber risks?; Compared to last year, business and cyber leaders are approaching consensus on the state of their organizations' cybersecurity talent (2022 and 2023 responses: we are missing critical people and skills; we have training and skills gaps in some areas; we have the people and skills we need today).]

1 The global cyber landscape

Technologies are now shared across a multitude of organizations. These organizations consequently have common dependencies or weaknesses.

The impact of cybersecurity incidents can cascade from organization to organization and across borders. The risks this creates are potentially systemic, often contagious and frequently beyond the understanding or control of any single entity.[1]

Cybersecurity experts are themselves only beginning to grasp the extent and consequences of the technological interdependencies being created by their
organizations' digital transformation. These changes range from the important but unexciting, such as increased dependence on shared IT services, to the more exotic, such as the creation of communication services on Earth that depend on “constellations” of software-enabled satellites in space.[2]

News headlines have drawn leadership attention to shifts in the cyber landscape. Most business leaders are now conscious that new technologies are evolving quickly and that cyberattackers will exploit this. They understand that geopolitical tension is rising in most regions and that cyberattackers are changing their targets as a result. Cybersecurity regulations have become a more prominent factor in compliance and board-level conversations across many regions.

Although cyber leaders, business leaders and boards of directors are now communicating more directly and more often, they continue to speak different languages. News about cyber incidents has often dominated the conversation, rather than discussions about why those incidents mattered to an executive's organization and how precisely businesses could help their cyber leaders manage their responses. In many organizations, questions about the most recent cyber news continue to drown out conversations on the most important initiatives and investments needed to meaningfully reduce cyber risk.

This year's Outlook report reveals that 93% of cyber leaders and 86% of business leaders think it is “moderately likely” or “very likely” that global geopolitical instability will lead to a far-reaching, catastrophic cyber event in the next two years. Similarly, 74% of organization leaders say that global geopolitical instability has influenced their cyber strategy “moderately” or “substantially”. Business continuity (67%) and reputational damage (65%) concern organization leaders more than any other cyber risk. Leaders intend to respond to these concerns by strengthening controls for third parties with access to their environments and/or data (73% and 66% respectively) and re-evaluating the countries with which they do business (50%).

1.1 Geopolitics

[Figure 3: How likely is it that geopolitical instability will lead to a far-reaching, catastrophic cyber event in the next two years? Series: cyber leaders, business leaders. Response options: not very likely, moderately likely, very likely.]

[Figure 4: Likelihood of geopolitical instability leading to a far-reaching cyber event in the next two years (by number of employees per organization). Series: business leaders, cyber leaders. Response options: not very likely, moderately likely, very likely.]

Cyber leaders, business leaders and board members have a nearly equal understanding of cyber risks related to geopolitical instability, more so than with any other source of cyber risk. The tangible and immediate nature of the effects and pervasive news coverage make it easier for all three groups to fully appreciate these risks. Business leaders are often adept at adapting their organizations to new political realities. This makes geopolitical risk an entry point for the wider conversation between security leaders and business leaders on how cyberthreats are changing and how cyber risk can affect their organization's business continuity planning.

[Figure 5: Geopolitical risk is influencing cybersecurity strategies across all sizes of business surveyed. Axis: number of employees. Response options: not at all, minimally, moderately, substantially.]

Most respondents, across all sizes of organizations, stated that geopolitical instability had influenced their cybersecurity strategy. Respondents who reported successful changes in their cybersecurity strategy also said they had organizational structures in place that supported interaction among cyber leaders, business leaders across functions and boards of directors. These structures encouraged collaboration on digital resilience across business activities. Separate research undertaken for the World Economic Forum's Earning Digital Trust initiative in 2022 suggests that building trustworthy technology by focusing on the interplay between cybersecurity, privacy, ethics and transparency, with the aim of protecting all stakeholders' interests and upholding societal expectations, can aid in this cross-organizational cooperation.[3]

[Figure 6: How geopolitical risk has influenced my organization's cybersecurity strategy. Series: business leaders, cyber leaders. Response options: strengthen policies and practices for engaging direct-connection third parties with data access; strengthen controls with third parties who process data; re-evaluate the countries with which my organization does business; establish and engage with industry working groups; update terms and conditions for third parties; adjust information-sharing practices; no changes planned.]

The geopolitical events of the past year have significantly influenced cyber strategy and tactical cybersecurity operations across the globe. Efforts are being made to strengthen internal policies and processes as well as to increase the effectiveness of cybersecurity controls with third parties. This suggests that organizational responses to cyber risk being undertaken now will have a positive long-term
impact. At the same time, geopolitical tensions might be responsible for a greater volatility in the character of cyberthreats, with more variation in the types of widely available malware, as well as changes in the type of assets or value-creating processes that cyberattackers target. This volatility has made it increasingly difficult to think strategically about the operational elements of an organization's internal cybersecurity practices. As noted by one respondent interviewed for this report:

“Geopolitics arising from the Russia-Ukraine war have also altered how we think about our threat environment. We have needed to spend time and resources on understanding how the threat landscape has changed, whether the difference in the attackers' motivation makes us more likely to be targeted, what will be attacked and how it might be attacked. We are now using more resources for active monitoring of the threat picture compared to 12 months ago. We focus on our tactical and short-term (three-month) planning and become less detailed in our three- to 12-month planning as the environment is so volatile.”[4]

[Figure 7: Regional breakdown of how geopolitical risk influences cybersecurity strategy. Regions: AMR, APAC, EMEA. Response options: adjust information-sharing practices; establish and engage with industry working groups; no changes planned; re-evaluate the countries with which my organization does business; strengthen controls with third parties who process data; strengthen policies and practices for engaging direct-connection third parties with data access; update terms and conditions for third parties. Note: AMR = Region of the Americas; APAC = Asia-Pacific; EMEA = Europe, the Middle East and Africa.]

1.2 Emerging technology

Business and cyber leaders are most closely aligned in their perspectives on emerging technology. Most organizational leaders appreciate that several fields of emerging technology, such as the use of machine learning, are being implemented at speed, used across a widening range of processes and will affect their organization's cyber-risk profile.

