In the year since the calamitous Colonial Pipeline cyber-attack, we’ve seen a heightened awareness and a greater level of engagement in cybersecurity initiatives from the government and industry leaders. For example, President Biden issued an ambitious executive order in May of 2021 to improve federal cybersecurity. In 2022, the SEC proposed an amendment to its reporting requirements around cyber incidents. Most recently in the private sector, the World Economic Forum (WEF) introduced the Cyber Resilience Pledge at its Annual Meeting, Davos 2022. The Pledge is an initiative directed at global gas and oil stakeholders, and it aims to reinforce cyber resilience against dangerous attacks and “mobilize global commitment” across industries.
Davos 2022 was the first in-person WEF meeting since the outset of Covid-19. It was themed “History at a Turning Point: Government Policies and Business Strategies,” and the problem of cyber resilience in oil and gas proved a necessary addition to the roster of more traditional topics such as food crises, health matters, and the world economy. Featured speaker Puesh Kumar of the US Dept. of Energy cited the Colonial attack as a direct influence on this initiative. He emphasized the importance of the oil and gas community leaders coming together to absorb and act on the lessons presented by what is now regarded as one of the most substantial attacks on our Nation’s critical infrastructure. The operational technology that supports the oil and gas industry is highly susceptible to hackers, and we’ve reached a point where business leaders must work together to protect the assets on which millions of people rely.
It’s time for global leaders to step forward
WEF Centre for Cybersecurity Head Alexander Klimburg praised the Pledge as a “landmark step” towards cultivating an industry-wide cyber-resilient “ecosystem.” Champions such as Dragos, Claroty, Saudi Aramco, and more have come together to establish a framework for executive leadership to evaluate cyber risk and nurture cyber resiliency. The oil and gas sector has grappled with supply chain challenges through the Covid-19 pandemic and the heightened geopolitical tensions that have arisen from the Ukraine-Russia conflict. Board members and corporate executives are becoming increasingly aware of the devastating consequences that cyber criminals pose to their already precarious circumstances. The challenge for these business leaders is performing their due diligence and effectively managing and mitigating the cyber threats facing their organizations. With the ever-expanding threat landscape, the task seems tremendous, but the Cyber Resilience Pledge intends to provide such guidance. It is based on six “consensus principles” that give corporate leadership guidelines for driving cyber resilience across industries:
- Cybersecurity is a strategic business enabler
- Understand the economic drivers and impact of cyber risk
- Align cyber risk management with business needs
- Ensure organizational design supports cybersecurity
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration
The WEF’s Playbook for Boards and Corporate Officers outlines these six principles in detail, along with accompanying case studies.
This path to cyber resilience is well-aligned with the core tenets of Axio’s risk-based approach to cybersecurity because it takes technical problems and translates them into actionable business problems. These decision-makers need to know how a cyber incident could affect their bottom line. This approach leads board members toward making quantifiable decisions by answering the following questions:
- What are the biggest risks, and how do they translate to financial terms?
  Cyber risk quantification presents business leaders with a clear picture of various solutions and the associated cost scenarios.
- What is our cyber maturity level in relation to established cybersecurity frameworks, and how does that maturity level align with the answer to the preceding question?
  Maturity-based assessments promote a framework that any company of any size or stage of maturity can use.
- Do we have the proper funds and insurance to recover financially when an attack occurs?
  Cyber risk management is a constantly moving goalpost, and risk posture can change on a dime; a risk-based approach means the program can quickly adjust to operational or fiscal changes at any time.
- How does our risk and mitigation strategy line up with our peers?
  When the public interest is at stake, benchmarking and transparent, actionable data are required to stay reasonably informed before, during, or after a cyber-attack.
Axio’s approach to cyber resilience has produced Axio360, a decision-support risk-assessment software platform that answers these questions. The system generates reports that contextualize risk exposure, risk tolerance levels, and a bird’s-eye view of the industry’s risk landscape. It also provides a dynamic, continual assessment process, which is vital for coping with today’s growing threat landscape and the increasing digitalization sweeping every industry (especially the oil and gas sector). For further reading on this topic, download our board of directors’ guide, “Getting the Board Game Right: A Board of Directors Guide to Making Informed Cybersecurity Decisions.”