Chapter 1. Cybersecurity in the Age of Digital Transformation

A worldwide pandemic brings manufacturing plants in China to a standstill, causing supply shortages and slowdowns at factories from Detroit to Yokohama. An Ethiopian airliner mysteriously nosedives minutes after takeoff, killing everyone on board; and less than six months later, on the other side of the world, the same make and model of aircraft crashes in almost exactly the same way. An unknown person tampers with the control systems at a water plant in Florida, increasing the amount of a chemical that’s ordinarily safe to use in water treatment but lethal at higher levels by more than 100 times. An extortionist uses artificial intelligence (AI) to convincingly re-create an individual’s voice to fake a kidnapping, and election officials worldwide worry that the same “deepfake” techniques—which can also manipulate images—will be used to undermine democratic elections. A Russian cyberattack on a satellite navigation system used by the Ukrainian military brings wind turbines hundreds of miles away in Germany to a standstill. And a lone attacker holds a major pipeline system for ransom, creating massive fuel shortages up and down the US East Coast.

These events are dramatic examples of how very fragile our daily lives, and the systems and processes they rely on, are today. This complex, intricate set of interconnections is created by the world’s overwhelming reliance on digital technologies for communication and collaboration, and the unprecedented risks they’ve introduced—and continue to introduce—at a radically accelerating pace. Enterprises everywhere now face threats that would have been unimaginable just a few short years ago. The threats can be acutely damaging to financial interests and, in some cases, even drive companies out of business—and not just because of failures dealing with cyber threats, but because of competition: the ability of one company to take risks and move faster than its competitor, both of whom are digitalizing at a competitive pace. Security organizations are struggling to keep pace with the significant challenges those threats and vulnerabilities represent, often falling short.

This book presents a way forward in this radically different and threatening new business and technology landscape. The approach, which draws on the authors’ decades of experience in the field, is based on the premise that the way for an enterprise to protect itself today and tomorrow is to develop a comprehensive, enterprise-wide cyber risk management program. The book speaks to a broad range of enterprise stakeholders—not just security practitioners—to guide strategic decisions and execution parameters throughout the enterprise. The key is defining, developing, and implementing a cyber risk management program.

Regulators worldwide are focusing more intensely on how enterprises are managing their cyber risks, how they establish their risk tolerance, whether they’re executing to that tolerance, and whether there is proper oversight of this programmatic approach. Courts are narrowing their focus on the personal liability of boards of directors, CEOs and other corporate officers, including chief information security officers (CISOs), as it relates to their oversight of cyber risk management. The lack of a program, and the outputs of a program by themselves, can be the basis of that liability.

Many readers, especially experienced security professionals, will recognize some or all of the components of a cyber risk management program as we present it, and they’ll likely be practicing some of them already, at least in part. Security practitioners are by definition risk practitioners (that’s an important concept that we’ll be returning to again and again). Their experience in risk management will prove invaluable in designing and implementing a cyber risk management program. What sets our approach apart is that it brings together all these components and more in a comprehensive, formal program designed to protect the entire enterprise and many of its stakeholders against the entire range of risks in the present and in the future.

In this book, we’ll be taking a deep dive into defining a formal cyber risk management program through a variety of authoritative sources, aligning global standards, regulations, court cases, and influential sources with a framework to support the foundational elements of the defined program. Though the book will not be a how-to approach to risk management tactics, it will nevertheless reference many risk practices and provide examples that could be implemented in the program.

Why a cyber risk management program now? Digital transformation has introduced a cyber element into every aspect of security and has made cybersecurity one of the most urgent concerns for enterprises worldwide in recent years—and not only for the security professionals, but for every leader as well.

The Fourth Industrial Revolution

The term Fourth Industrial Revolution—sometimes called Industry 4.0¹—was popularized in the 2010s by the economist Klaus Schwab, founder of the World Economic Forum (WEF). The concept is commonly defined as rapid, and rapidly accelerating, change in systems and processes driven by the increasing interconnectivity and automation of technologies in ways that blur the distinctions between the physical and digital worlds. These technologies include artificial intelligence (AI), advanced robotics, machine-to-machine (M2M) communication, the networks of autonomous devices that make up the Internet of Things (IoT), and many more that are on the horizon. And as these technologies interact in new, unexpected, and unpredictable ways, they are driving social, political, economic, and cultural changes at a velocity never before seen in human history.