Respondents said that artificial intelligence (AI) and machine learning (20%), greater adoption of cloud technology (19%) and advances in user identity and access management (15%) will have the greatest influence on their cyber risk strategies over the next two years. However, respondents did not rank other categories of emerging technology significantly lower than the top three. This suggests that the implementation of new technologies will be undertaken in combination, significantly increasing the complexity of an organization's digital environment and highlighting the need to embed cyber-risk management through all stages of a digital transformation process. Organizations must balance the value of new technology and the potential cyber exposure that comes with it to effectively manage their risk in the coming years.

1.3 Emerging threats

“More resources are being thrown at cybercrime campaigns by criminal groups. There's a sense that cybercrime is converging with nation-state actors and that this is leading to a higher number of new campaigns being launched as well as attacks that are more clearly tailored to the target organization. The greater the volatility in the threat, the more time is being spent on tactical defence by CISOs and their teams. It's important to create the space for strategic development and effective risk management.”
Derek Manky, Chief Security Strategist and Vice-President, Global Threat Intelligence, Fortinet

Cyberattackers come in many forms and with different motivations. In cybersecurity terminology, these disparate groups are often bundled together using the term “threat actors”. In 2022, malicious threat actors adapted quickly to exploit changes in the political, technological and regulatory landscapes. In cybersecurity, attackers have a structural advantage: they need to find only one exploitable weakness across an organization. This means attackers have less ground to cover than a defender and the attacker can often adapt faster than organizations can defend or recover.

The threat landscape has become increasingly volatile. Professionalized cybercriminal groups have continued to grow and create a higher volume of new attack types. Volatility is not only risky; the time it takes to develop a response creates an opportunity cost for an organization's cybersecurity experts. Cybersecurity teams sometimes feel forced to ignore strategically important activities to address immediate tactical issues. In interviews, security leaders shared the belief that the variety of attacks has increased significantly since last year, and that the impacts are systemic rather than isolated in one target or sector.

The findings for this report indicate that a series of
major global cyber incidents in 2021-2022, such as the exploitation of the widespread Log4j vulnerability,[5] forced many organizations to focus on monitoring and assessing threat information. Threat data, when viewed from the perspective of an individual organization, contains a lot of “noise” and it can take a great deal of time to identify which threats matter to an organization and what the possible impact might be on operations. Further, several leaders indicated that their monitoring and assessment cycles shortened drastically from annually to quarterly, frequently diverting, and heavily taxing, their cyber resources.

Interview and workshop findings indicate that organizations which embed cyber-risk management across multiple parts of their activities, such as risk management, business continuity planning, finance, product development etc., find it easier to create the space needed to develop strategic responses to changes in the threat environment in order to better protect their assets and make their organization more resilient to cyberattacks when they occur.

1.4 Laws and regulations

“The way we build regulations for cybersecurity is centralized. The regulations this system creates are valuable, but the process takes time. It can take two years for a regulation to be developed. Standardization can take 18 months. A cyberattack takes seconds. The speed at which emerging technologies are implemented often outpaces our ability to build security measures around them. We need to go beyond simple compliance with regulations if organizations are to be cyber resilient.”
Hoda Al Khzaimi, Director, Center for Cybersecurity, New York University (NYU), Abu Dhabi; Founder and Director, (EMARATSEC) Center for Emerging Technology and Advanced Research in Cyber Security, AI and Cryptology, NYU

[Figure 8: Having more effective enforcement of regulatory requirements across my sector would increase my organization's cyber resilience. Series: cyber leaders, business leaders. Scale: strongly disagree to strongly agree.]

The 2023 Outlook shows a significant shift in the perception of how regulations affect cyber risk. In the 2022 report, more than half of respondents did not agree that cyber and privacy regulations are effective in reducing their organization's cyber risks. This year's outlook indicates that 73% of respondents agree with the same statement. This is a notable shift in perception of the effectiveness of cybersecurity and privacy regulations.

Some elements of cybersecurity regulations, particularly for organizations operating in more than one country, remain duplicative and can move resources from core cybersecurity work towards activities that aim primarily to demonstrate compliance rather than to keep an organization secure. These compliance challenges remain; however, in the context of mitigating a large-scale cybersecurity event, regulations are increasingly seen as an effective measure for moving private-sector resources towards cybersecurity and resilience activities.

A large increase in cyber incidents, related fines, investigations and engagements between policy-makers and the private sector has elevated the perception of regulations as a critical influence on organizations' cyber resilience. Business and cyber leaders also support effective enforcement of regulatory requirements: 76% of business leaders and 70% of cyber leaders agreed that further enforcement would lead to an increase in their organization's cyber resilience. This is not to suggest that organizations are actively requesting more regulatory scrutiny of their own activities, but, rather, that
they believe properly enforced regulations will raise the quality of cybersecurity across their sector and their supply chains, which will in turn make their business less prone to collateral damage from attacks on other organizations.

[Figure 9: Cyber and privacy regulations are effective in reducing my organization's cyber risk (year-on-year change in responses to the question, 2022-2023 reports). Response options: strongly disagree, disagree, neither agree nor disagree, agree, strongly agree. Note: The graph covers responses from both business and cyber leaders.]

[Figure 10: Cyber and privacy regulations are effective in reducing my organization's cyber risk. Series: cyber leaders, business leaders. Response options: strongly disagree, disagree, neither agree nor disagree, agree, strongly agree.]

One leader put it this way: “Public statements by government as well as regulation help boards understand the need to assign resources.”[6] All leaders still anticipate challenges with applying a set of continuously expanding and changing regulations. As an interviewee said, “Regulation incentivizes action on cybersecurity but doesn't directly lead to resilience within an organization.”[7]

Boards and business leaders' awareness of the demand for cyber resources within their organizations is increasing. With regards to regulations, business leaders might fear hefty fines more than they value and truly understand the contribution regulations make to collaborative cyber policies. Nonetheless, regulations are something to which boards actively respond and are a valuable starting point for embedding cyber-resilience techniques across an organization.

2 Leadership perception changes

Business and security leaders' perspectives on the importance of cyber-risk management are converging.

