Good morning everyone here in the room, especially on the panel and also on the live stream, and good morning to everyone who hacked into the cameras of our phones and is watching from there. Welcome to the first press conference of today from the 47th annual meeting of the World Economic Forum here in snowy Davos. It is a topic that we are dedicating this panel today that requires all of us, especially companies, to be wide awake. So welcome to this early morning press conference. The topic is, in fact, how well our company is prepared to withstand cyber attacks. You know, the World Economic Forum has been talking a lot about the fourth industrial revolution. This is, if you will, the dark side of the fourth industrial revolution that we are taking a closer look at today, and I'm very pleased that we're joined by an expert panel to tackle this topic today. Let me quickly introduce my fellow panelists. To my immediate left, I'm joined by Derek O'Halloran, who's a Forum colleague first of all, but more importantly he's the head of the systems initiative on shaping the future of digital economy and society at the World Economic Forum. On his immediate left, we are joined by Walter Bohmayr, the senior partner and managing director of the Boston Consulting Group. Right in the center of our panel, we're joined by Victoria Espinel. She's the president and chief executive officer of BSA, the Software Alliance, and many of you watching might still remember her as the White House coordinator for IP enforcement, so a public sector experience there as well, which is important to have for this topic, of course. And last but definitely not least, we're joined by Mike Nefkens. Mike is the executive VP and general manager of Enterprise Services at Hewlett Packard Enterprise, based in the US. Welcome on the panel. Without further ado, Derek: we've brought together a wide group of stakeholders to tackle the issue and we have worked on a first-of-its-kind set of principles. Share with us, please.
Why is this a topic that's important to the Forum, and what are these principles about, please?

Sure. Thank you. Thank you, York. Yes. So first of all, perhaps it's worth highlighting or explaining, I mean, what is the problem here? What is it that works work? What is the problem we're trying to solve? So part of the work the Forum has done, and what we see across all industries, is a tremendous wave of digitization that is transforming business models in the way that companies operate. This is changing how they interact with customers, is changing how they interact with customers, with their suppliers, with partners, and it's opening up new business, new innovations, new business models and new opportunities. But any new business opportunity comes with risks, and just as we feel you enter a new market you consider the risks there, as you create new business models which are based on digitization, you'd also need to think about what are the risks that go along with that. Some of these risks are driven by, we might term, bad actors, so there's an ill intent, and some of them may be broader than that, not necessarily driven by hackers or bad actors, but simply there's risks involved in any new endeavor. The challenge, however, is that, as this is a very new and emerging set of issues and challenges, many companies, in particular the boards in those companies, don't feel adequately equipped to be able to understand and manage these risks and guide their companies to manage these risks in the same way that they would many other risks. So what we've done over the past year, with the help of Hewlett-Packard Enterprise and with BCG and actually a much broader group of companies from several different industries, including not just technology but healthcare and automotive and infrastructure and financial services, and we've worked with experts and executives within those companies across different functions, from risk and security and operations, and
then also with some policy makers and with some academia, to understand what are some of the leading practices out there that some companies have already started to develop, and can we develop a set of tools or a framework and a set of principles to guide boards to be able to accelerate the adoption of these leading practices in a coherent way across different sectors. So this has been the endeavor. The output from this is a report, which in fact is really a set of tools, and there are three tools in there. First of all, there are a set of ten principles for boards to guide their behavior and their activity and their interactions with their executive and management teams. Secondly, there's a cyber risk framework that allows them to understand and contextualize risks as they become relevant to their organization. And then finally, because there are so many new technologies hitting us at the same time, we've also added in a board guide to emerging technologies to help boards understand how they should be thinking about emerging technologies like IoT, AI and even the second wave of cloud.

Thank you, Derek. Walter, let's hear from you. I'm sure many of your clients have concerns about the issues and are probably beginning more and more to understand the implications, but what are the strategic implications of that?

Sure. Allow me to share three strategic guidelines, I would call it. Advancing cyber resilience is not a standalone discipline. It has to be derived from business strategy. It has to be embedded in business decision, and the reason is simple.
You cannot protect everything to the same level. Therefore a company, an organization, has to define and derive its crown jewels, as we call it, so for example consumer data or intellectual property, and they have to understand which kind of business processes are attached to them, who is accessing it, and that means at the end that you have to have an integration of cyber risk into your overall risk management system. Secondly, it's about capabilities, because an organization is the capability to deal with incidents, and in today's world, unfortunately, an organization has to accept that it will be breached. That's unfortunately the new normal, ladies and gentlemen, and therefore you have to deal with detecting this breach quickly. You have to respond to it. You have to recover, and that means that this kind of capabilities have to be built up. It's not done in a day, for sure. And third, and definitely one of the biggest challenges: everything I've just said, it's a highly dynamic process. It's not a one-time exercise. It's an arms race out there between the attackers and the defenders, and that means that also boards and the senior executives have to daily, basically, deal with this issue and have to understand what's going on. And coming back to your point, digitization bringing up new products, digital products: you have to make a trade-off decision between what's my time to market for a new digital product versus how much effort to expend, for example, into security architecture.