Note

A 2016 WEF report on the Fourth Industrial Revolution says, “The speed of current breakthroughs has no historical precedent. When compared with previous industrial revolutions, the fourth is evolving at an exponential rather than a linear pace. Moreover, it is disrupting almost every industry in every country. And the breadth and depth of these changes herald the transformation of entire systems of production, management, and governance.”²

To understand the dramatic changes we’re experiencing now, let’s take a step back to look at how we got here, specifically at the historical changes that preceded them:

  • The First Industrial Revolution used water—rivers turning millwheels and coal-fired boilers feeding steam boilers—to drive manufacturing production (steel mills and textile mills) and transportation (trains and ships).

  • The Second Industrial Revolution electrified these processes, making true mass production possible.

  • The Third Industrial Revolution was—and is, because it’s still going on—based on electronics, using automation and information exchange to drive improvements in operational efficiency.

  • The Fourth Industrial Revolution delivers operational efficiency and innovation at a velocity that was unimaginable a few years ago. It’s driven, above all, by the digitalization of existing systems, applications, devices, and processes, and—crucially—by the continuous, ongoing, rapid creation of new digital technologies.

In the future, the world will likely look back on the Fourth Industrial Revolution as a more radical, dramatic, and fundamental change than all three of its predecessors taken together. It builds on all of them, especially the Third, with previously unimaginable speed, scope, and impact. It’s as if all the major technology developments that had come before—the electric light bulb, the automobile, radio and television, everything—were occurring at the same time.

There are five key trends impacting enterprises and the risks they face:

Industry convergence
Every industry is changing, and the cycle of change is constantly accelerating. New ecosystems, business models, and consumer behaviors are blurring industry lines across every market segment. And enterprises collaborating with third parties in industry ecosystems—sometimes even with direct competitors—face previously unknown risks, because they inevitably give up some degree of control to the other parties.
Globalization
When the people and organizations involved in the value chain—manufacturers, suppliers, partners, customers—are spread across the entire world, enterprises have to recognize that the risks they face are different, highly unpredictable, and on a scale they’ve never before had to deal with.
Expectations of oversight
Enterprises are being watched more closely than ever by legislators, regulators, industry and consumer organizations, and a broad range of other interested parties. And all those parties expect—and in many cases demand—greater oversight of enterprise business practices.
Legal action challenges
Often enterprise actions—and failures to act, as in the case of cybersecurity events like data breaches—result in damaging lawsuits.
A changing regulatory landscape
Regulatory requirements are becoming ever more complex and more rigorous—and often more contradictory. This increases both the risks of noncompliance and the difficulty and expense of managing those risks.

All these trends are characterized by two radically disruptive factors: velocity and volatility. Everything is happening at a dramatically accelerated pace, and the acceleration itself is constantly accelerating—markets, politics, consumer behaviors—making everything more complex, unstable, hard to predict, and harder to manage. The result is that enterprises have no choice but to become more agile than ever and keep refining and enhancing their agility through their risk decision making.

Digital transformation has made it possible for manufacturers to achieve operational and logistical efficiencies that would have been unthinkable only a few years ago. Let’s take a look at a simple example of how this works: the design, testing, manufacture, shipping, and installation of a semiconductor for use in an electric vehicle (EV). The process begins with a design team in California delivering the specifications for the chip, probably with an endless series of last-minute updates, to a facility in China that’s tasked with developing a prototype. When the prototype is ready, it’s sent to the auto manufacturer in Michigan for testing. If the prototype is satisfactory, the specs are sent to another plant, in a different location in China, where a different manufacturer begins sourcing the rare earths and other materials that go into the chip and planning a manufacturing schedule. And here’s an important point that we’ll be returning to later: all these different points in the process can be handled by different entities. They don’t have to be part of the same organizational structure, and they don’t have to be all part of the same company—and in most cases, they won’t be. They will, however, all be part of the digitalized world, forcing all involved to rethink processes and interaction, with digitalized risks built in along the way.

Let’s say the manufacturing process has gone off without a hitch, and the first shipment of semiconductors is ready to go. Digital technologies make it possible to track that shipment to the most granular level. That means that at any given moment, the manufacturer knows exactly where a specific semiconductor is, not just in the world, but in which shipping container in which hold of which ship in which port. Why does this matter? Because it lets the manufacturer plan its production schedule with absolute precision. The chip will arrive just in time to be inserted into the dashboard of the EV. Production won’t be delayed, and the manufacturer won’t have the added costs and risks of keeping unnecessary supplies on hand—supplies that could be stolen or damaged while sitting in a warehouse. And this efficiency is made possible by digital connectivity, which drives this “just-in-time economy” and the real-time communication and information exchange it enables.

