
Article

From cybersecurity to cyber resilience: Four steps to move from numbers to action

Learn how to define and build cyber resiliency.

What does cyber resilience mean? And how is it different from cybersecurity?

A security-centric organization focuses on prevention — deploying firewalls, limiting access, and training employees, among other cybersecurity processes and controls. A cyber-resilient organization assumes that those security measures can fail and has decided in advance how it will respond when they do.

True cyber resilience is achieved when an organization has the capacity not only to anticipate and prevent attacks, but also to respond to and recover from one. A cyber-resilient organization can minimize losses from a cyberattack and quickly resume operations.

How can my organization build or improve cyber resilience?

In today’s cyber environment, organizations must be prepared to battle through adversity and restore operations quickly. The case for cyber resilience has never been stronger. Organizations should take these four steps to help build cyber resilience into their operations and embed it within their culture.

  1. Anticipate risk: Prepare, prepare, prepare! Preparation is the cornerstone of your cyber resilience plan. You can:
    • Determine the degree of contingent business interruption risk that exists within your organization.
    • Use financial stress testing to learn how much stress your organization can bear during and after a cyberattack.
    • Develop early warning metrics to enable more effective decision-making during an attack.
    • Consider your vendors and partners and create metrics that measure the potential security risks your supply chain partners pose.
  2. Align cyber risks with organizational strategy: Consider integrating your cyber risk management program with your organization’s strategy. The Marsh Risk Resilience Report found that 25% of companies do not align risk and resilience planning and insurance buying with their long-term growth strategies. Key stakeholder alignment on cyber risk can help, but is often missing.
  3. Look for gaps: Assess how prepared your organization actually is to withstand a cyberattack, and map that against the potential impact of an attack. There is often a misalignment between how an organization views a risk and how prepared it is to manage that risk. While more than 90% of organizations consider cyber/technology risks important or highly important, only 18% of them feel highly prepared to manage cyber risk.
  4. Measure your cyber risk exposure: Take a holistic look at cyber risk across your organization. Identify potential issues, and quantify your exposure in terms of their operational, financial, and reputational impacts.

While most organizations rank cyber as an important or highly important risk, fewer than one-third use scenario-based financial metrics to model cyber risk, and more than a quarter do not model cyber risk at all.

Report

Marsh's Risk Resilience Report

Building a More Resilient Business

To learn how leading global organizations perceive risk and define resilience, as well as the actions they are taking to increase their resilience, read Marsh's Risk Resilience Report.