More than 39% of organization leaders agree that “cybersecurity is a key business enabler”. Interestingly, however, when broken down further, this equates to 51% of business leaders and 32% of security leaders giving an affirmative answer. This indicates that perhaps business leaders have leapfrogged security leaders in championing the importance of cybersecurity or it could reflect a lingering perception gap worthy of further research.

[Figure 11: Leadership views on cybersecurity. Series: business leaders, cyber leaders. Response options: cybersecurity is a key business enabler; compliance drives our cybersecurity controls; cybersecurity is a necessary cost of doing business; product and service differentiation.]

2.1 Prioritizing cyber risk in business decisions

“More and more corporate boards now have true cyber experts among their members. It helps when people at board level are sufficiently cyber-literate to ask pertinent questions of their security teams but also to bring cyber into strategic business discussions. Boards also need to understand what a cyber event means for their organization. Too many business leaders still underestimate the impact a cyberattack can have on their operations, on their reputation and on their company as a whole.”
Maya Bundt, Director, Bâloise Holding; Board member, Swiss Risk Association; Member of the World Economic Forum's Global Future Council on Cybersecurity

The 2022 Global Cybersecurity Outlook report highlighted a clear disparity in how business executives and cyber executives described the integration of cyber resilience into enterprise risk-management strategies. The 2023 survey findings illustrate a narrowing of that perception gap, with 95% of business executives and 93% (up from 75% in the 2022 edition) of cyber executives agreeing that cyber resilience is integrated into their organization's enterprise risk-management strategies. In addition, most business and cyber leaders also agree that incorporating cyber-resilience governance into their business strategy
99、is one of the most impactful principles when it comes to cyber resilience.Note:The question asked“Which of the following describes your organizations views of cybersecurity?”.Global Cybersecurity Outlook 202316Cyber resilience in my organization is integrated into enterprise risk management strategi
100、esHow do you feel about your organizations ability to be cyber resilient?FIGURE 12FIGURE 91010%20%30%40%Cyber leadersBusiness leaders15%24%32%21%I feel we are not cyber resilientI am concerned about my organizations ability to be cyber resilient20222023Business leaders20222023Cyber leader
101、s7%4%57%32%27%46%7%20%14%13%4%54%29%2%73%12%We perform common cyber-resilience practices,but recognize the need for strong growth and improvementI feel confident we are cyber resilientGlobal Cybersecurity Outlook 202317Not only is there a shift in leaders perception of their priorities,but there is
102、a shift in reported behaviours among cyber leaders.More than half(56%)of cyber leaders meet with business leaders monthly,or more frequently,to discuss cyber-focused topics.More frequent communication means more opportunities to align on cybersecurity priorities.Perhaps as a corollary,organizational
103、 leaders who meet more often are more confident in their organizations cyber resilience than those who meet less frequently.Of respondents who meet at least monthly,36%are confident that their organization is cyber resilient.Only 8%of those respondents report that their organizations either are not
104、cyber resilient or that they are concerned about their organizations ability to be cyber resilient.Meeting frequently is one of many ways to boost the priority given to cyber risk in business decisions.A common theme in workshops and interviews was an increasing trend for chief information security
105、officers(CISOs)to report directly to the chief executive officer.One interviewee noted,“I think business executives really need to think about organizational design.In certain cases,CISOs are still reporting to CIOs chief information officers.Thats sometimes an inherent conflict of interest,”because
106、 chief information officers,when budgeting,might deprioritize security in favour of more functionality.That noted,discussions with Forum partners at CIO level indicate that CIOs whose organizations have suffered a severe or sophisticated cyberattack are very likely to prioritize security after this
experience. This suggests that board culture and executives’ familiarity with cyber risk are also important. Overall, it is a case of creating the right incentives regardless of the reporting line. Another interviewee stated, “You have a business-unit executive who has to trade-off functionality and security. They have limited budget and they get no credit for security.”

Dealing with these conflicts is fundamentally a task for executive leadership, and a strategic question for corporate boards of directors. Ultimately, cyber resilience will require the adoption of better governance practices including those developed by the World Economic Forum, the National Association of Corporate Directors (USA) and the Internet Security Alliance in their 2021 Principles for Board Governance of Cyber Risk.[8]

Supply-chain risk

In the 2022 edition of this report, 39% of respondent organizations had been affected by a third-party cyber incident. To put it another way, they were “collateral damage” after their operations were disrupted by cyberattacks on companies from whom they bought or to whom they sold services.[9] Third-party organizations that have direct connections with an organization or that process organizational data are a primary concern to all surveyed organizational leaders. Some 90% of respondents are concerned about the cyber resilience of such third parties.

Supply-chain risk is an indicator of the risk that is shared across a particular sector, sectors or countries and it is something that regularly affects important everyday services. For example, in February 2022, a cyberattack on commercial satellite services in Ukraine caused electricity-generating wind farms to shut down across central Europe.[10] In July 2021, supermarkets in Sweden were forced to close their doors after a cyberattack on IT services provider Kaseya, based in Florida, USA.[11] In both cases, the rolling flow of disruption across sectors was the result of a dependency on another organization’s services and the outcome of a service breakdown was unpredictable.

[FIGURE 14: Compared to my own organization’s cyber resilience, I perceive our third-party organizations (who have direct connections, processes, or data) to be: far less resilient; slightly less resilient; equally as resilient; slightly more resilient; far more resilient. Responses from business leaders and cyber leaders.]

Creating cyber resilience across a supply-chain

These incidents show how the technologies that support businesses, infrastructure and societies are increasingly interdependent and vulnerable. This is because, as noted by the Forum’s Global Future Council on Cybersecurity in 2022, “technological and comparative advantages can incentivize different organizations, often from different sectors, to rely on the same third-party hardware, software or service provider. Many firms, for instance, might have a reliance on poorly maintained open-source projects, or on the same cloud company or domain name services (DNS) provider. This concentrates risk when a shared service or commonly used technology is disrupted by cyberattackers.”[12]

Larger firms typically have small and medium organizations in their supply chain and consider them as critical partners. When these critical partners are taken out of action through the technical or financial fallout from a cyber incident, the entire ecosystem, including the larger organizations, is negatively affected.