Just how fast are the changes these trends are driving? One excellent indicator of the velocity of change is the Standard and Poor’s 500 (S&P 500), one of the oldest and most important stock market indexes in the US. In 1969, not much more than half a century ago, traditional industrial companies, essentially manufacturing concerns, made up a third of the 500 companies listed. Today, only 68 industrials are listed, tied for first place with information technology companies. Even more breathtaking is the change in the lifespan of S&P-listed companies—the period when S&P thinks they’re important enough to represent a benchmark of the economy. According to Innosight, a company’s average S&P listing period was 33 years in 1964, and S&P predicts it will have dropped to just 12 by 2027.

What’s the takeaway here? Enterprises need to move fast. Moving fast also means taking risks. Some of the equilibrium in the risk-reward dialogue involves maintaining a balance between different risks. In this case, managing cyber risk can come at the cost of efficiency and of financing other projects, as well as at the cost of losing ground to competitors who may be willing to take, or capable of taking, more risks. A good cyber risk management program, delivering timely and trusted risk information, should allow companies to go faster, knowing what’s around the corner. They’ll identify risks more quickly, and they’ll be more aware of the latency of their brakes should they need to use them. This clearly represents a strategic advantage in this digitized environment.

The radical changes created by the Fourth Industrial Revolution—new technologies and new business models being born, and old ones dying—represent the latest and most extreme example of the process the Austrian economist Joseph Schumpeter called “creative destruction.” And the global economy has never experienced a more intense period of creative destruction than the one it’s going through right now, driven almost entirely by digital transformation. Digital technologies are opening up creative opportunities for innovative, forward-looking businesses, even as they’re literally destroying businesses that have failed to innovate or even just failed to innovate fast enough. Most importantly for the security decision makers reading this book, digital technologies have made enterprises, their operations, and their processes more vulnerable than ever before. This vulnerability and fragility was made painfully clearer by an event that was literally unprecedented in living memory, one we’ll discuss in detail later in this chapter: the COVID-19 pandemic.

The penetration of digital technologies into our professional and personal lives is now so complete that most of us take it for granted. And all too often, that means we don’t recognize the radical changes it’s brought about, the dramatic impacts it’s having on our professional lives, and above all, how dependent we are on all those technologies. Without that recognition, we can’t adequately protect against, or even identify, the constantly growing risks that digitalization introduces. This of course also now extends beyond the enterprise to third parties.

In a world transformed by digital technologies, security risk management must change dramatically to keep pace with constant digital-driven changes to the enterprise environment.

Cybersecurity Is Fundamentally a Risk Practice

In this complex, fast-changing, intricately interconnected world, there’s no such thing as a zero-risk environment. From the very beginnings of civilization, ships sank, crops failed, caravans on the Silk Road linking Europe and Asia—an early example of what we’ve come to call the supply chain—were attacked by bandits. Enterprises have always needed to take on risks in order to adapt, innovate, compete, and survive. Every aspect of business, in one way or another, involves risk management. (That, too, has always been true. Merchants in ancient Egypt were taking out insurance on their shipments more than three thousand years ago.) Here’s a more current example: a CFO’s budget decisions represent a process of risk management, as she decides how to apportion resources to manufacturing, research and development, marketing, stock buybacks, and, of course, security. Every dollar, euro, rupee, or yen allocated to one area has to be taken away from some other area, and the CFO has to walk a fine line between costs on the one hand and risks on the other.

There is no such thing as a zero-risk environment. The role of a cybersecurity risk management program is to help enterprise decision makers understand the risks they face—and guide them through a risk-informed decision-making process.

This is as true for the security professional as it is for the CFO. Security professionals, whatever their role, whatever their position in the enterprise, shouldn’t be trying to eliminate all risk—not only because it can’t be done, but because it’s an unconstructive waste of their valuable time and resources. (This is a concept that most people understand intuitively, because we all make risk-based decisions constantly in our daily lives. One simple example: someone who’s late for a business meeting may have to balance the risk of a speeding ticket against the reward of a new client.) Instead, they should be working with key enterprise stakeholders to define the right balance between risk and reward, establish acceptable levels of risk, and develop appropriate security and risk management measures.

