Article

by James Thomas, SVP Defence & Cyber in Nortal’s Defence business unit and Michael Hampson, CEO of Nortal’s UK cybersecurity business unit

Embedding resilience: Becoming cyber resilient through accepting the threat

Cybercrime, often called the dark underbelly of digitalisation, continues to rise rapidly like an epidemic. While organisations are inclined to focus on prevention, the alarming statistics should push us to accept the reality that attacks are inevitable and adopt the “when, not if” approach, shifting our pursuit from the illusion of perfect security toward an achievable goal of cyber resilience.

It’s not a question of if you will be attacked; it’s a question of when.

  • 42% of organisations reported phishing and social engineering attacks in 2024
  • 90% of organisations expect an increase in cyberattacks this year in terms of volume, costliness, or both
  • 29% of organisations reported that they had been materially affected by a cyber incident in the past 12 months

A resilient culture

This resilience-focused approach becomes even more critical as digital transformation accelerates, exponentially expanding the threat surface. When treated as a strategic enabler rather than a constraint, cyber resilience—embedded throughout the organisation’s operating model—can actually amplify digital initiatives while digital capabilities strengthen security postures.

Organisations must, therefore, integrate robust security controls into all transformation projects (including new product launches, acquisitions, and market expansions) from inception, not as an afterthought. Cyber resilience transcends being merely an incident-driven technical function; it is a dynamic mindset and adaptive culture that evolves alongside both threats and opportunities.

While tools like firewalls and threat detection systems play an essential role, true resilience depends on people, processes, and leadership commitment to cybersecurity best practices.

A resilient culture means that employees at all levels understand cyber risks, take proactive measures, and respond effectively to incidents—not just the IT team. Much like digitalisation and customer-centricity have evolved from isolated initiatives to organisation-wide imperatives, cybersecurity must follow the same path to maturity. This evolution involves continuous training, clear communication, and integrating cybersecurity into business decisions rather than treating it as a separate technical concern.

Ultimately, cyber resilience thrives when security becomes a shared responsibility embedded into daily operations and decision-making across an organisation.

Investing in cyber resilience

The era of “tech” businesses and “non-tech” businesses has passed. When everyone and everything is connected to the internet, everyone and everything has an attack vector. So, everything today is a tech business, making data breaches a business problem, not a technology issue. Yet this view has not yet been universally accepted in organisational cultures, and cyber resilience is often the victim of budget restraints and/or cuts. Given the difficulty of demonstrating true value and ROI regarding cyber resilience and security, it is still too often seen as a tradeable commodity, a hindrance instead of an enabler. But it does not have to be this way.

Quantifying the ROI on an investment in cyber resilience is challenging but not impossible. While traditional financial metrics may struggle to capture the full value of resilience measures, organisations can develop meaningful frameworks to assess both direct and indirect returns. This is especially true as the business value of cyber resilience extends beyond simply avoiding costs, encompassing regulatory compliance, operational continuity, and stakeholder trust, all of which contribute to measurable outcomes when adequately evaluated. With the right approach, cyber investments can demonstrate clear value, even if that value takes multiple forms.

Measuring the impact

  • €10.5tn is the predicted cost of cybercrime globally in 2025
  • €4.66m was the average cost of a data breach in 2024
  • €4.76m was the average cost of a malicious insider attack in 2024

The cost of cyber resilience

So, what does cyber resilience cost? It is not a percentage of your turnover but rather depends on your needs.

The key questions to ask are:

  • How does the organisation make money or deliver value?
  • What are the organisation’s critical outputs and/or services provided?
  • What is the threat to each?
  • Does it matter if these systems or information are unavailable for an hour? A day? A week? Can the business continue to function?
  • Ultimately, what compensating or mitigating controls need to be put in place?

The answers to these questions dictate the resilience measures needed and, thus, costs. The most important aspect is that the cyber resilience program is aligned with the business. It is a mistake to optimise for the wrong problem.

The building blocks of embedding resilience

A complete checklist for a comprehensively cyber resilient organisation.

01. Governance & strategy

The “why” of cyber resilience sets the vision, policies, risk appetite, risk tolerance, and strategic direction.

A comprehensive governance and strategy framework is at the heart of any cyber resilience program. This building block functions as the command centre of cyber resilience, setting the overarching vision, establishing critical policies, and defining the organisation’s risk appetite alongside its strategic direction. Meticulously mapping internal policies to the requirements of various external frameworks creates a resilient and compliant operational environment.

  • Leadership commitment and clear accountability
  • Risk management and asset identification (aligns with NIST’s Identify function and ISO’s context and leadership clauses)
  • Integration of cyber resilience into business continuity planning
  • Regular review and refinement of policies to address evolving threats
  • Regulatory and legal compliance, mapping to relevant standards
  • Organisational value alignment; cyber strategies support business objectives and value generation
  • Reporting structures and escalation pathways
  • Investment prioritization
  • Operational dependency mapping
  • Operational impact analysis (BIA)

02. Protect & secure

The traditional defence layer implements technical and procedural safeguards to minimise the likelihood of breaches.

Having all the technical and procedural safeguards in place helps maintain a vigilant stance and enhances the continuous monitoring of the security posture. In essence, while the protect and secure element aims to prevent incidents through a layered defence approach, it is also a critical foundation that supports the other building blocks of cyber resilience.

  • Deliberate security architectures aligned to organisational goals, objectives, and structures
  • Resilience by design principles
  • Supply chain security controls
  • Security culture and capability development
  • Access controls, encryption, and network security measures
  • Endpoint and application security
  • Regular vulnerability assessments, patch management, and continuous security and business alignment validation
  • Alignment with the “Protect” function of NIST and the Annex A controls of ISO 27001

03. Resilient response & business continuity

Ensures the organisation can effectively respond to incidents while maintaining critical business operations, minimising impact, and returning to normal functioning.

Acknowledging that no security posture is impervious to all threats, this building block integrates incident response capabilities with business continuity planning. This integrated approach is particularly distinctive in that it assumes incidents are inevitable and thus focuses on both swift tactical response and sustained operational resilience. By combining these elements, organisations can minimise downtime, maintain service delivery, and preserve customer trust throughout the incident lifecycle.

  • Incident response planning and crisis management frameworks
  • Business continuity strategies aligned with organisational priorities
  • Cross-functional coordination with clearly defined roles and responsibilities
  • Real-time damage assessment tied to operational impact metrics
  • Predefined operational priorities to guide resource allocation during incidents
  • Alternative processing capabilities for critical business functions
  • Systematic restoration procedures following predetermined sequence priorities
  • Stakeholder communication protocols scaled by incident severity
  • Redundancy in systems and data processing capabilities
  • Service Level Resilience Objectives that balance security and operational requirements
  • Supply chain security and third-party risk management
  • Simulated exercises and tabletop drills to validate response and continuity measures
  • Processes for rapid containment and eradication of threats
  • Operational dependency mapping to identify critical business pathways
  • Post-incident reviews to assess effectiveness and identify improvements

04. Intelligence & adaptation

A continuous learning loop that leverages threat intelligence, real-time monitoring, and post-incident analysis to evolve defences and responses.

The intelligence and adaptation block ensures that organisations can systematically analyse the value of their current defences and make informed adjustments where necessary. Moreover, the adaptation process involves internalising lessons learned from post-incident reviews and active engagement with external intelligence sources and collaborative industry networks. This ensures that our organisations learn and grow not only from our own experiences but also from those of other organisations. It also ensures that we remain at the forefront of best practices and can continually refine our policies and processes to meet new challenges head-on.

  • Proactive threat hunting and continuous monitoring
  • Intelligence-led testing and validation
  • Analytics, reporting, and feedback mechanisms
  • Emerging technology impact assessments
  • Predictive analytics
  • Incorporation of lessons learned into strategy, policy, and process updates
  • Engagement with external intelligence sources and collaboration with industry peers
  • Review of emerging threats and recommendations regarding strategy, policy, and process

Embedding resilience

To embed the cyber resilience process, we need to embrace erudition, constantly learn from our mistakes, and then adapt and apply those lessons to any given context, not once, not twice, but continuously. Cyber resilience can then be embedded through four distinct phases, constantly monitored as threats and risks evolve.

Phase 1: Mission mapping

Mission mapping involves deeply examining an organisation’s purpose to understand the value it provides to stakeholders and to identify critical functions that must be maintained under adverse conditions. Value stream and dependency mapping help uncover how the organisation creates and delivers value, revealing key interdependencies that affect resilience. This process extends to stakeholder relationships, offering a broader understanding of the organisation’s ecosystem, including its supply chain. By clarifying purpose and operations, mission mapping allows for the examination of assumptions, ultimately strengthening organisational resilience.

Phase 2: Capability assessment

Capability assessment involves systematically evaluating an organisation’s current adaptive capacity (its ability to absorb disruption without critically impacting business operations and/or value generation), and therefore its ability to respond to both challenges and opportunities. This assessment spans protective security measures, operational flexibility, and intelligence capabilities, providing a comprehensive view of organisational resilience. The assessment process employs both quantitative measures (recovery time objective (RTO), mean time to detect (MTTD)) and qualitative measures (resilience culture assessment, crisis simulation performance), recognising that resilience cannot be reduced to simple metrics. Instead, it considers multiple capability dimensions, from technical controls to human factors and organisational culture.

Phase 3: Gap analysis

Gap analysis compares an organisation’s current resilience posture against its desired state, identifying areas for improvement across all framework layers. This desired state is typically defined through industry frameworks (such as NIST Cybersecurity Framework, ISO 27001, etc.), regulatory requirements, and organisation-specific objectives established during the mission mapping phase. This analysis considers not just capability gaps but also opportunities for enhancement and innovation. The prioritization of improvements considers both the criticality of identified gaps and the organisation’s capacity for change (an element of its adaptive capacity). Action planning then creates realistic roadmaps for closing these gaps while maintaining operational stability and acknowledging constraints (time, budget, etc.).
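The following is an added worked example, not code from the article or from Nortal, that ties Phase 2 and Phase 3 together in Python. It computes the two quantitative measures named under capability assessment (MTTD and RTO attainment) from a small set of constructed incident records, then performs a gap analysis over the four building blocks using assumed maturity levels (1 to 5), an assumed criticality weight per block (1 to 3, as it might be set during mission mapping), and an assumed "capacity for change" expressed as the number of maturity levels the organisation can close in one planning cycle. All incident data, service names, RTO targets, maturity levels and weights are invented for illustration.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample incident records (hypothetical; not from the article).
# Timestamps are ISO-8601 UTC; "occurred" is the estimated compromise time.
INCIDENTS = [
    {"id": "INC-001", "service": "payments",
     "occurred": "2024-03-02T01:00:00", "detected": "2024-03-02T03:00:00",
     "restored": "2024-03-02T07:00:00"},
    {"id": "INC-002", "service": "payments",
     "occurred": "2024-03-04T10:00:00", "detected": "2024-03-04T14:00:00",
     "restored": "2024-03-04T16:00:00"},
    {"id": "INC-003", "service": "reporting",
     "occurred": "2024-03-05T00:00:00", "detected": "2024-03-05T12:00:00",
     "restored": "2024-03-06T00:00:00"},
]

# Recovery time objective per service, in hours (assumed values).
RTO_HOURS = {"payments": 4, "reporting": 48}

# Assumed maturity levels (1-5) for the four building blocks of the article.
CURRENT_MATURITY = {
    "Governance & strategy": 3,
    "Protect & secure": 4,
    "Resilient response & business continuity": 2,
    "Intelligence & adaptation": 2,
}
TARGET_MATURITY = {
    "Governance & strategy": 4,
    "Protect & secure": 4,
    "Resilient response & business continuity": 4,
    "Intelligence & adaptation": 3,
}
# Assumed criticality weight per block (1 = low, 3 = high), set from mission mapping.
CRITICALITY = {
    "Governance & strategy": 2,
    "Protect & secure": 3,
    "Resilient response & business continuity": 3,
    "Intelligence & adaptation": 2,
}


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def mean_time_to_detect(incidents: List[dict]) -> float:
    """MTTD in hours: mean of (detected - occurred) across all incidents."""
    gaps = [_hours(i["occurred"], i["detected"]) for i in incidents]
    return sum(gaps) / len(gaps)


def rto_attainment(incidents: List[dict], rto_hours: Dict[str, int]) -> Dict[str, float]:
    """Per service, the fraction of incidents restored within that service's RTO."""
    met: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for inc in incidents:
        svc = inc["service"]
        total[svc] = total.get(svc, 0) + 1
        if _hours(inc["occurred"], inc["restored"]) <= rto_hours[svc]:
            met[svc] = met.get(svc, 0) + 1
    return {svc: met.get(svc, 0) / n for svc, n in total.items()}


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 criticality: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (block, gap_levels, priority_score) for every block below target,
    highest score first. Score = gap in maturity levels x criticality weight."""
    gaps = []
    for block, tgt in target.items():
        gap = tgt - current[block]
        if gap > 0:
            gaps.append((block, gap, gap * criticality[block]))
    # Sort by descending score, then by name so ties are deterministic.
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


def plan_roadmap(gaps: List[Tuple[str, int, int]], capacity_levels: int) -> Dict[str, int]:
    """Allocate the organisation's capacity for change (maturity levels it can
    close in one cycle) to the prioritised gaps; gaps it cannot fund are deferred."""
    plan: Dict[str, int] = {}
    remaining = capacity_levels
    for block, gap, _score in gaps:
        if remaining == 0:
            break
        take = min(gap, remaining)
        plan[block] = take
        remaining -= take
    return plan


if __name__ == "__main__":
    print("MTTD (hours):", mean_time_to_detect(INCIDENTS))
    print("RTO attainment:", rto_attainment(INCIDENTS, RTO_HOURS))
    prioritised = gap_analysis(CURRENT_MATURITY, TARGET_MATURITY, CRITICALITY)
    print("Prioritised gaps:", prioritised)
    print("This cycle (capacity 3 levels):", plan_roadmap(prioritised, 3))
```

On the constructed data the payments service misses its 4-hour RTO on both incidents while reporting meets its 48-hour RTO, which is exactly the kind of signal that feeds the gap score for the response and continuity block; with a capacity of three maturity levels per cycle, the roadmap funds that block first and defers the intelligence and adaptation gap to a later cycle, illustrating why prioritisation has to account for capacity for change and not only the size of each gap.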

Phase 4: Implementation

Implementation focuses on executing prioritized improvements while maintaining operational continuity. This phase emphasizes incremental improvement, balance across technology and culture, and the importance of measurement and feedback. It ensures that improvements achieve their intended outcomes while avoiding unintended consequences and/or seizing fleeting opportunities. Establishing feedback mechanisms and learning protocols ensures that the implementation process contributes to organisational learning and capability development (value generation). This creates a virtuous cycle that can fundamentally alter the business, requiring a re-evaluation of mission mapping and continuous improvement in resilience capability.