At the World Economic Forum’s Annual Meeting on Cybersecurity in November 2022, the difference between the capabilities of larger and smaller organizations was raised as a point of concern by cybersecurity experts working across sectors and regions. Smaller firms were more likely to suffer from a lack of the trained cybersecurity experts needed to manage internal risk. Cross-sectoral resilience measures, such as cyberthreat information sharing, were of less value due to the same cyber skills and capacity issues.

Participants at the same meeting argued that it can be more difficult to hold the attention of the boards in small and medium-sized organizations because for them cyberattacks, while perhaps more likely to test the survival of a smaller organization, are episodic and potentially more easily forgotten than they are for larger firms that suffer regular attacks. Added to this, smaller organizations do not often have the capacity to respond to incidents and are more likely to be economically paralysed by a major attack. This should make preparation for cyberattacks on suppliers a part of cyber-resilience measures and business continuity planning.

Leaders from larger organizations, those with more than 1,000 employees, were more likely to report incidents where they were negatively affected by a cyber incident originating from their suppliers, service providers or business partners (39% of larger organizations affected) than smaller organizations with fewer than 1,000 employees (25%). In addition, larger organizations were less likely to report their third parties as being equally resilient as themselves (23%). Small to medium-sized enterprises, those with fewer than 1,000 employees, were more likely to consider those third parties to be equal in their cyber-resilience capabilities (38%).

[FIGURE 15: Has your organization submitted a claim using your cyber insurance policy in the past two years? Responses by organization size (250 employees; 251-1,000 employees; 1,001-10,000 employees; 10,001-100,000 employees; 100,001+ employees): “No, we have not submitted a claim”; “Yes, and the claim was successful”; “Yes, and the claim was not successful”; “We currently do not have a cyber insurance policy”; “I do not wish to disclose this information”.]

The role of cyber insurance

Cyber insurance is another way for organizations to mitigate the damage from cyber incidents. Similar to supply-chain risk, organizational size was a determining factor in whether an organization was likely to have cyber insurance. Smaller organizations were more likely to report they did not have cyber insurance (48%) than larger organizations (16%). This shows a critical gap in the cyber resilience of the entire ecosystem. Cyber insurance often comes with required actions that are likely to improve the cyber resilience of the insured party. If a smaller organization has an incapacitating cyber incident, with subsequent upstream effects on larger organizations, it will not have the resources to respond, nor will it receive assistance in its post-attack recovery in the form of an insurance payout.

In the absence of insurance, organizations would do well to focus on initiatives that support ecosystem resilience. By increasing the level of protection across their supply chain, organizations will enhance the cyber resilience of their own operations.

2.2 Gaining leadership support

Security executives gain by articulating a story to their board that aligns with corporate and business priorities. Boards should be presented with a cyber posture that resonates with customers’ and authorities’ expectations, and helps address sectorial ecosystem challenges.
Christophe Blassiau, Senior Vice-President Cybersecurity & Global Chief Information Security Officer, Schneider Electric

The shifts in perception and actions described above illustrate a closing gap between cyber leaders and business leaders in their perceptions of leadership support. The 2022 Global Cybersecurity Outlook report highlighted how cyber leaders perceive leadership support as a primary challenge in the management of organizational cyber resilience. This year’s outlook indicates that a third of all cyber leaders still ranked gaining leadership support as the most challenging aspect of managing cyber resilience. A majority, 94%, of respondents believe, however, that their board of directors has a duty of care when it relates to cybersecurity.

The security staff deserves the same level of trust that you would put in other business leaders. You may not know exactly what is coming, but you should be able to trust that the security leader is directionally right and you understand what their priorities are.
Remko Vos, Chief Executive Officer, CUJO

Cybersecurity and the board’s duty of care

Organizational leadership has begun to listen to the concerns of cyber leaders. One interviewed executive explained, “Boards’ understanding of their responsibility and duty of care has improved. In larger or regulated firms, this awareness has been helped by the interlocking committees that give several board members quite a bit of exposure to questions of digital transformation, information security, business continuity and cyber resilience.”[13]

[FIGURE: My organization’s board of directors is able to uphold a duty of care when it comes to cybersecurity. Responses from cyber leaders and business leaders.]

A primary challenge for cyber executives is shifting from gaining board support to enabling impactful board action. Multiple interviewees brought up the disconnect between how cyber risks are communicated to boards and how boards interpret and translate those risks in the context of overall enterprise risk. While boards appear to be more cyber aware than before, the questions they are asking about cybersecurity imply that they may not have fully grasped the effect of cyber risk on enterprise risk. In addition, many continue to struggle to determine which questions are best suited to assessing information provided by their cybersecurity teams and enabling informed and risk-based decisions. As one interviewee stated, “Being able to clearly describe the key operational risks and, as part of this, the key cyber-related risks, and then having the link between these risks and the operational or technical controls is important. This allows business leaders to gauge whether they know what their risks are and whether the organization is doing the right thing to protect itself.”[14]

The difficulties cyber leaders report in communicating with business leadership demonstrate a comprehension gap between security issues and business impacts. Cybersecurity and business leaders must learn to effectively translate their cyber risks into enterprise risk, and into the right operational and tactical measures to mitigate those risks. Here, the Forum’s Principles for Board Governance of Cyber Risk offers common principles on which cyber leaders and business leaders can build.

In order to shrink the gap in board-level understanding of cyber risk, security leaders should help their boards to:
- Understand the economic drivers and impact of cyber risk by reporting cyber risk in financial, economic and operational terms, not just in technical terms
- Align cyber-risk management with business needs by identifying how cyber-risk management and resilience help to meet business objectives

For corporate directors, and business leaders, the principles counsel them to:
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration[15]

2.3 Cyber talent management

Cyber talent recruitment and retention continues to be a substantial obstacle for all organizations, as seen in both the 2022 and 2023 Global Cybersecurity Outlook reports. The perception gap between business
and cyber leaders, however, has narrowed significantly, signalling alignment on the realities of the cyber labour market. The 2022 Outlook report found that 10% of cyber leaders indicated they lacked the critical people and skills needed to deal with a cyberattack. No business leaders indicated that deficit. Responses to the same question in this year’s Outlook report show that 10% of business leaders and 13% of cyber leaders feel that they have critical gaps in skilled personnel. The increases among both groups most likely indicate increased awareness of the talent gap rather than a worsening of the talent problem.

