global security outlook blog

Top 5 Takeaways from the WEF 2023 Global Security Outlook Report

This year’s Global Security Outlook report from the World Economic Forum contained a great deal of insight into the state of cybersecurity. Dan Raywood breaks down the five key governance, risk and compliance takeaways.

Last year the World Economic Forum announced plans for a public-private partnership to combat cybercrime, saying that in order to “systematically address” the threat, “it is imperative to raise the cost of conducting cybercrime and increase the risks for cyber-criminals.”.

After this announcement, this year’s Global Security Outlook Report from the World Economic Forum (WEF) encompassed major cybersecurity trends in 2023. The executive summary states: “The significance of cyber risk has certainly been heard in C-suites and boardrooms. On the other hand, whether cyber leaders and business leaders understand each other well enough to meet this challenge is an open question.”

This point was rather telling, as the subjects of communication, risk and compliance posture were all prominent throughout the report. With a wide array of topics covered, this blog will look at five of the top takeaways that most correspond to risk, compliance and regulation.

Cyber Risk Stands Out

Ultimately the subjects covered in this report all impact cyber risk, but in particular, the WEF said there were significant movements forward in understanding cyber risk. In particular, it admitted that when insights on emerging cyber threats were collected, the work on translating “cyber-risk issues into communication that C-suites and boards of directors can use effectively” was evident, as well as what else still needs to be done.

While “awareness of cyber-risk issues, at the executive level, has gone up”, there remains a challenge for businesses to determine how best to address cyber risk. The WEF claims that this “remains a challenge for organisational leaders”, and while boards appear to be more cyber-aware than before, the questions they are asking about cybersecurity imply that they may not have fully grasped the effect of cyber risk on enterprise risk.

Board Communication With Security Leaders

Much like there is an improvement in the adoption of cyber-risk issues into communication, board communication with security leaders is a key trend in this year’s report. 

The WEF claims that more fluid communication around effective cyber risk management is being enabled by changes in organisational structures, enabling those discussions to take place. This includes increased cyber risk awareness among business executives, with 27% reporting this increase – compared to 16% last year.

Also, the WEF highlights a shift in reported behaviours among cyber leaders, as 56% of cyber leaders meet with business leaders monthly or more frequently to discuss cyber-focused topics.

How Cyber Resilience is Integrated into Risk Management

Following on from the board communication takeaway, the concept of cyber resilience was particularly prominent as it was determined that “boosting cyber resilience starts with improving communication between cyber and business leaders” and “effective communication is the basis for success in any cyber-resilience programme.”

The WEF report highlighted the level of integration of cyber resilience into enterprise risk-management strategies, with 95% of business executives and 93% of cyber executives agreeing that cyber resilience is integrated into their organisation’s enterprise risk-management strategy.

So how is cyber resilience enabled? There is the communication factor, as this allows “more opportunities to align on cybersecurity priorities”, and the WEF claims those leaders who meet more often are more confident in their organisation’s cyber resilience than those who meet less frequently. Also, a third of all cyber leaders said gaining leadership support was the most challenging aspect of managing cyber resilience.

The Impact of Regulations Upon Compliance

An argument could be that regulations determine compliance, and therefore one leans on the other. The WEF report claims that cyber executives are now more likely to see data privacy laws and cybersecurity regulations as effective tools for reducing cyber risks across a sector. 

One key point made on the subject of regulation is whether they impact a business’s operations, as some elements of cybersecurity regulations “remain duplicative and can move resources from core cybersecurity work towards activities that aim primarily to demonstrate compliance rather than to keep an organisation secure.”

However, regulations are essential as they are something boards actively respond to and “are a valuable starting point for embedding cyber-resilience techniques across an organisation.”

A standard to follow, rather than something to be seen as a hindrance and obstruction to how a company operates? The report found that 76% of business leaders and 70% of cyber leaders agreed that further enforcement would lead to an increase in their organisation’s cyber resilience, and adequately enforced regulations will raise the quality of cybersecurity across their sector and their supply chains, which will, in turn, make their business less prone to collateral damage from attacks on other organisations.

How Doing Risk Management is a Positive Step Forward

Risk management is a crucial part of cybersecurity; boards understand and tackle this as part of their communications and actions. The report claimed that organisations that embed cyber-risk management across multiple aspects of their activities find it easier to develop strategic responses to changes in the threat environment, making their organisation more resilient to attacks when they occur.

Also, it was stated that security leaders should help their boards to align cyber-risk management with business needs by identifying how cyber-risk management and resilience help to meet business objectives.

Ultimately there was a lot to take away from this year’s WEF cyber report, but the report’s own summary claims that “business leaders are more aware of the threat landscape and cyber leaders made more frequent appearances before their board of directors.” This ensures both groups have a clearer view of the strengths and weaknesses of their organisations’ cyber capabilities, and cyber issues are now more integrated into enterprise risk management and receive more board-level support.

This should ensure that businesses are more aware of the threats posed to them to create a better risk management program and a more assertive cyber risk posture.

Explore ISMS.online's platform with a self-guided tour - Start Now