The Cyber Resilience Compass 2025
All of the organizations involved in this project
had awareness campaigns focused on general
cybersecurity and cyber hygiene practices.
However, fewer organizations had context-specific
programmes that explored in depth digital
dependencies in particular areas of the business
and consequently the unique cyber risks tied to
those parts of the organization. For instance, there
were examples where local business continuity
plans and exercises did not cover relevant cyber risk scenarios, leaving staff unprepared for such
situations. Many experts also highlighted a
widespread shortage of specialist staff, which
put unsustainable pressure on the available staff
during times of crisis. Together with a community of
cybersecurity experts, the World Economic Forum
has developed the Strategic Cybersecurity Talent
Framework featuring achievable approaches to help
organizations build sustainable talent pipelines.
A company can be resilient only if its people are resilient. There’s
no point in writing fantastic incident response plans, playbooks
and running exercises when, in reality, people drop out because
they were already under severe pressure.
Swantje Westpfahl, Director, Institute for Security and Safety (ISS)
We try to make the mistakes during the tabletop exercises, so
we learn and we are ready when the problem occurs. It doesn’t
mean that it will be perfect then, but at least we will be a bit
more prepared.
Elie AbenMoha, Chief IT Security Officer, Publicis Resources
CASE STUDY 5
Engro – Collaborating for cyber resilience: Engaging stakeholders across every level
Cyber resilience cannot be achieved by the cybersecurity
team alone; it requires the active engagement of key
stakeholders throughout the organization. At Engro, regular
tabletop exercises involve those critical stakeholders
from information and communications technology (ICT),
security, senior management, legal, public relations (PR)
and operations to prepare for a serious cyber incident and
evaluate the organization’s readiness to respond. These
exercises follow a structured format that includes developing
scenarios based on real-world threats, participant briefings,
live role-playing of incidents and post-exercise assessments.
A key focus is leadership engagement, with executives
actively involved in decision-making simulations, crisis
communication drills and impact assessments to replicate
real-world cyber incidents.
Past exercises have helped Engro to reveal gaps in detection,
response, back-up validation, escalation procedures,
decision-making and cybersecurity awareness across
teams. Following the exercises, Engro implemented key
improvements such as:
– Enhancing incident response plans with clearly defined
roles and responsibilities
– Strengthening back-up and recovery strategies to ensure
business continuity
– Conducting targeted cybersecurity awareness training for
employees, including senior management, streamlining
communication between ICT, leadership and PR teams
for faster decision-making
– Deploying advanced security solutions and automation
tools for real-time threat detection and response
These measures have helped to enhance Engro’s cyber
resilience, accelerate incident response times and strengthen
crisis communication. Leadership involvement ensures that
cyber resilience remains a top priority, emphasizing the need
for proactive risk management and crisis preparedness.
The Cyber Resilience Compass: Journeys Towards Resilience