Thank you, Walter. Victoria, we've been joking back in the speakers' room whether you'll be an optimist or a pessimist. I'm not gonna put you on the spot here again, but more and more companies are moving their operations into the cloud, they're digitizing. What are the implications of that and what are the risks you see?
So, you know, software is at the forefront of the digital economy. Because of software, people and companies have access to computing power that is unprecedented. Because of software, we are at what is just the very beginning of a data revolution, although it has already had enormous impact. So, you know, the software industry is helping companies do what they do better. It's also changing how each of us lives our life every single day. One of the changes that it's bringing about, though, really increases the importance of this issue that we're here to talk about today, cybersecurity. And, you know, the way the software industry sees it, we see this very much as a shared responsibility. So when I say that, I mean shared between governments, between the software industry and between the companies across every sector of the economy, because as Walter pointed out, there is no sector of the economy that is not at risk today. So I would say it's great to see the World Economic Forum focusing on this. I think it is essential to responsible leadership to have boards focused on this issue. It is, I think, the byproduct of many positive things that are happening, but as has been said on this panel, with good things come additional risks. I think it is a manageable risk, but it's clearly something that we need to be focusing on more and more, and it's great to see the World Economic Forum bring its thought leadership to this issue.

Thank you.
Mike, you're one of twelve hundred senior executives from the business community here in Davos. I know you've been talking to a lot of boards around the world, but if you talk to your fellow business representatives here, do you have the feeling they have the necessary awareness of the threat and the steps of action they need to take?

You know, I think that's finally starting to emerge. We've been here a couple years now, and we're finally, I think, seeing that the senior executives out there are realizing, and I think Walter said it earlier, it's not a matter of if you're gonna get breached now, it's a matter of when. And what that means is that the risk is now real for every executive, for every board, not just the one that ends up in the paper, you know, where you think, hey, that's not gonna happen to us. Everyone knows it's now a real risk, and what we've been able to do, I think, with this paper and with the toolkit is we've given boards a real first view of, you know, where to get started, how to get trained, what are the best practices, what are the principles, and how can you get access to experts to help you. Frankly, if you look at the makeup of most boards these days, you know, there's not a lot of technology experience in those boards, let alone a deep knowledge of how to handle cyber issues. And, you know, Walter said it perfect when you talk about, you know, how you have to protect an enterprise, then when you're breached how you detect and respond, and then most importantly how you recover. And this is what we've really set out to do in this paper: we've been able to, you know, put those principles in place, and it gives a board a place to start so that they can become more educated in the threats of cyber, and, you know, they have access to experts, whether it be on the technology side or on the consulting side, so they have a place to get started and they can start to manage their risk.

Thank you very much.
So saying that they're finally understanding means they're not there yet, but yeah, it's good that you raise that awareness.

You know, I don't think we're ever gonna get there, because this is a constant cat-and-mouse game, and that's also a real learning, right, on cyber. The threats change on a daily basis, so it's a question of being agile enough and making sure that the community is linked in a way that, as we fight the cyber threats together across government agencies, companies and other forums, we can keep up and really be one step ahead of the threat actors versus a step or two behind.

Yeah, maybe if I could just build on that, actually. You know, in addition to the question of, you know, why is this important, I mean, why is it important now, and why did we particularly focus on this topic and this effort right now? And I think it is because of that rapidly changing nature of the technology landscape. So really over the past, you know, 10, 15, 20 years there's been an awful lot of work and progress made in the area of information security, and there are companies that have leading practices around information security. Unfortunately, pretty much every study done, by not just ourselves but elsewhere, through that period has indicated that the level of board attention to these issues has been historically low. But there's been a cost of doing business that people have been willing to accept, and because of the threat landscape was, the nature of the threat landscape. Now, the stakes are being raised in information security, but more importantly the stakes are being raised through a whole set of new technologies such as internet of things, and once we start connecting physical devices then all of the stakes are raised, and the kinds of harms and risks that we're talking about are significantly more impactful in many cases than financial loss, which is often the case around information
security. And so if there are things that we know we should be doing around information security, we should all just be doing that. We should just be doing it, because there's a whole new set of threats coming down the road that we're going to need to be very agile and very quick to respond and figure out how we manage those.