A security professional is by definition a risk management professional.

Security practitioners have always practiced risk management, of course. But they’ve tended to approach risk management on an ad hoc basis, addressing risks and threats and vulnerabilities when and if they emerge and are identified. That’s natural, because risks have always been difficult to predict and prepare for, but it’s no longer an adequate approach in a world turned upside down and inside out by digitalization. Many security professionals already recognize this and are working to mature their practices, but a tremendous amount of work still remains to be done. We believe that security and risk management as professional disciplines need to mature significantly, and that a security organization can only achieve this by putting formalized security risk management programs in place.

Security has to mature to address the necessary speed of emerging risks and to meet changing enterprise needs—and this can only be accomplished through a comprehensive cyber risk management program.

This represents a set of fundamental changes in the way security works, and there’s no question that addressing them will be challenging for many security professionals. Change is always difficult, and changes as radical as those brought about by digital transformation are certain to be especially difficult. It’s important that the security professionals reading this book recognize that new risk-based security approaches driven by digital transformation don’t just present challenges. They also mean new opportunities for professional and personal engagement and development.

Security professionals who view their role as working with key stakeholders to identify and achieve the right balance of risk and reward won’t simply be helping to protect the enterprise better—although they’ll definitely be doing that. They’ll also be helping to ensure that those stakeholders view them as peers and fellow strategic decision makers, not simply technical personnel installing antivirus software or implementing VPNs. In short, this means that security should have a seat at the table where the important decisions are made. But getting there won’t necessarily be easy. It will require that security professionals build on and augment their already extensive technology skill sets. They’ll likely also need to develop skills in areas that haven’t historically been considered “security” or “technology”—for example, learning how to communicate with business leaders in terms they’ll understand and find accessible. And that will require that they cultivate a richer, more nuanced understanding of the changes that are reshaping the world, the enterprise, and the mature discipline of risk management.

Cyber Risk Management Oversight and Accountability

Clearly, the thing that’s transforming is not the technology—it’s the technology that is transforming you.

Jeanne W. Ross, MIT Sloan Center for Information Systems Research

In today’s era of volatility, there is no other way but to re-invent. The only sustainable advantage you can have over others is agility, that’s it. Because nothing else is sustainable, everything else you create, somebody else will replicate.

Jeff Bezos, “Digital Transformation and Becoming an Agile Business”

The practice and oversight of managing these risks has captured the attention of regulators and the courts.

A new set of rules released by the SEC, for example, requires that public companies report material cybersecurity incidents within a set period, and report on their cybersecurity governance, risk management, and strategies. Digital transformation makes every “malicious” event a cyber event, meaning cyber is central to every aspect of enterprise security and enterprise-wide business risk decision making. Industry regulators are also increasingly focused on cyber risk management and oversight of their programs.

As we’ll discuss in detail in Chapter 2, courts have also been narrowing their focus on who has responsibility for establishing enterprises’ efforts to manage these risks—not necessarily the day-to-day decisions, but the actual risk programs. Boards of directors and corporate officers, including the CISO, now have a new responsibility to execute in addition to their expected responsible tactical execution: cyber risk management.

The “why now” question is also driven by these oversight responsibilities. A cyber risk management program can help provide a more defensible program, based on existing standards, prior case law, and guidance provided by board-level education providers, specifically the National Association of Corporate Directors (NACD) and the WEF.

Digital Transformation and Maturing the Cyber Risk Management Program

In recent years, we’ve seen an astonishing increase in cyberattacks—in their volume, severity, and sophistication. There are plenty of reasons, including a few listed here: a dramatic increase in remote work, increased exposure due to the use of employee-owned devices, and growing reliance on the IoT. And the impact is being felt. A study released in November 2021 showed that 81% of global organizations had experienced increased cyberthreats and had suffered downtime due to cybersecurity risks (McAfee Enterprise and FireEye). And the worldwide revenue from cybercrime for 2022 has been estimated at a staggering $8.4 trillion.

The ever-increasing pace of the creation of new technologies presents enterprises with an equally fast-changing set of risks. This clearly shows that cybersecurity as a function and a discipline has moved far beyond simply protecting systems and data, and that it’s not just the security organization’s problem anymore.

