
Five principles for building cyber resilience

Published on September 11, 2025

Many organisations say they want to be “cyber resilient”, but the term is often vague. Too often, we still see absolutes like “zero appetite for cyber loss” — a phrase that, taken literally, would require shutting down email, disconnecting from the internet, and probably ceasing to trade. At its core, resilience means the organisation can absorb shocks and adapt services so essential outcomes continue.

In our work with clients across industries, we often see a gap between the rhetoric of resilience and the reality of how it is managed and measured. This gap may explain why many firms feel they are spending more on cyber but seeing little improvement in confidence.

Regulators are reinforcing the same point: resilience must be evidenced in business terms. In Europe, DORA now applies and NIS2 is being transposed across Member States, raising requirements on risk management, testing and incident reporting. In the UK, firms must operate within defined resilience requirements under the operational resilience regime, with a new Cyber Security and Resilience Bill on the way. In the US, SEC rules require disclosure of material incidents within four business days and annual reporting on governance. All that to say… the direction of travel is consistent. None of these regulations prescribes a single method, but each expects boards to evidence resilience in business terms and to test readiness against severe-but-plausible disruption.

To put an actionable perspective on this topic, I wanted to share five principles that I see as critical to embedding resilience as a discipline.

1. Tolerate cyber losses, but within limits

No organisation can eliminate all cyber risk. The right goal is to define how much loss is acceptable, then ensure exposure stays within that boundary. For large, low-frequency losses, cyber insurance can play a role in protecting capital reserves. For more likely losses, resilience depends on operational capacity to absorb disruption.

Unfortunately, it is still common to see statements such as “we have a zero appetite for cyber risk.” This is like saying you have zero appetite for getting wet in the rain. Taken literally, the only way to achieve it would be to never step outside. In the same way, a blanket “zero appetite” statement for cyber is unrealistic and unhelpful for decision-making.

How to bring this principle to life?

Define and communicate your cyber risk appetite quantitatively, so leadership knows what “within limits” means. This limit defines the residual risk you either transfer or accept.

2. Connect security and risk transfer

Too often, security investments and insurance decisions are made in isolation. True resilience requires viewing mitigation and transfer together. The business needs a single view of how much risk to reduce directly, how much to transfer, and how much to accept.

We partnered with Beazley to help clients do exactly this by offering CRI (our CRQ SaaS platform) licences at zero cost to eligible Beazley insureds. Contact me if you would like to know more about this.

How to bring this principle to life?

Build a combined view of cyber exposure, investment, and insurance cover or retentions, and test different mixes against appetite. Once residual exposure is clear, the next question is whether current spend is financially efficient.

3. Optimise investments for efficiency

Resources are finite. Resilience is not about spending the most; it is about spending efficiently. In our cost-benefit modelling, we often see one investment deliver more than three times the loss reduction of another at a similar cost.

The aim is to reduce the likelihood of material losses at the lowest sustainable cost, balancing internal capability with external support.

How to bring this principle to life?

Use quantified analysis to rank initiatives by marginal risk reduction per pound, then re-order the roadmap accordingly. Efficiency ranking relies on quantified scenarios, which come from linking threats to potential losses.

4. Link threats to losses

Resilience is achieved when control prioritisation is directed by the threats that could actually drive material losses. Threat intelligence must connect to financial impact, not just technical activity.

Cyber Risk Quantification (CRQ) provides the economic backbone that connects the risk decision to the resilience decision, by translating attacker behaviours into quantified loss scenarios that leaders can compare and act on.

How to bring this principle to life?

Map the threats most likely to cause material loss, link them to the business services they stress, and assess how existing controls shift frequency or impact. Use those outputs to help choose which scenarios to exercise and to focus continuity improvements where they matter most.
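The four "how to bring this principle to life" steps above (a quantified appetite, a combined view of mitigation and transfer, ranking by marginal risk reduction per pound, and controls that shift scenario frequency or impact) can be illustrated with a small model. The following is an added example written for this post, not CRI's CRQ model or platform code: the scenarios, control effects, insurance retention and limit, and the £500k appetite are all constructed assumptions, and a discrete severity distribution stands in for the curves a real CRQ tool would fit.

```python
"""Toy cyber risk quantification (CRQ) model: appetite, insurance and control ranking.
Constructed example. Each loss scenario has an annual frequency and a discrete severity
distribution; a control multiplies the frequency or severity of the scenarios it affects;
insurance is a per-event retention plus a per-event limit. Every figure below is an
illustrative assumption, not CRI's data or method.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float   # expected events per year
    severity: tuple    # ((probability, loss in GBP), ...) per event

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    frequency_factor: dict   # scenario name -> multiplier on frequency
    severity_factor: dict    # scenario name -> multiplier on each loss outcome

@dataclass(frozen=True)
class Insurance:
    retention: float   # per event, borne by the firm before cover responds
    limit: float       # maximum payout per event

def apply_controls(scenarios, controls):
    """Return scenarios with every control's factors applied (factors multiply)."""
    out = []
    for s in scenarios:
        freq, sev = s.frequency, s.severity
        for c in controls:
            freq *= c.frequency_factor.get(s.name, 1.0)
            m = c.severity_factor.get(s.name, 1.0)
            sev = tuple((p, loss * m) for p, loss in sev)
        out.append(Scenario(s.name, freq, sev))
    return out

def expected_annual_loss(scenarios, insurance=None):
    """Return (gross, retained, transferred) expected annual loss in GBP."""
    gross = retained = transferred = 0.0
    for s in scenarios:
        for p, loss in s.severity:
            paid = 0.0
            if insurance is not None:   # insurer pays above retention, up to the limit
                paid = min(max(loss - insurance.retention, 0.0), insurance.limit)
            gross += s.frequency * p * loss
            transferred += s.frequency * p * paid
            retained += s.frequency * p * (loss - paid)
    return gross, retained, transferred

def rank_controls(scenarios, candidates, insurance, baseline=(), basis="retained"):
    """Marginal reduction and reduction per pound of each candidate added on top of `baseline`.
    basis="retained": loss the firm bears after insurance; basis="gross": all loss avoided."""
    idx = {"gross": 0, "retained": 1}[basis]
    base = expected_annual_loss(apply_controls(scenarios, baseline), insurance)[idx]
    rows = []
    for c in candidates:
        with_c = expected_annual_loss(apply_controls(scenarios, (*baseline, c)), insurance)[idx]
        rows.append((c.name, base - with_c, (base - with_c) / c.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def greedy_roadmap(scenarios, candidates, insurance, budget):
    """Order controls by re-ranking marginal retained reduction per pound after each pick."""
    chosen, remaining = [], list(candidates)
    while True:
        affordable = [c for c in remaining if c.annual_cost <= budget]
        ranked = rank_controls(scenarios, affordable, insurance, baseline=tuple(chosen))
        if not ranked or ranked[0][1] <= 0:   # nothing affordable still reduces retained loss
            break
        best = next(c for c in remaining if c.name == ranked[0][0])
        chosen.append(best)
        remaining.remove(best)
        budget -= best.annual_cost
    return [c.name for c in chosen]

def within_appetite(scenarios, controls, insurance, appetite):
    """Is expected retained loss, after controls and insurance, inside the stated appetite?"""
    return expected_annual_loss(apply_controls(scenarios, controls), insurance)[1] <= appetite

# Constructed inputs: three scenarios, four candidate controls, one insurance tower.
SCENARIOS = (
    Scenario("ransomware", 0.10, ((0.6, 2_000_000), (0.4, 10_000_000))),
    Scenario("bec_fraud", 2.00, ((0.9, 50_000), (0.1, 500_000))),
    Scenario("data_breach", 0.25, ((0.7, 1_000_000), (0.3, 4_000_000))),
)
CONTROLS = (
    Control("mfa_everywhere", 150_000, {"bec_fraud": 0.3, "ransomware": 0.7}, {}),
    Control("immutable_backups", 200_000, {}, {"ransomware": 0.4}),
    Control("dlp_and_encryption", 300_000, {}, {"data_breach": 0.5}),
    Control("tabletop_exercises", 50_000, {}, {"ransomware": 0.9, "data_breach": 0.9}),
)
COVER = Insurance(retention=500_000, limit=5_000_000)
APPETITE = 500_000   # maximum expected retained loss per year leadership will accept (assumed)

if __name__ == "__main__":
    print("baseline (gross, retained, transferred):", expected_annual_loss(SCENARIOS, COVER))
    for row in rank_controls(SCENARIOS, CONTROLS, COVER):
        print("%-20s retained reduction £%9.0f  per £: %.2f" % row)
    print("roadmap for £400k:", greedy_roadmap(SCENARIOS, CONTROLS, COVER, 400_000))
```

Two things fall out of even this small model. Ranked on gross loss the tabletop exercises come top per pound, but ranked on retained loss they drop to third and the DLP control shows no retained benefit at all, because the breach losses it reduces sit almost entirely inside the insurance cover; that is the combined view of mitigation and transfer in practice. And once immutable backups cap ransomware losses at the retention, the tabletop exercises no longer reduce retained loss, which is why the roadmap re-ranks after each pick rather than using the standalone table.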

5. Focus on hygiene where it matters

Good hygiene underpins a resilient business. Not all controls are equal: some make a disproportionate difference in reducing risk exposure. Organisations should concentrate improvement on those, while embedding a culture where basic discipline is routine.

Our attack path modelling often shows a neat application of Pareto's principle: 20% of controls deliver about 80% of the risk reduction.

How to bring this principle to life?

Identify which hygiene controls drive the largest risk reduction and ensure they are continuously maintained. These high-leverage controls are often the top-ranked items in cost-benefit analysis and help keep you within appetite day-to-day.
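The Pareto observation above, and the step of identifying which hygiene controls drive the largest risk reduction, can be reproduced on a small attack graph. The code below is an added example written for this post, not CRI's attack path modelling: the seven-edge graph, the per-edge success probabilities, the controls and the factors by which they harden edges, the two campaigns a year and the £5m loss are all constructed assumptions. It computes the probability an attacker reaches impact exactly (by enumerating which edges succeed), then orders controls by marginal reduction and reads off how many are needed for 80% of the total.

```python
"""Toy attack path model: which controls carry most of the risk reduction?
Constructed example. Edges have independent success probabilities; a control multiplies
the probability of the edges it hardens. Annual exposure = campaigns per year
x P(attacker reaches "impact") x loss. P(reach) is computed exactly by enumerating
every subset of edges that succeed, which is cheap for a graph this small.
"""
from itertools import product

# (source, target, probability the step succeeds if attempted) -- constructed values
EDGES = [
    ("attacker", "foothold", 0.60),   # phishing lands a foothold
    ("attacker", "vpn", 0.30),        # exposed VPN appliance is exploited
    ("vpn", "foothold", 0.90),        # VPN access turned into a host foothold
    ("foothold", "admin", 0.50),      # privilege escalation
    ("foothold", "impact", 0.20),     # data theft straight from the foothold
    ("admin", "domain", 0.70),        # lateral movement to domain control
    ("domain", "impact", 0.90),       # ransomware deployed fleet-wide
]
# control -> {edge index: multiplier on that edge's success probability} -- constructed
CONTROLS = {
    "mfa": {0: 0.5, 2: 0.3},
    "patch_vpn": {1: 0.2},
    "admin_tiering": {3: 0.4},
    "edr": {5: 0.5, 6: 0.7},
    "egress_dlp": {4: 0.5},
    "awareness_training": {0: 0.8},
}
CAMPAIGNS_PER_YEAR = 2          # assumed
LOSS_IF_IMPACT = 5_000_000      # assumed, GBP

def edge_probs(controls):
    """Edge success probabilities after applying the named controls."""
    probs = [p for _, _, p in EDGES]
    for name in controls:
        for i, factor in CONTROLS[name].items():
            probs[i] *= factor
    return probs

def reachable(active, start="attacker", goal="impact"):
    """Can the attacker reach `goal` using only the edges flagged True in `active`?"""
    seen, frontier = {start}, [start]
    while frontier:
        node = frontier.pop()
        for i, (src, dst, _) in enumerate(EDGES):
            if src == node and active[i] and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return goal in seen

def p_impact(controls=()):
    """Exact probability the attacker reaches impact with the given controls in place."""
    probs = edge_probs(controls)
    total = 0.0
    for active in product([False, True], repeat=len(EDGES)):
        weight = 1.0
        for p, on in zip(probs, active):
            weight *= p if on else (1 - p)
        if reachable(active):
            total += weight
    return total

def annual_exposure(controls=()):
    return CAMPAIGNS_PER_YEAR * p_impact(controls) * LOSS_IF_IMPACT

def reduction_curve():
    """Greedy order of controls by marginal exposure reduction, with cumulative share.
    Marginal (not standalone) reductions are used so they add up to the reduction from
    deploying everything; the share column is what a Pareto statement reads off."""
    total = annual_exposure() - annual_exposure(tuple(CONTROLS))
    chosen, remaining, current, curve = [], set(CONTROLS), annual_exposure(), []
    while remaining:
        name = max(remaining, key=lambda c: current - annual_exposure((*chosen, c)))
        new = annual_exposure((*chosen, name))
        chosen.append(name)
        remaining.remove(name)
        curve.append((name, current - new, (annual_exposure() - new) / total))
        current = new
    return curve

def controls_for_share(curve, target=0.8):
    """Number of controls, in greedy order, needed to reach `target` of the total reduction."""
    for n, (_, _, share) in enumerate(curve, 1):
        if share >= target:
            return n
    return len(curve)

if __name__ == "__main__":
    print("baseline annual exposure: £%.0f" % annual_exposure())
    for name, cut, share in reduction_curve():
        print("%-20s marginal cut £%9.0f  cumulative share %.1f%%" % (name, cut, 100 * share))
```

With these assumed numbers three of the six controls (MFA, EDR, egress DLP) carry about 87% of the achievable reduction, and MFA alone over half, because it sits on the one step every path shares. Two caveats matter when reading such a curve in practice: the ordering is marginal, so a control's contribution depends on what is already in place (admin tiering looks strong on its own but adds little once EDR has cut the lateral-movement path), and the curve says nothing about cost, which is why it pairs with the cost-benefit ranking rather than replacing it.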

Where to begin

These principles provide a framework for better decision-making, but they only work if exposure is expressed in measurable terms. Without that, “within limits” or “material risk” remain subjective. CRQ provides the economic backbone, giving one financial baseline to link risk appetite, investment, risk transfer, and resilience preparations.

Our new CRQ Accelerator is designed to help organisations make both risk and resilience commitments explicit and actionable. In six weeks, it delivers an executive-ready report that quantifies cyber risk in financial terms, aligns with risk appetite, and benchmarks against peers. You also receive two months of complimentary access to our CRI platform to explore scenarios and build quantified business cases as you socialise the results.

Author
James Hanbury
Global Lead Director, Co-founder
James is the co-founder and Global Lead Director of CRI. He has spent over a decade working with cyber and risk teams, helping them bring more structure and clarity to how cyber risk is measured and communicated. James began building the earliest versions of CRI's models back in 2016, using Excel to explore how organisations could approach cyber risk in a more decision-focused way. That work has since grown into a SaaS-enabled capability now used by clients around the world. Based in London, James continues to work closely with CRI's clients and partners, focusing on how to make cyber risk quantification useful, explainable, and easier to adopt in practice.