The Cyber Resilience Compass 2025
Page 8 of 26 · WEF_The_Cyber_Resilience_Compass_2025.pdf
3 Learnings from front-line practice
What lessons can be learned from speaking with cyber experts about their front-line practices? What are they advising their peers to do?
Through workshops and consultations with cyber experts, a list of front-line practices was gathered and systematized into a manageable set of seven categories. The following sections provide a brief description of what each category entails, together with examples of the front-line practices that the world’s leading practitioners follow in each area. The list of front-line practices is not exhaustive, but the examples are intended to inspire action and provide direction. Reflecting the complex reality of cyber resilience, many of the practices relate to more than one of the overlapping and interrelated categories.
3.1 Leadership
Leadership describes the approach to setting goals, making decisions and providing direction for the organization. This involves leaders:
– Identifying the “crown jewels” and prioritizing their resilience
– Defining and owning the organization’s risk tolerance
– Embedding a cyber resilience culture
– Empowering local decision-making within the overall parameters set by top leadership
– Promoting cross-organizational collaboration
Examples of front-line practices that organizations are applying:
– Top leadership identifies the organization’s most valuable assets, business processes and products (its “crown jewels”) to ensure adequate prioritization and resource allocation. Technical leadership develops an understanding of how technology supports these assets and quantifies the associated risks, including financial, operational and reputational impacts.
– Top leadership validates the organization’s risk tolerance to balance the strategic imperative to drive growth with the need to maintain operational stability. By setting clear parameters for risk assessments, establishing the organization’s risk profile and communicating it, leaders steer decision-making and ensure that any risks taken align with the company’s overarching objectives.
– Top leadership embeds cyber resilience as a core organizational value so that everyone, from top leadership to entry-level employees, embraces awareness, proactivity and adaptability. Chief information security officers (CISOs) actively communicate the importance of cyber resilience and enforce clear cyber resilience policies, encouraging employees to take responsibility for protecting data and systems.
– Risk owners and CISOs engage with leadership to enable informed decisions and active management of the organization’s cyber risks. CISOs’ engagement with top leadership includes context-specific cyberthreat briefings, personalized cybersecurity and awareness training, scenario-based tabletop exercises and expert briefings.
– Top leadership builds trust and open communication with CISOs and technical teams to cultivate effective cross-organizational collaboration. Top leadership engages with the CISO, asks critical questions and helps prioritize cybersecurity investments to enable swift responses in crises and alignment of resources with the organization’s risk appetite and strategic goals.
The Cyber Resilience Compass: Journeys Towards Resilience