Cybersecurity Isn’t Just a “Security” Concern

While cybersecurity is obviously a major focus for enterprise security professionals, it impacts an enormous range of enterprise roles and functions, because cyber risks impact all those functions. That’s why we hope this book will be read by, and will influence, not just security professionals, but also many other enterprise decision makers. Let’s take a look at some of those individuals, and talk about why they need to take action to address cybersecurity issues (see Table 1-1).

Table 1-1. The position-specific benefits of a cyber risk management program

| Position | Risk-related roles and responsibilities | Cyber risk management program benefits |
|---|---|---|
| Director (board member) | Produces oversight of corporate practices and ensures independence. | A defendable system in place for exercising cyber risk management oversight obligations with an understanding of business-critical risks. |
| Corporate officer (CxO) | Provides oversight and informs the board of critical risks that may be material to the enterprise. Reviews and approves recommended mitigation plans. | Properly informed of risks with the data and insights available to maintain relevance and competitiveness in the market, provides strategic guidance throughout the business on proper execution to a defined tolerance. |
| Business unit leader | Provides insight into risks specific to business units and corporate functions. | Delivers access to risk information relevant to business unit decision making. |
| Chief information security officer | Makes it possible to monitor the risk environment, guide the business in establishing acceptable risk levels, and ensure alignment with established mitigation strategies. | Offers an ongoing budget business case with alignment to the enterprise’s risk appetite. |
| Compliance or risk manager | Offers frontline risk identification and mitigation recommendations. | Acts as an established channel for escalation and business visibility. |
| General counsel/legal | Guides the organization’s legal strategy and approach to cybersecurity (reviewing regulatory requirements, managing legal risks related to cybersecurity, and overseeing the organization’s response to any cybersecurity incidents from a legal perspective). | Provides the legal team with a clear understanding of the organization’s cyber risk posture, enabling them to be proactively informed and address potential legal issues. This clarity allows them to provide more accurate and informed legal advice. |
| Cyber function owner or practitioners | Provides risk information from their specific security risk areas that can be aggregated. Executes the agreed-on mitigation strategy and tracks performance against it. | Aligns organizational goals with daily tactical operations (giving greater purpose to the role). |
| Auditor | Independently tests the design and operation of the cyber risk management program. | Clearly defined program with a design that can be assessed. |

Cybersecurity is also a broader concern, involving entire enterprises, industries, and the organizations that represent them. Here are some of the most critical (see Table 1-2).

Table 1-2. Cyber risk management program needs by industry sector

| Sectorᵃ | Illustrative examples of technology adoption | Examples of what’s at stake |
|---|---|---|
| Energy production and distribution | IT and operational technology (OT) assets are connected to the internet to improve productivity and operational efficiency. | Everything. All other sectors depend on a stable energy supply. Without it, the economy can’t function and people’s health and welfare are threatened. |
| Financial services | Digital technologies including blockchain, robotics, and artificial intelligence (AI) / machine learning (ML) are streamlining the financial system in an attempt to provide better service. | Society can’t function without overall confidence in capital markets and the ability to store and transfer monetary value. |
| Transportation and logisticsᵇ | Next-generation communications technology, such as connected vehicles that exchange information in real time with nearby vehicles and infrastructure, are designed to make travel safer, more efficient, and less environmentally destructive. | Unauthorized access to vehicle systems could result in loss of drivers’ personal data or manipulate vehicle functionality, causing accidents or death. |
| Industrial | Digital solutions including automation, AI, 3D manufacturing (additive manufacturing), and other technologies are driving efficiency, scale, and faster time to market. | Legal, safety, and environmental responsibility for these technologies are still evolving, and internet hackers have easier access to manufacturing blueprints more so than ever before, increasing attack surface exposure and potential for loss. |
| Healthcare | Cognitive systems generating insights across connected environments, wearable sensors, and robotic surgical processes are advancing and centralizing a once decentralized industry, helping to improve care and control costs. | Breach of protected health information and even disruption to critical health services provided due to targeted attacks from advanced adversaries (e.g., cyber criminals performing ransomware). |
| Education | Knowledge and information can be shared instantly and made available at scale, enabling educational institutions to reach wider populations. | Increased risk or lack of privacy along with misinformation spreading and being consumed at greater speeds. |
| Public sector | Rapid collection and analysis of data, increasing the participation of citizens and providing better services. | The overall complexity of the threat landscape as a result of technological advancement will test governments across the world where there is an increasing lack of skills and capacity to tackle the challenges effectively. |
| Communication | 5G, AI/ML, IoT, and resulting data-driven insights are transforming the customer’s experience and driving higher expectations for services (including speed, connectivity, and resilience). | Enabling billions of connected devices has increased the attack surface, making it possible for larger and more dangerous attacks. |
| Chemical | An increasingly complex global supply chain enables the conversion of raw materials sourced worldwide into more than 70,000 diverse products essential to modern life. | Chemicals must be secured against a growing and evolving set of threats, both because they’re potentially dangerous and because other critical infrastructure relies on them. |

