Navigating Cyber Complexity in a Risky World: Lessons Learned from WEF
Cyberthreats may have dropped slightly on the list of global risks to watch over the next 2-10 years. But according to the World Economic Forum (WEF), they remain a prominent concern for business leaders. As the NGO’s latest Global Cybersecurity Outlook warns, building effective resilience to such threats is becoming harder in the face of escalating complexity.
Going forward, the key for security and compliance professionals is not to reinvent the wheel. The best course of action is to understand the threat landscape and what’s most at risk inside the organisation and take best practice steps to mitigate that risk continuously and demonstrably.
What Does WEF Say?
WEF’s Global Risks Report 2025 is based on the opinions of 11,000 business leaders and risk experts in academia, business, government, international organisations and civil society. They rank “cyber espionage and warfare” (confusingly also including non-state actor attacks) fifth on the short-term risks list. That’s down from fourth last year when the category was named “cyber insecurity”. And in terms of long-term risk over the next decade, it sits in ninth, down from eighth.
However, we shouldn’t read too much into this slight downranking. It’s also notable that “adverse outcomes of AI technologies” sit sixth on the long-term risk list. These “outcomes” could certainly be influenced by malicious cyber-activity such as data/model poisoning.
More interesting is the cybersecurity-specific report released by WEF in the same week last month. It warns of an increasingly complex cybersecurity landscape driven by:
Escalating geopolitical tensions
These are influencing nearly 60% of responding organisations, with a third of CEOs citing cyber-espionage and loss of sensitive information/IP as significant concerns.
Greater integration of and dependence on more complex supply chains
Over half (54%) of organisations cite this as the most significant barrier to achieving resilience.
Rapid adoption of emerging technologies, expanding the attack surface
Two-thirds (66%) of respondents claim AI will impact cybersecurity in the next 12 months, but just 37% have processes in place to assess the security of AI tools before using them.
A growing regulatory compliance burden
Some 78% of private sector leaders say cyber and privacy regulations effectively reduce risk, but two-thirds of respondents admit the complexity and sheer number of requirements are a challenge.
These challenges are worsened by a growing cyber-skills gap, making risk more difficult to manage, alongside more sophisticated cyber threats. Some 72% of respondents say cyber risks have risen in the past year, with ransomware attacks, supply-chain threats and cyber-enabled fraud occupying the top three spots, respectively.
The Problem with Cyber Resilience
It is often (rightly) said that even the most secure organisation will eventually suffer some kind of security breach. Therefore, the focus for CISOs today is on cyber resilience: the ability to “anticipate, withstand, recover from, and adapt” to these events so that business operations can continue even following a serious intrusion. So, it should be of some concern that cyber resilience is worsening in smaller organisations.
According to WEF, the percentage of SMB respondents claiming insufficient resilience has risen from 5% in 2022 to 35% in 2025. By contrast, the figure virtually halved from 13% to 7% over the same period for large organisations. According to the report, 71% of cyber leaders at the WEF Annual Meeting on Cybersecurity 2024 claimed that small organisations have reached a “critical tipping point” where they can no longer secure themselves effectively against the growing complexity of cyber risks.
This matters to organisations of all sizes because even the largest enterprise may have a multitude of small business partners in its supply chain. The WEF report highlights a “lack of visibility and oversight” of suppliers’ security posture as a leading risk. Suppliers in this context could mean everything from an open-source contributor to a professional services partner or MSP.
Yet while 63% of respondents to the report cited “a complex and evolving threat landscape” as their most significant challenge to becoming cyber resilient, the first – often insurmountable – hurdle is for CISOs and their boards to build an economic case for more investment in cyber. Or as WEF puts it: “the need for leaders to quantify cyber risks and their economic impacts to align investments with core business objectives.”
Getting Started
Regulation is the elephant in the room here. Although well-designed legislation can provide a valuable focus for security teams in their efforts to manage risk, the current regulatory landscape has become extremely challenging to navigate. Three-quarters (76%) of CISOs at the previously cited WEF Annual Meeting apparently reported that “fragmentation of regulations across jurisdictions greatly affects their organisations’ ability to maintain compliance”. This chimes with the ISMS.online State of Information Security Report 2024, which reveals that 65% of respondents find the rapid pace of regulatory change is making it harder to comply with information security best practices.
This is where standards and certifications can help by delivering the foundations on which regulatory compliance programmes can be built. As many of these regulations call for deploying the same underlying best practices, this approach can also save time, money and effort. That’s why 59% of respondents to the ISMS.online study claim they plan to increase spending on these programmes over the coming year.
Malachi Walker, security advisor at DomainTools, argues that this approach will not only help regulatory compliance efforts but could also drive competitive advantage in the form of eligibility for more contracts, security team efficiency and increased customer trust.
“Best practice standards like NIST CSF, SOC 2 and ISO 27001 close this gap by giving actionable and specific steps organisations can follow to increase their cyber resilience,” he tells ISMS.online.
“Every organisation, no matter the size, can limit access controls to sensitive data, develop and practice an incident response plan, and outline which areas within their organisation are most vulnerable. If they approach compliance with these three steps in mind, compliance and cybersecurity resilience will become more attainable.”
As WEF notes in its report: “The time to act is now”.