More than half of organization leaders in industries that provide or make heavy use of technology services (including those in the information technology and telecommunications industries) reported they have the skills needed today. In contrast, the industries that reported a lack of critical people and skills were mainly critical infrastructure industries including energy utilities and the public sector. The scale of the challenge in critical infrastructure, where specialized skills are often needed, is a concern. It will be difficult for many companies to solve the talent gap on their own
and solutions are likely to require partnerships.

[FIGURE 17: Does your organization have the skills needed to respond to and recover from a cyberattack? Responses from cyber leaders and business leaders: “We are missing critical people and skills”; “We have training and skills gaps in some areas”; “Not sure”; “We rely on third parties or external resources”; “We have the people and skills we need today”.]

[FIGURE 18: The cybersecurity skills gap by industry. Panels: “We have the people and skills we need today (by industry)” and “We are missing critical people and skills (by industry)”. Industries shown: information technology; energy utilities; insurance and asset management; public sector; banking and capital markets; professional services; cybersecurity; software and platforms; telecommunications.]

In this year’s Cybersecurity Outlook research, 59% of business leaders and 64% of cyber leaders
ranked talent recruitment and retention as a key challenge for managing cyber resilience. Additionally, less than half of respondents reported having the people and skills needed today to respond to cyberattacks. The level of shared understanding on this topic makes it more likely that steps can be taken to solve the challenge of creating and retaining cyber talent.

[FIGURE: The message is getting through (year-on-year alignment in business and security views on the skills gap). Responses from cyber leaders and business leaders, 2022 and 2023: “We are missing critical people and skills”; “We have the people and skills we need today”; “We have training and skills gaps in some areas”.]

3 A way ahead

Boosting cyber resilience starts with improving communication between cyber and business leaders.

3.1 Improving communication

The role of the chief information security officer (CISO) is one of the most dynamic careers. We secure entire organizations as they evolve with new technologies in an increasingly digital environment. This means the CISO has a role in supporting the transformational change of a business technology, culture and organizational structures.
Daniel Bariusso, Chief Information Security Officer, Banco Santander

Lost in translation?

In this year’s report, 17% of security executives expressed concern about the level of cyber resilience in their business. This was up slightly from 13% of security executives the year before. Conversely, the increased level of awareness of cyber risk among business executives led to a marked increase in concern, from 16% to 27%. This might be due to a better understanding by business leaders of the damage that can be done to their business operations, commercial relationships and reputation by a major cyberattack.

Survey responses for this report indicate that the increased concern among business executives could also be driven by regulatory demands for increased board-level accountability for cyber-risk management. For example, in late 2022 the United States Securities and Exchange Commission (SEC) created rules that make cyber-risk reporting and business resilience planning a vital component of effective board management.[16]

Security leaders and business leaders sometimes have difficulty translating cyber-risk information into mitigating actions in their organization. Security leaders who reported they were successful in translating risk to mitigation regularly demonstrated a capacity to make technical data comprehensible and relevant for organizational leaders. The difficulty in translating cyberthreats to operational risk is a barrier to collaboration between security executives and business leaders. Commonplace terms such as “ransomware” can be explained to boards more easily, but mapping cybercrime campaigns or threat actors to the targeting of particular assets and resources is complicated.

It has also proven difficult to quantify and assess cyber risk. Costs are often expressed in “average” terms when referring to a breach, but this may not be appropriate for an individual organization assessing its own risk. Many organizations have too many assets on their network to identify the key risk points, or even to map their assets. This makes it difficult to assess where and how much money should be spent. Without a way to clearly map risks to value-creating assets or processes, as well as a plan of action arising from this, it is hard to quantify and justify the resources that should be allocated to mitigating them.

Shared starting points

It can be useful to find a shared starting point for the conversation between security and business executives on cyber risk. As mentioned earlier in this report, business leaders are often well-practised in adapting their organizations to geopolitical change. The research for this paper also indicates that security leaders and organizational leaders share the same concerns about their personal cybersecurity. When considering personal risks, organizational leaders and security executives are most concerned about becoming victims of identity theft (ranked first) or cyber extortion and theft of data or money (ranked second and third by each cohort). So there are shared reference points at the macro level (geopolitics) and the micro level (personal digital security) that can be an entry point to a discussion on organizational and business cybersecurity.

[FIGURE 20: What cyber risk are you most concerned about when it comes to your personal cybersecurity? Rankings by business leaders and cyber leaders of: identity theft; cyber extortion (e.g. ransomware); losing my own money or valued data due to a cyberattack; critical infrastructure breakdown (e.g. essential goods and services) due to a cyberattack; geopolitical instability and cyberwar; blackmail due to compromised personal data; falsified or stolen medical data.]

Explaining return on investment in cybersecurity

During the World Economic Forum’s Cybersecurity Outlook Series of workshops in 2022, participants noted the difficulty of translating investment in cybersecurity into clear returns for the board, with one representative participant saying, “The three things board members are interested in are risk, opportunities and investment in cost. In cybersecurity, we talk about the cost a lot, but we need to better respond to the question, ‘What is the return?’ That is something we struggled with in cybersecurity. How do I know this is a good investment across the myriad of things that I could potentially be invested in? How can we improve at making effective metrics to help boards make better-informed decisions?”[17] Effective metrics are ones that a board can translate directly into informed decisions to drive the business.

Steps to close the communications gap

Cyber leaders should actively work to close the communication gap with their non-technical audiences so that the relevance of their recommendations is understood and incorporated into risk-management strategies. The challenge was clearly described by a business executive interviewee: “Cyber leaders remain, in general, weak at presenting the cybersecurity problem in terms that board-level executives can understand and act on. It’s also true that boards need to have questions they can ask to assess what their cyber leaders are telling them. However, the message from cybersecurity experts is still too technical and the data they are providing is too scattered. Lots of data is flying around and, while the environment can’t be made less complex, boards need to understand the strategic essence of the message being received from security teams and what that means for corporate governance and investment decisions in security and elsewhere.”[18]

Effective communication is the basis for success in any cyber-resilience programme. Cybersecurity leaders should use less technical jargon when speaking with business leaders. Boards of directors should help cybersecurity leaders understand what assets and processes must be prioritized for protection. Boards should then make themselves accountable for these priorities once they are set because cybersecurity resources are rarely sufficient to effectively defend all parts of an organization all of the time.