a “Critical Infrastructure Sectors,” CISA, accessed October 10, 2023.

b “How the U.S. Department of Transportation Is Protecting the Connected Transportation System from Cyber Threats,” US Department of Transportation, accessed October 10, 2023.

Cyber Risk Management Program: An Urgent Enterprise Concern

The purpose of a security risk management program is to help guide the enterprise, its leaders (at the highest levels), and other key stakeholders in the security risk decision-making process. Security does not make the decisions, but it informs them with its expertise and experience. The result, ideally, is a set of risk-informed decisions that thoughtfully balance risk and reward.

An enterprise security risk program is an essential prerequisite for success in the digital world.

The entire enterprise—the security organization, lines of business, and individual contributors—needs to take part in the process of continuously maturing this security risk program. Why? Because the effort has to be strategic, not tactical. This is an important consideration for the success of the program, but also for the professional and personal development of the security professionals involved. Everyone wants a seat at the table, everyone wants to be involved in important decisions. Executives put strategic folks around the table; individuals who are seen as tactically oriented rarely are offered that seat.

That perception—that security is essentially a tactical function or, worse, merely a cost center—is one of the most significant problems the discipline faces. It will not be easy to overcome this perception, and it will take time, but it can and must be done. The key is practicing strategic risk management programmatically, and being seen to do so, on an ongoing basis.

We’ve developed a framework for establishing a cyber risk management program (CRMP), mapping it against core elements of globally established and accepted risk standards, established regulations, and opinions from case law that are starting to hold executives and boards accountable for risk oversight. The framework identifies four core components and supporting principles to help guide a security or risk practitioner, auditor, or regulator through what a CRMP is and which components should be considered for adoption. The application is adaptable and flexible for all sizes or maturity levels of organizations. Any program needs some structure to help with stability and consistency. We’ve found through our research that all risk management programs are consistent in their approach. They use different words and processes to describe them, but the fundamentals are, well, fundamental to the program.

A CRMP has four essential components, which are defined by international standards bodies, court decisions, regulatory frameworks, and accepted board-level principles:

Within the framework you’ll find the principles and a set of informative references that support each component and principle.

This Book’s Roadmap

The journey we’re going to take in this book will be primarily to talk about how to define and develop a cyber risk management program, and to consider its value. We’ll establish what exactly makes up the program in Chapter 2. We’ll define and cover in detail the four core components and the guiding principles in Chapters 3–6. In Chapter 7, we’ll be offering guidance on implementing a program that has an appropriate starting point and that aligns with the enterprise’s state of maturity, operating environment, and industry-specific requirements. We’ll talk about the ways a program can contribute to organizational resilience by coordinating with other operational risk practices (e.g., physical, supply chain and third-party security, business continuity management, and disaster recovery) to develop a holistic enterprise risk posture in Chapter 8. We’ll close this out in Chapter 9 with a look into emerging technologies and how risk management will continue to be the leading practice; we’ll also go a bit deeper into AI. Not all examples in the book relate to pure cyber; some examples are very relevant to risk management in any form.

The Bottom Line

Throughout this first chapter, we’ve been discussing the radical changes—transformative, disruptive, exciting, and challenging all at once—that are reshaping the enterprise risk environment. In the next chapter, we’ll go into much deeper detail about why enterprises need—and, in many cases, are legally required—to establish a formal, systematic cyber risk management program that can be clearly defined and defended, and that can stand alone and provide urgently needed strategic guidance in a world utterly transformed by digital technologies.

1 This German terminology reflects the country’s importance in manufacturing and other industries.

2 Klaus Schwab, “The Fourth Industrial Revolution: What It Means, How to Respond,” World Economic Forum, January 14, 2016.
