The Cyber Resilience Compass 2025
3.7 Ecosystem engagement

Ecosystem engagement describes an organization’s approach and practices in interacting with its wider ecosystem, including its supply chain, customers, competitors and regulators. This involves:

– Building visibility of upstream and downstream dependencies with external parties
– Consistently assessing risk bidirectionally with dependent parties
– Responding in partnership with external actors
– Sharing information in external forums
– Adapting to the changing technical, operational and regulatory environment

Examples of front-line practices that organizations are applying:

– CISOs, in collaboration with business units, identify critical dependencies and single points of failure by improving visibility and developing an accurate mapping to evaluate third-party risks. An accurate mapping recognizes that supply chains are non-linear, that an issue can propagate up or down the supply chain, that organizations can be both a supplier and customer, and that a single third party can hold multiple roles.
– CISOs evaluate third-party cybersecurity postures by establishing a consistent risk assessment methodology and collaborating with front-line business units and procurement teams in establishing mitigation measures. Approaches include using comprehensive questionnaires, implementing contractual requirements and collaborating with third parties to improve their capacities to respond, continue operations and mitigate impact in case of an incident.
– CISOs introduce playbooks that go beyond the immediate organization to enable faster and more effective remediation. This includes proactive collaboration with key partners, cross-organizational exercising and building relationships long before a crisis occurs.
– Organizations engage frequently and actively in information-sharing networks to identify threats faster, proactively mitigate vulnerabilities, share resources and manage systemic risk. These networks can include information security and analysis centres (ISACs), computer emergency response teams (CERTs) or other forms of collaboration, involving partnerships with governments and private-sector entities, including competitors, customers and suppliers.
– CISOs and legal teams ensure the organization remains adaptable to and engages with developments in the wider ecosystem to improve visibility of incoming changes and capacity to adapt to the new environment. This includes engagement with regulatory bodies, policy-makers and industry bodies to stay adaptable to regulatory, policy and technology developments.

Experts agreed that while organizations can take significant steps to enhance their own cyber resilience, this individual posture can depend heavily on the resilience of the broader ecosystem, which requires collaborative action. This collaboration should focus on: identifying and addressing single points of failure; optimizing the use of limited cyber talent while working to expand this talent pool over time; engaging with regulators to encourage cyber resilience throughout the ecosystem; developing a more efficient and effective systemic approach to supply assurance than current practices; and proactively addressing threats while finding ways to disrupt those who seek to exploit cyber vulnerabilities.
“The industry has to be engaged in any solution. It can’t be sort of a government in a vacuum or regulate errors without working with industry to understand what a model would look like and how they can do it.”

Michele Mosca, Chief Executive Officer, evolutionQ
The Cyber Resilience Compass: Journeys Towards Resilience
20