Can I just pick up on the information security point? So when I was at the White House, a lot of my focus was on economic espionage against US companies, and one of the challenges that we had is, while it was evident to me and others that were working in the space the scale of the threat we were seeing, when we were talking to US companies they were either unaware of the level of risk or they were essentially hopeful that it was not going to happen to them, and so they wouldn't have to invest in the resources necessary to try to mitigate the threat. Now, I do think that has changed. As has been alluded to on the panel, I think we're in a process of changing. I think heightened awareness at the board level is extremely important, but I think that that challenge still exists, and I think one of the things that can be helpful as governments and businesses work together is more on information sharing. So you're talking about information security: the government has access to information, companies have access to information. For various reasons, there has been a reluctance to share that information as much as would be helpful. And so I think that is one of the areas, when I talk about shared responsibility between companies and governments, it's to work together to be sharing information as efficiently and in real time as possible.
Yeah, and I think that's finally starting to change, where it used to be you didn't want to talk about your cyber problems because you were deathly afraid it would end up in the paper and it would hurt your brand, and I think CEOs are now starting to share as they talk to agencies and others. And the other big change that I think has happened as well is, beforehand the executive team would update the board, and the board would be satisfied with the update, and it wouldn't be a problem until it was a problem. Now what we're seeing is that boards are now getting more savvy, and they're starting to question the executive teams and really being able to ask, to understand the risk level, and then being able to adjust based on what needs to be there. And that's a big shift that's happened in the last year. Victoria, I think what you said is right: it's because the boards are starting to get access to more data, and as they get data and they're sharing, and more CEOs and more boards are talking about the cyber risks, they're becoming a bit more educated.

And maybe to summarize what you just said, why it is so hard for boards to really understand the challenge in cyber security: because you need essentially three things. You need the leadership, you just referred to it, from the board to the senior executives. You need collaboration, because you basically failed if you believe that your CIO will solve the problem. No, you need collaboration among all departments, among all employees within an organization, and you have to reach out to your peers, to government, to cooperate, to share this information, which is not always an easy thing to do in our legislation. And third, not the least for sure, is determination, because it's complex, the problem.
It's not just in your own vicinity, so to speak, and it's highly dynamic, and that was the mental shift from, okay, it's fine to have it once a year on my agenda in the board meeting, and now I have to even actively respond if something happens and have to know how to react, and not, you know, look to my assistant and ask, where is our business continuity manual, so to speak.

Thank you, Walter. And I think you're building a great bridge for me here, because we did ask our social media audience before for questions and kind of what's at the top of your mind there. And I'm gonna combine two of the questions here because they have a similar angle. One question was, so will we see more chief technology officers moving to the role of CEO in companies? And the second one was, when will the IT security person be a C-suite level position? I think you touch on that, but maybe you can elaborate a little bit.

Yeah, so those are two really interesting questions. I'll start with the last one. The first is absolutely the tech savviness of the IT team. We're seeing a lot of changes where in some cases the CIO is not even responsible anymore for cyber security, where the CISO is reporting directly into the CEO or in some cases directly into the risk committee or the audit committee. So we're seeing a lot of governance changes there, which is driving more education of the board, and we absolutely believe that, you know, across all the executives the technology savviness needs to increase so that they understand the risks they take as they digitize their business. And then the second question you asked about the CEO: look, I don't think it's possible to be a CEO without having some understanding of technology. If you talk to most CEOs, you know, nine out of ten right now, one of their first agenda points is that they have to go digitize their business, and that takes really understanding technology and the threats associated with that, where cyber comes into play.

Thank
you. You want to add to that, Victoria?

No, I'd agree with that. I think you're already starting to see the move of having chief security officers, CIOs, CTOs being directly part of the board discussions, and I think that's been a positive move. I think that's something you continue to see. On the question of CTOs becoming CEOs, I think good CEOs can come from all sorts of backgrounds, but I would completely echo, I think every CEO right now has to have a little bit of their portfolio being the CTO and being very focused on technology.

Thank you. We also had a question from a gentleman or lady with the name evil cat, but it was a very good question. The question is, do universities, for example in MBA programs, need to put a heavier focus on the issue? Does this need to be more part of the business curriculum as well? It's a bit of an off-topic question, but I think we usually have a very young live stream audience, so that might be of interest. Maybe you can share your thoughts on that, if I may ask.

