Key Takeaways from the World Economic Forum’s Resilience Imperative
In 2016, the World Economic Forum’s Global Risks Report called for a “Resilience Imperative”: an urgent search for new ways to withstand, mitigate, adapt to and build resilience against global risks and threats. In its drive toward this resilience imperative, the WEF recently held the third of three workshops, which focused on the financial, healthcare and transportation sectors. The event was held in August in New York City. As a speaker and active participant (respecting the Chatham House rules), I would like to share some of the discussions we found most relevant.
Key themes emerged around the move to cloud, reliance on ecosystems, legal frameworks, cross-sector collaboration, segmenting and micro-segmenting, and the use of latest technology tools. Some of the important comments on these issues include:
- “Cloud can be a game changer for systemic risk mitigation. Migration to the cloud is a great opportunity to enhance security of critical infrastructure – we can’t blow it. Migration must be managed with security in mind.”
- “Ecosystem security is different, because you don’t own it yet must rely on it. This requires a different approach to security.”
- “The legal framework for information sharing must continue to improve.”
- “Cross-sector collaboration is occurring, but is haphazard.”
- “Segmenting your networks is still the number one way to avoid the cascade effect, but the tools for how you do it have changed along with the times.”
- “We can’t firewall our way out of this [systemic risk] situation.”
The workshop focused on three critical industry sectors – healthcare, transportation and finance:
- In healthcare, the security of supply chains is both a risk and a possible resilience benefit. One option is pre-positioning long-lead-time items for whichever group needs them, as the energy sector is doing now. The life sciences component is increasingly reliant on machine-to-machine networks, which bring their own systemic risks to the table and thus must be mitigated with a special focus.
- The transportation sector risks cascading failures with national consequences. In transportation, the introduction of smart vehicles creates additional areas of risk, including vehicle-to-vehicle, vehicle-to-infrastructure, and intra-vehicle operations. Allowing multiple systems with totally different functions to share common infrastructure requires a community-of-interest security model for optimum risk/reward and safety. The total weight of a vehicle (air and ground) is a countervailing factor to risk reduction: there is a strong push away from redundant hardware and toward a common information infrastructure, which needs to be offset with an increased focus on advanced segmentation techniques that can deliver logical separation without additional physical weight.
- Financial sector interdependence spans the globe, and the ripple effect of a single bank breach can lead to a cascade effect that threatens trust in entire segments of the banking sector. Air gaps no longer protect systems, and newer encryption-based technology is being employed that must defend against insiders as well as external attackers, while providing very high-speed, low-latency connections with the rest of the financial ecosystem. Identity is becoming a key factor, moving to leverage physical and behavioral biometrics, as well as risk scores, for access control. The financial sector has a lot going for it, with high levels of security spend, top people running security, and the strongest of the Information Sharing and Analysis Centers (FS/ISAC). A current limiting factor is the reporting structure of security groups, with many still reporting through a CIO instead of more directly to a risk committee of the board or other C-level executives with a broader appreciation of risk than technology alone. There is an evolving trend toward a Chief Trust Officer who would coordinate the logical, physical, privacy and insurance aspects of risk into a trust-based business recommendation for the ultimate decision makers. Adding strong security/risk/trust professionals to banking and insurance boards was also discussed in a positive way.
The White House’s new Presidential Decision Directive (PPD-41) was discussed, with most people feeling that it was focused more on helping to defend government-controlled entities and would not have a great impact on privately controlled infrastructure such as banks, airlines or hospitals. Projects such as the East West Institute’s breakout group on Global Infrastructure Protection (G.CIP) were also discussed and offered as another venue for informed discussion from a global perspective.
Overall, the workshop provided great insight into the global issue of infrastructure resilience, both in the aggregate and with special focus on these three sectors. It was widely agreed that a cascade failure is probable in these sectors without strong cooperation within and across sectors. All speakers praised the WEF effort to bring focus to, and identify solutions for, this resilience imperative.