[FIGURE 21: Frequency of meetings (annually; quarterly; monthly; more frequent than monthly). Responses from business leaders and cyber leaders.]

3.2 Reviewing organizational design

Organizational structures play an important role in embedding cyber-risk management across an organization. They shape the frequency and quality of cyber-risk discussions, and can create opportunities for improved clarity, context and understanding between security and business teams. As one participant at the World Economic Forum’s 2022 Cyber Outlook Series of workshops highlighted with regard to organizational and reporting structures: “I report to the CEO, which is a huge advantage; we have portfolio companies where cybersecurity is still in IT. Not having direct reporting to the board is a big disadvantage. Reporting should come from the person responsible for it.”[19]

That participant was not alone in their opinion that the most senior cybersecurity executives should report directly to CEOs. Another respondent opined that by having the CISO report directly to the CEO, budgeting conflicts between security initiatives and technology enablement might be avoided.[20]

As observed in the 2023 Global Cybersecurity Outlook survey results, only 25% of all respondents indicated that the most senior cybersecurity executive in their organization reports
directly to the CEO. However, other security executives pointed to the importance of the chief information officer (CIO) as a champion for cybersecurity across a business. There is no single approach to making this work, but it is important that security executives have access to senior business leadership.

3.3 Building security culture

A security culture starts with awareness and includes everyone. Increased employee awareness about cyberattacks was cited by cyber leaders who took part in the survey as the most positive influence on an organization’s cyber-resilience approach in the next 12 months. An organization’s cyber capabilities grow with its employees’ understanding of cyber risks and their personal role and responsibility in helping to manage them.

Organizational leaders should consider pushing more accountability for operational cyber requirements onto business leaders. As an example of how this can change an organization’s security culture, one interviewee explained that their organization previously granted cybersecurity control exceptions without considering how those exceptions could increase their cyber risk. To address this, it is establishing a new executive committee to review exceptions. “Now if you need an exception, you will have to come in front of the CTO, CIO and CISO to defend your case. The business might not immediately be ready for the mitigation controls and the path forward, but now I am looking for a mindset shift. When you need to stand in front of three executives, your preparations have to be completely different. We need this to drive cultural shifts towards security.”[21]

The cybersecurity team, if used thoughtfully, can provide vital insights that help embed cyber-risk methodologies in an organization. For example, one security executive interviewed for this report identified their organization’s human resources team as being considerably more likely to open suspicious attachments than other parts of the organization. Further investigation revealed that staff in this team had no secure portal in which to access job applications from external candidates and were thus required to open large numbers of résumés that arrived as email attachments. The volume of attachments processed by this team increased the likelihood of a malware-infected attachment being opened. This allowed the security executive to make an organizational recommendation, that the human resources team be provided with an online portal for job application submissions to reduce the
risk of opening malicious files that could severely damage the wider company. This high-value consultative approach can be taken when boards give security executives the time and space to step away from their daily role of surveillance and response to act as an adviser to the rest of the organization. Where possible, security should be focused on higher-order topics that are more specialized than basic operations.

Cyber leaders should contribute cybersecurity requirements that business units can incorporate into their key performance indicators (KPIs), after which all leaders must demand real enforcement, real consequences and real incentives to achieve the agreed-upon KPIs. Meaningful incentive structures make change happen.

3.4 Closing the cyber talent gap

People think that cybersecurity is something that’s highly technical. Yes, some roles require deep technical expertise, but cybersecurity is a vast domain and making an organization cyber resilient also requires generalist roles that need a broader skillset, from education and awareness to policy writing, governance and others. We need more people in both the technical and generalist roles.
Bobby Ford, Senior Vice-President and Chief Security Officer, Hewlett Packard Enterprise

Expanding the talent pool

As indicated in the previous section, talent recruitment and retention continue to be a key challenge for managing cyber resilience. The shortfall between supply and demand for cybersecurity experts was estimated at 2.27 million in 2021.[22] Currently, organizations are competing for talent by paying more to the same small pool of people. This exacerbates the staff shortage by creating a high turnover of cybersecurity experts from company to company. Paying more is a stopgap that will not solve the longer-term problem.

More needs to be done to increase the flow of cybersecurity talent into the workforce. This has been a consistently difficult problem to solve, but it is also an area with possibilities for real progress. New and inventive projects are being launched every year. A significant number of organizations understand that cybersecurity touches on many areas of their activity and making an organization cyber resilient requires a wide range of skill sets. Respondents to the surveys as well as participants in the interviews and workshops consistently argued that the academic and professional disciplines that lend themselves to cyber-resilience skills are much broader than many people realize and are certainly not limited to computer science or engineering. The soft skills for cyber roles can come from disciplines such as economics, law, psychology, sociology, communications and media studies.

A broad solution to increase the supply of cyber professionals is to expand and promote inclusion and diversity efforts within cyber recruitment. Underrepresented groups in cybersecurity such as women, people of colour and those with informal educations have been continually discouraged from technical careers through societal expectations and perceptions of cybersecurity work culture. This is not a simple solution. As a first step, it requires broadening the narrative about who can work in cybersecurity so that people with non-technical backgrounds, as well as those outside of the traditional education system and from underrepresented groups, understand that there are currently roles for them as well and that it is possible to retrain for technical roles in the near future. Many cybersecurity roles can be learned on the job or through apprenticeships.

Democratizing access to cybersecurity career paths has the potential to be a social good, supporting reskilling of sections of the workforce. However, capitalizing on the increased interest in cybersecurity is also likely to require greater collaboration between organizations. Even high-quality apprenticeship and training programmes run by individual organizations, such as the Absa Cybersecurity Academy in South Africa,[23] have encountered difficulties scaling to large numbers. Diversity and talent pipelines can be further improved if organizations build relationships with civil society organizations such as Girls Who Code in the US and Africa Teen Geeks in South Africa. It’s also possible to open the recruiting process by focusing more on skills and experience rather than four-year degrees.