I couldn't agree more, and yesterday we had an interesting session on the future of artificial intelligence, and the first topic they picked, surprisingly, was cyber security, and the CEO of this company said, look, one of the problems we have in a company to find the right skills on the market. It's basically try and that's and universal, I would say even global, problem, that at the moment there are not the right skills. It's a fantastic topic.
It combines the new things like digitization, IoT. It also shall hopefully then enable direct access to the board. So I fully agree that in academia currently this is a little bit overlooked, and hopefully it will change soon.

Yeah, and I would say even go beyond the business, go beyond MBA. So Berkeley is, I think, perhaps announcing here at Davos that they are going to be undertaking a new initiative to be able to teach computer science to every undergraduate student that comes into Berkeley. I think that's enormously positive. I know my alma mater, Georgetown Law School, just launched four weeks ago the Georgetown Law and Tech Policy, and one of the things that institute is going to do is make sure that computer science and coding is available to every legal student, every law student that goes to Georgetown. I think beyond, it's important, as we've been talking about in this discussion, to have the board and have business leaders focus on cyber security, but it is also important, I think, to have the legal system focus on cyber security. Software has such an enormous impact on how we live our lives, and so we need to have lawyers and policymakers and business leaders that are all as immersed in technology as possible and understand it as well as possible, so they can make the right decisions, not just in the business community but for society at large.

Yeah, it is one of the top one or two questions I get from boards, which is, where do I go train my people? And it is a real problem, and it goes not just, where do I train my people?
Where do I get good people that understand cyber and the risks? And it is a tough one, and I would tell you that I think there's some great classes emerging at universities, so I think some of the younger talent will have a better base. But I believe it's going to be up to the technology industry to start driving certifications in the area of cyber, or at least in the different parts of cyber. No one really does that now. It's one of the things that HP, that we're looking at doing, but I think it's going to take a real collaboration across technology companies to really launch a certification program, so you could get the different levels of certification in cyber, and it'll really take that field to the next level.

Yeah, I mean, when we started working on this maybe five, six years ago, a similar question came as the question from evil cat there, and I remember asking everyone I knew, does anyone know of programs like this? And no one did, and I actually had a piece of paper stuck on the wall of my desk, so, you know, I take it down the first time that we had a cybersecurity program at an MBA school. And I saw the first one, I think it was three years ago, I think it was at Oxford, that they do. Now they're proliferating, and you see also within the engineering schools, how do you work with the business side of the house in order to be able to explain. And really what this underlines, it's the same as the tools for the board: this is not about making everybody in the world experts on cybersecurity. That's not going to happen.
That's not the point. The point is that we need, everyone needs to have a basic literacy in the topic, just like boards are not experts in all of the different aspects of accounting or risk, but they know what questions to ask, they know what risks, they have a basic literacy, and that applies at all levels. Yesterday I had a meeting with a number of ministers from South Asia, including ministers from Sri Lanka and Bangladesh and Pakistan, and they were talking about the programs they're putting in place all the way through from primary, secondary and tertiary about technology in general and the risks that this involves as well. So this is really something which is widespread across all areas, and we need to be embedding it in our technology, in our education practices.

Thank you, Derek. Are there any questions in the room? If not, I have the opportunity to get in my most snarky question yet. And the question came, I don't remember the account name of the person who asked, but: do companies have the right to hack back? Any volunteers to answer that one?

I think it's a really interesting question, and I think there are two parts of that. One is, do nation states have a right to hack back, is one question, and the other is, do companies. I would tell you right now that the resources and costs to try to hack back, you know, are going to far outweigh the benefits from a company perspective. You know, I think companies are more focused on protecting themselves, being able to detect and respond and then recover. If they're going to get into the hacking back business, number one, it would introduce a lot more risk, and number two, the cost and effort to do that will be huge. So I don't really see that as a viable business option. I think when you take a look at nation states, I think that's a different question there, but from a company perspective I just don't see a future in that for corporations.
Thank you, Mike.

I thought it was interesting the way the question was phrased, it was phrased as whether or not companies have a right to hack back, and I think actually the response is more sort of, what are the practical implications of it? Is that something that makes sense for companies to do? I think in the real world that's way more relevant than whether or not there's a theoretical right for them to hack back or not.

That's well said. Very good. These were my snarky questions. Thank you. Thank you for being good sports and answering them. I think, mindful of your full schedules, it's time for me to close this press conference. Thank you all for being here, and thank you for watching. Thank you very much. Thank you. Thank you.