Article
by James Thomas, SVP Defence & Cyber in Nortal’s Defence business unit and Michael Hampson, CEO of Nortal’s UK cybersecurity business unit

Embedding resilience: Becoming cyber resilient through accepting the threat

Cybercrime, often called the dark underbelly of digitalisation, continues to rise rapidly like an epidemic. While organisations are inclined to focus on prevention, the alarming statistics should push us to accept the reality that attacks are inevitable and adopt the “when, not if” approach, shifting our pursuit from the illusion of perfect security toward an achievable goal of cyber resilience.

It’s not a question of if you will be attacked; it’s a question of when.

42% of organisations reported phishing and social engineering attacks in 2024

99% of organisations expect an increase in cyberattacks this year in terms of volume, costliness, or both

29% of organisations reported that they had been materially affected by a cyber incident in the past 12 months

A resilient culture

This resilience-focused approach becomes even more critical as digital transformation accelerates, exponentially expanding the threat surface. When treated as a strategic enabler rather than a constraint, cyber resilience—embedded throughout the organisation’s operating model—can actually amplify digital initiatives while digital capabilities strengthen security postures.

Organisations must, therefore, integrate robust security controls into all transformation projects (including new product launches, acquisitions, and market expansions) from inception, not as an afterthought. Cyber resilience transcends being merely an incident-driven technical function; it is a dynamic mindset and adaptive culture that evolves alongside both threats and opportunities.

While tools like firewalls and threat detection systems play an essential role, true resilience depends on people, processes, and leadership commitment to cybersecurity best practices.

A resilient culture means that employees at all levels understand cyber risks, take proactive measures, and respond effectively to incidents—not just the IT team. Much like digitalisation and customer-centricity have evolved from isolated initiatives to organisation-wide imperatives, cybersecurity must follow the same path to maturity. This evolution involves continuous training, clear communication, and integrating cybersecurity into business decisions rather than treating it as a separate technical concern.

Ultimately, cyber resilience thrives when security becomes a shared responsibility embedded into daily operations and decision-making across an organisation.

Investing in cyber resilience

The era of “tech” businesses and “non-tech” businesses has passed. When everyone and everything is connected to the internet, everyone and everything has an attack vector. So, everything today is a tech business, making data breaches a business problem, not a technology issue. This view, however, is not yet universally accepted in organisational cultures, and cyber resilience is often the victim of budget constraints and/or cuts. Given the difficulty of demonstrating true value and ROI for cyber resilience and security, it is still too often seen as a tradeable commodity, a hindrance instead of an enabler. But it does not have to be this way.

Quantifying the ROI on an investment in cyber resilience is challenging but not impossible. While traditional financial metrics may struggle to capture the full value of resilience measures, organisations can develop meaningful frameworks to assess both direct and indirect returns. This is especially true as the business value of cyber resilience extends beyond simply avoiding costs, encompassing regulatory compliance, operational continuity, and stakeholder trust, all of which contribute to measurable outcomes when adequately evaluated. With the right approach, cyber investments can demonstrate clear value, even if that value takes multiple forms.

Measuring the impact

€10.5tn is the predicted cost of cybercrime globally in 2025

€4.66m was the average cost of a data breach in 2024

€4.76m was the average cost of a malicious insider attack in 2024

The cost of cyber resilience

So, what does cyber resilience cost? It is not a percentage of your turnover but rather depends on your needs.

The key questions to ask are:

  • How does the organisation make money or deliver value?
  • What are the organisation’s critical outputs and/or services provided?
  • What is the threat to each?
  • Does it matter if these systems or information are unavailable for an hour? A day? A week? Can the business continue to function?
  • Ultimately, what compensating or mitigating controls need to be put in place?

The answers to these questions dictate the resilience measures needed and, thus, costs. The most important aspect is that the cyber resilience program is aligned with the business. It is a mistake to optimise for the wrong problem.

The building blocks of embedding resilience

A complete checklist for a comprehensively cyber resilient organisation.

01. Governance & strategy

02. Protect & secure

03. Resilient response & business continuity

04. Intelligence & adaptation


Embedding resilience

To embed the cyber resilience process, we need to embrace erudition, constantly learn from our mistakes, and then adapt and apply those lessons to any given context, not once, not twice, but continuously. Cyber resilience can then be embedded through four distinct phases, constantly monitored as threats and risks evolve.

Phase 1: Mission mapping

Mission mapping involves deeply examining an organisation’s purpose to understand the value it provides to stakeholders and to identify critical functions that must be maintained under adverse conditions. Value stream and dependency mapping help uncover how the organisation creates and delivers value, revealing key interdependencies that affect resilience. This process extends to stakeholder relationships, offering a broader understanding of the organisation’s ecosystem, including its supply chain. By clarifying purpose and operations, mission mapping allows for the examination of assumptions, ultimately strengthening organisational resilience.

Phase 2: Capability assessment

Capability assessment involves systematically evaluating an organisation’s current adaptive capacity (its ability to absorb disruption without critically impacting business operations and/or value generation), and therefore gauging its ability to respond to both challenges and opportunities. This assessment spans protective security measures, operational flexibility, and intelligence capabilities, providing a comprehensive view of organisational resilience. The assessment process employs both quantitative measures (Recovery Time Objective (RTO), Mean Time to Detect (MTTD)) and qualitative measures (Resilience Culture Assessment, Crisis Simulation Performance), recognising that resilience cannot be reduced to simple metrics. Instead, it considers multiple capability dimensions, from technical controls to human factors and organisational culture.

Phase 3: Gap analysis

Gap analysis compares an organisation’s current resilience posture against its desired state, identifying areas for improvement across all framework layers. This desired state is typically defined through industry frameworks (such as NIST Cybersecurity Framework, ISO 27001, etc.), regulatory requirements, and organisation-specific objectives established during the mission mapping phase. This analysis considers not just capability gaps but also opportunities for enhancement and innovation. The prioritization of improvements considers both the criticality of identified gaps and the organisation’s capacity for change (an element of its adaptive capacity). Action planning then creates realistic roadmaps for closing these gaps while maintaining operational stability and acknowledging constraints (time, budget, etc.).

Phase 4: Implementation

Implementation focuses on executing prioritised improvements while maintaining operational continuity. This phase emphasises incremental improvement, balance across technology and culture, and the importance of measurement and feedback. It ensures that improvements achieve their intended outcomes while avoiding unintended consequences and, where possible, seizing fleeting opportunities. Establishing feedback mechanisms and learning protocols ensures that the implementation process contributes to organisational learning and capability development (value generation). This creates a virtuous cycle that can fundamentally alter the business, requiring a re-evaluation of mission mapping and continuous improvement in resilience capability.
