The Cyber Resilience Compass 2025

Page 5 of 26 · WEF_The_Cyber_Resilience_Compass_2025.pdf

Unpacking cyber resilience¹

Cyber resilience goes beyond traditional cybersecurity; it is an organization’s ability to minimize the impact of significant cyber incidents on its primary business goals and objectives. The term “cyber resilience” does not diminish the importance of cybersecurity but recognizes that where 100% cybersecurity cannot be achieved, further measures are required (both pre- and post-incident) to protect the organization from the impacts of severe cyber events.

When considering cyber resilience, it is important to take a broad view of what cyber risk encompasses. Cyber risk can refer to any risk that arises from an organization’s use of information services and digital technology or from their use by others in the supply chain or within the wider business environment. Organizations need to consider the many ways in which they are exposed to cyber risks and how they can limit potential impacts – whether by investing in operational cybersecurity controls, by adapting business processes or by taking steps to reduce legal or regulatory liability. This might involve ensuring that business-as-usual operations can continue when system outages occur or limiting the harm that could arise from a compromise to the confidentiality of data. Cyber resilience focuses on limiting the impact, which could be short-term or long-term, operational or strategic, financial, legal or reputational – or a combination of these factors.

Preparing for cyber incidents

Organizations advise acting on the assumption that significant cyber incidents will occur. To ensure that they can continue to achieve their primary goals and objectives, organizations need to be able to:

– Anticipate and plan for incidents, based on an understanding of the threats to which they are exposed and the potential harms that could arise.
– Design processes and establish contingent capabilities that will place the organization in a good position to absorb and recover from events.
– Adopt information governance practices that can limit the impact arising from confidentiality breaches and data integrity compromises.
– Learn from incidents affecting their own organization and peers and adapt to strengthen their resilience posture – and perhaps find even better ways to deliver business value.
– Take a broad view of cyber risk and the many ways in which malign actors could exploit cyberspace to cause harm to their operations, profitability or reputation.

The Cyber Resilience Compass: Journeys Towards Resilience 5