As cyberthreats evolve and expand, so must the talent pool that engages with them. As argued in October 2022 by experts from the Tech for Good Institute, the Tifa Foundation and the United Nations University Institution: “Designing and implementing appropriate cybersecurity solutions demands non-technical competencies such as business, management, legal, policy and diplomacy.”[24] The need for these competencies grows as “socio-technical threats such as social engineering and online abuse are increasingly prolific”.[25]

Social inclusion and diversity issues should not be decoupled from the discussion of cyber talent development. Many skills projects are successful because they focus on diversity of professional or lived experience. Diversity is not a “nice-to-have” addition to a cyber-skills programme but something that is likely to influence the programme’s success and also strengthen the cyber resilience of an organization to the highest degree. Employing a range of people with diverse opinions, backgrounds, experiences and identities leads to stronger outcomes and produces greater insights in any setting, including cybersecurity. Understanding the broad spectrum of skills needed to be cyber resilient in the current cyber landscape can help enable organizations to expand their hiring pools.

Work conducted by the World Economic Forum and its partners in 2021 identified four concrete steps taken by organizations that prioritize diversity, equity and inclusion. These steps should be seen as the minimum for organizations seeking to attract and retain a diverse workforce that will increase their cyber resilience:
- Ensure that leaders actively support diversity, equity and inclusion across the organization.
- Create opportunities for everyone to publish, write and engage in public speaking.[26]
- Treat all employees as individuals, provide opportunities for them to express themselves, create a safe space and acknowledge their contributions.
- Prioritize retention and development opportunities for diverse staff members. Employee retention is essential to increase diversity at higher organizational levels.

Once hired, organizations can train professionals to become effective cyber employees. Technology can always be taught, but traits such as curiosity, problem-solving and critical thinking are vital for cyber professionals. Organizations should therefore seek these traits even when recruiting experienced talent. As a Forum article says, “Professionals cannot be static in their knowledge to succeed in this field.”[27]

Conclusion

The 2023 Global Cybersecurity Outlook study showed that the profound disconnect between how cyber leaders and business leaders perceive cyber issues, a core finding of the 2022 edition of this report, has begun to close. Both security leaders and business leaders needed
to adapt and change their mindsets to make this possible. When we compare this year's findings with the 2022 edition of this report, business leaders are more aware of the threat landscape and cyber leaders made more frequent appearances before their board of directors. Both groups have a clearer view of the strengths and weaknesses of their organizations' cyber capabilities, and cyber issues are more integrated into enterprise risk management and now receive more board-level support.

However, the study also revealed that cyber and business leaders still have a great deal of work to do to truly understand each other, articulate the risk cyber issues pose to their business and translate that into meaningful management and mitigation measures. As the cyber landscape promises to become more complex in the coming years, it is critical that organizations work to resolve this now if they are to build systemic cyber resilience for the long term. Fortunately, building long-term capability is in the interest of all executives. As one leader stated, “There is value in providing business leaders with access to cyber-issue information. Business leader roles such as CRO, BoD and CEO evaluate risks over a long time frame, and this long-term strategic focus can help overcome the tendency to focus less on cyber response and more on cyber resilience.”[28]

Yet, the 2023 Global Cybersecurity Outlook study illustrated that time is both the most valuable asset and a stubborn adversary in this regard. The results indicated that the tenure for cyber leaders is often short and the turnover of cyber talent is high. Furthermore, the dynamics of the threat landscape frequently focus attention on tactical defence at the expense of extended strategy, horizon planning and investment. Jacky Fox, Europe Security Lead for professional services firm Accenture, put it this way: “One of the biggest barriers to cyber resilience in many organizations is time. Business leaders broadly understand they need to become more cyber resilient, but they can't snap their fingers to make it happen. They know there is a journey to travel to make their organizations cyber resilient, but time is not on their side.”

Breaking that cycle will require concerted communication and a coordinated risk-driven improvement effort across the C-suite. In a cyber environment with such interconnected systemic implications, this is imperative for all public- and private-sector organizations. Encouragingly, it is also a message that is recognized consistently in the Global Cybersecurity Outlook year after year and by leaders across the globe.

Appendix: Methodology

Insights for the Global Cybersecurity Outlook 2023 were gathered
from five sources: first, a survey of global organizational leaders; second, a workshop with the World Economic Forum's Cybersecurity Leadership Community and Global Future Council on Cybersecurity in October 2022, as well as workshops conducted during the World Economic Forum's Annual Meeting on Cybersecurity in November 2022; third, a multitude of interviews with experts and bilateral meetings; fourth, the collection of data from reports, research and articles published by the World Economic Forum and reputable third parties. In combination with all of these efforts, the World Economic Forum's team consulted 151 global organizational leaders.

Cyber Outlook Survey

The World Economic Forum's Centre for Cybersecurity and Accenture generated a survey comprised of 27 questions. The questions focused on cybersecurity and cyber-resilience progress, foresight, challenges and perceptions. The survey was administered to global leaders within the following groups: Accenture account teams' client counterparts; the Forum's cyber leadership community; the Forum's chief strategy officers community; the Forum's New Champions; and the Forum's Young Global Leaders. The survey was anonymous and non-attributable to the respondents or their respective organizations. Demographic questions were asked in the survey and included: industry; ranges of number of employees in the respondent's organization; annual revenue ranges of the respondent's organization; country in which the respondent's organization is headquartered; and the respondent's job title.

There were a total of 117 responses from 32 countries and 22 industries. Except for one percentage slider (ranging from 0-100%) and seven sentiment responses (ranging from 1 to 10 where 1 is “strongly disagree”, 5 is “neither agree nor disagree” and 10 is “strongly agree”), all survey questions provided respondents with a list of pre-populated answers from which they could select. Where appropriate, a text box labelled “other” was available to permit the addition of responses not included in the pre-populated responses. Three questions asked respondents to rank their responses, which also permitted
respondents to create and rank their own unique responses using a text box input.

