So what exactly is cyber resilience anyway?

There is no doubt that cyber resilience has become a board-level priority. There is, however, significant inconsistency in how the concept is defined and discussed. Concepts of cyber risk and preparedness are often framed as cyber resilience, and the term cybersecurity is frequently used as a synonym for it. This creates ambiguity for those tasked with its oversight, particularly at the management and board level.

Without a clear definition of cyber resilience, boards will struggle to determine what they should oversee, what they should measure, and how to evaluate overall organizational cyber resilience. This challenge is amplified by external factors such as regulatory pressure, increasing public scrutiny, and the growing economic impact of cyber disruption, all of which weigh heavily on executive teams and even more so on boards of directors.

What does current research literature tell us?

In an effort to synthesize the views that currently exist on this topic, a detailed literature review was recently conducted on 38 articles that examine how cyber resilience is defined and conceptualized in contexts that are relevant to boards of directors and executive teams. The review included peer-reviewed academic research articles, industry white papers, and outputs from recognized working groups conducting research in cyber resilience.

The goal of the literature review was to assess whether existing definitions and conceptualizations of cyber resilience demonstrate sufficient alignment to support a generalized definition of cyber resilience relevant to boards and executive teams and, over time, support meaningful measurement models. This brief provides a short synthesis of the findings, focusing on areas of convergence and divergence across the existing literature.

Where the literature converges

  • Organizational Outcomes vs. Policy and Controls

The literature consistently agrees that cyber resilience should be tied to organizational outcomes rather than to technical controls and policies. Rather than focusing on metrics such as mean time to detection or the number of security controls in place, cyber resilience should be evaluated in terms of business continuity, preservation of stakeholder confidence and financial stability in the wake of major disruptions. This does not make technical metrics irrelevant; they remain useful operational inputs, but on their own they do not measure resilience. Treating resilience this way requires that it be handled as a strategic priority integrated into organizational governance and business strategy.

  • Resilience is Much Broader than Preparedness

While some articles framed risk prevention and protection as part of resilience, business continuity and recovery featured prominently as resilience themes in virtually every article reviewed. This reflects a common belief that disruption is inevitable and that resilience is demonstrated through rapid response and recovery rather than through preparedness alone. Some articles went as far as to advocate treating cybersecurity and cyber resilience as separate concepts in order to remove the ambiguity.

  • Cyber Resilience is a Leadership Responsibility

Cyber resilience is increasingly framed as a leadership responsibility, and its governance is identified as one of the top challenges currently faced by boards of directors. Many sources explicitly position boards as accountable for resilience outcomes, with some articles stressing the need to assign responsibility to a single officer. This is driven in part by government regulation: in some jurisdictions, board responsibility for cyber resilience outcomes is explicitly identified. Articles also highlight the critical role of senior leadership in fostering a culture of cybersecurity awareness and resilience across the entire organization.

  • Industry Context

The review also investigated differences in definitions and conceptualizations of cyber resilience across industries. Differences do exist, but they reflect prioritization and operating environment rather than fundamentally different views of resilience. For example, articles focused on the financial services sector emphasized regulatory compliance and the systemic stability of the ecosystem, while those focused on the energy and industrial sectors made it clear that the priority is operational continuity and safety. While these differences influence how resilience is implemented and measured, the underlying concept of cyber resilience remains consistent across industries.

Diverging views

  • Conceptual Framing – What exactly is Cyber Resilience?

One area where the current cyber resilience literature diverges is in the overall framing or construct of cyber resilience. In many cases cyber resilience is framed as a component of cybersecurity, while other articles consider cybersecurity a precursor to cyber resilience. In many of the reviewed articles, terms such as risk management, cybersecurity preparedness and cyber resilience were used interchangeably. Approximately 30% of the articles framed cyber resilience as a distinct construct, differentiating it from general cybersecurity concepts; these articles consistently positioned cyber resilience as a broader strategic governance construct.

  • Scope of Cyber Resilience – Where does it start and where does it end?

The most glaring area of debate is where in the lifecycle of a cyber crisis responsibility for cyber resilience starts and ends. For example, as previously noted, it is often unclear whether preparedness is part of resilience or a precursor to it. Nearly half of the articles reviewed treat risk analysis and preparedness as separate from resilience; in those cases resilience is limited to response, recovery and adaptation, essentially separating what happens before a crisis from what happens during and after it. This separation has a practical logic, since cyber risk preparedness is generally measured through policies and controls, while crisis response, recovery and adaptation require very different measures. Still, slightly more than 50% of the articles view cyber resilience as an overarching construct that spans everything from anticipating risk through to recovery and adaptation. This view also makes sense, and it is the one more relevant to boards and executive teams given their broad fiduciary responsibility to protect the company and its shareholders.

  • Cybercrime, the Catalyst for Cyber Resilience – What about unintentional disruptions?

A related area of debate is how broadly the causes of disruptive events are defined in the context of cyber resilience. While cybercrime features prominently in the literature and remains the dominant driver of cyber risk, many definitions intentionally avoid tying resilience to a single type of threat. In fact, of the 38 articles reviewed, only two specifically linked their definition of cyber resilience to events resulting from cybercrime. This was a surprising finding, but an encouraging one given the number of recent, highly visible unintentional disruptions (for example a faulty software update or an infrastructure misconfiguration) that have caused massive outages. Cyber resilience governance needs to focus on an organization's capacity to absorb and recover from any type of cyber disruption, intentional or not.

  • Governmental Regulation – an Enabler or a Constraint?

Regulatory frameworks for cyber resilience vary significantly across geographies and industries, creating challenges for standardization. Cyber regulations in the financial services sector are quite different from those in the energy sector, which in turn differ from those in the consumer technology sector. Several of the articles reviewed highlighted the complexity of navigating the sea of regulations and regulators. Relevant authorities include CISA, the FTC and the SEC in the United States, more than ten sector-specific regulators in the UK, the individual member states of the EU, and many more. There is some disagreement about the benefits of regulation, but the majority view in this review is that for organizations, particularly multinationals, the complexity has become unmanageable. It is also noted that for small and medium enterprises, regulatory compliance can create a false sense of security, since it is tempting to assume that compliance equates to resilience.

Implications for boards and executive teams

Boards and executive teams are increasingly expected, and in some cases required by law, to bear responsibility for overall cyber risk and resilience outcomes. This responsibility far exceeds the historical expectation of simply approving security investments or compliance activities. To discharge it effectively, a clear definition and scope of cyber resilience must be communicated to the board and executive team in business terms. For such audiences cyber resilience must be framed in terms of operational impact, financial exposure, and organizational continuity rather than technical indicators alone.

As economies become more integrated and interdependent, their exposure to, and the impact of, cyber disruption grows with them. The ability of individual organizations to withstand and quickly recover from cyber disruption is therefore not just a measure of organizational cyber resilience; it also contributes to global economic resilience. In this sense, cyber resilience should be considered one component of a larger resilience agenda, alongside financial, operational, and supply-chain resilience. Clarifying the scope of cyber resilience at the board level is therefore not only a governance issue, but also a foundation for understanding overall resilience in increasingly digital economies.