Cyber Outlook Series

The Forum Centre for Cybersecurity hosted a series of workshops in 2022 as part of its Cyber Outlook Series sessions, with the goal of creating opportunities for unique peer-level exchanges on key cybersecurity issues among members of various leadership communities. This series included a workshop to test the validity of the Global Cybersecurity Outlook survey results. During 2022, the Forum actively engaged more than 151 members of these communities on the questions raised in this report. The Cyber Outlook Series of workshops were held under the Chatham House Rule; consequently, no information in this report is attributed to a specific member of these communities.

Contributors

World Economic Forum

Lead authors

Gretchen Bueermann, Research and Analysis Specialist, Centre for Cybersecurity, Switzerland
Seán Doyle, Lead, Centre for Cybersecurity, Switzerland

Additional contributors

Daniel Dobrygowski, Head of Governance and Trust, Centre for Cybersecurity, USA
Akshay Joshi, Head of Industry and Partnerships, Centre for Cybersecurity, Switzerland
Luna Rohland, Early Careers Programme, Centre for Cybersecurity, Switzerland

Accenture

Carlos Aguirre, Security Senior Manager, USA
Taylor Browder, Security Consultant, USA
Jim Pruitt, Principal Director, USA
Michael Rohrs, Security Senior Manager, USA
Lauren Stockton, Security Senior Analyst, USA

Acknowledgements

Harim Jung, Data Analyst, Climate Change Data Visualisation Org, South Korea
HyoJin Park, Creative Producer, World Economic Forum, Switzerland
Campbell Powers, Data Fellow, World Economic Forum, Switzerland; Salesforce, USA
Giovanni Salvi, Data Intelligence Manager, World Economic Forum, Switzerland
Nicolas Siegenthaler, Video Producer, World Economic Forum, Switzerland

Editing and design

Laurence Denmark, Designer, Studio Miko
Sophie Ebbage, Designer, Studio Miko
Alison Moore, Editor, Astra Content

Endnotes

1. World Economic Forum, “Systemic Cybersecurity Risk and Role of the Global Community: Managing the Unmanageable”, November 2022: https://www3.weforum.org/docs/WEF_GFC_Cybersecurity_2022.pdf.
2. Pipikaite, A., Holla-Maini, A., Ware, B. and Dickinson, M., “Will the Battle for Space Happen on the Ground?”, World Economic Forum, 25 May 2022: https://www.weforum.org/agenda/2022/05/increased-cybersecurity-for-space-based-services/.
3. World Economic Forum, “Earning Digital Trust: Decision-Making for Trustworthy Technologies”, 15 November 2022: https://www.weforum.org/reports/earning-digital-trust-decision-making-for-trustworthy-technologies.
4. Phone interview with Seán Doyle, World Economic Forum, 19 September 2022.
5. See Cybersecurity and Infrastructure Security Agency, “Apache Log4j Vulnerability Guidance”: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
6. Phone interview with Seán Doyle, World Economic Forum, 13 October 2022.
7. Phone interview with Seán Doyle, World Economic Forum, 9 September 2022.
8. World Economic Forum, “Principles for Board Governance of Cyber Risk”, 23 March 2021: https://www.weforum.org/reports/principles-for-board-governance-of-cyber-risk.
9. World Economic Forum, “Global Cybersecurity Outlook 2022”, January 2022: https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2022.pdf.
10. Page, C., “Viasat Cyberattack Blamed on Russian Wiper Malware”, TechCrunch, 31 March 2022: https:/
11. […] Coop Supermarkets Shut Due to US Ransomware Cyberattack”, BBC News, 3 July 2021: https:/
12. […] Economic Forum, “Systemic Cybersecurity Risk and the Role of the Global Community: Managing the Unmanageable”, November 2022: https://www3.weforum.org/docs/WEF_GFC_Cybersecurity_2022.pdf.
13. Phone interview with Seán Doyle, World Economic Forum, 17 September 2022.
14. Phone interview with Seán Doyle, World Economic Forum, 14 October 2022.
15. World Economic Forum, “Principles for Board Governance of Cyber Risk”, 23 March 2021: https://www.weforum.org/reports/principles-for-board-governance-of-cyber-risk.
16. World Economic Forum, “Here's What Regulators Will Want Boards to Know About Cybersecurity”, 24 October 2022: https://www.weforum.org/agenda/2022/10/here-s-what-regulators-will-want-the-board-to-know-about-cybersecurity/.
17. World Economic Forum, Cyber Outlook Series Workshop, Cyber Outlook Series, Virtual, 22 October 2022.
18. Phone interview with Seán Doyle, World Economic Forum, 6 September 2022.
19. World Economic Forum, Cyber Outlook Series Workshop, Cyber Outlook Series, Virtual, 22 October 2022.
20. Phone interview with Seán Doyle, World Economic Forum, 10 October 2022.
21. Phone interview with Jim Pruitt, World Economic Forum, 3 October 2022.
22. (ISC)², “(ISC)² Cybersecurity Workforce Study”, 2022: https://www.isc2.org/Research/Workforce-Study.
23. ABSA, “Cybersecurity Academy”: https://www.absa.africa/absaafrica/a-force-for-good/cybersecurity-academy/.
24. Christine, D., et al, “Beyond Supply and Demand: Addressing the Multidimensional Workforce Gaps in Cybersecurity”, World Economic Forum, 21 October 2022: https://www.weforum.org/agenda/2022/10/cybersecurity-workforce-gaps-inclusive-approach-jobs/.
25. Ibid.
26. Pipikaite, A. and Zabierek, L., “Why Cybersecurity Needs a More Diverse and Inclusive Workforce”, World Economic Forum, 26 October 2021: https://www.weforum.org/agenda/2021/10/why-cybersecurity-needs-a-more-diverse-and-inclusive-workforce/.
27. Ibid.
28. Phone interview with Seán Doyle, World Economic Forum, 18 September 2022.

World Economic Forum
91-93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0)22 869 1212
Fax: +41 (0)22 786 2744
contact@weforum.org
www.weforum.org

The World Economic Forum, committed to improving the state of the world, is the International Organization for Public-Private Cooperation. The Forum engages the foremost political, business and other leaders of society to shape global, regional and industry agendas.