For the longest time, the fundamental question around cybersecurity was how well the organization protected itself from evolving threats. The focus was on prevention. However, advanced technologies like AI have forced us to tweak the question to, how resilient is the organization in the face of cyberattacks? Organizations must lead from the position of knowing an attack is not only imminent but also likely to succeed. The focus is on surviving such an attack, with resilient systems and processes that ensure business continuity against all odds.
Cyber risk equals business risk
The days of thinking of
Three forces shape the threat landscape
We at the ISF believe these three primary forces are reshaping the threat landscape and will continue to do so for the foreseeable future.
• The rise of AI: So-called vibe coding involves feeding plain-language instructions into AI to generate programming code without fully understanding its antecedents and precedents. Its use has the potential to introduce vulnerabilities at scale. Attackers can exploit AI hallucinations — the gap between what is true and what AI systems believe to be true. Algorithm poisoning, prompt injections, and AI agent manipulation are related threats that should be included in any risk management evaluation.
• Sophistication of cybercrime: Cybercrime groups are now organized much like legitimate corporations: they recruit experts, invest in R&D, and establish front companies to launder both money and reputation. As tech companies undergo layoffs, there is a real possibility that disaffected individuals will join such underground operations.
• Geopolitical instability: Instability creates an environment in which nation-state actors hold sway and serve as tools of disruption. Tensions between countries put energy providers, transport networks, healthcare systems, and other critical services in the crosshairs of attackers.
Anatomy of the minimum viable organization
How does an organization begin sowing the seeds of resilience? Think from the perspective of a minimum viable organization: identify the critical processes without which the business cannot function. After identifying these processes, zero in on the crown jewels, the information assets that support them. These are the assets that cannot be lost or compromised, because doing so would devastate stability. Assets at the top of the asset pyramid require comprehensive security controls to ensure they remain inaccessible to anyone who is not authorized to use them.
Fundamentals of cyber resilience
An organization's crown jewels are priceless, but building genuine resilience relies on establishing the right fundamentals.
• The nature of assets: Classify your information estate into mission-critical, confidential, or of negligible importance.
• Define accessibility: Overprivileged access is a common enabler of insider threats and phishing attacks. Ensure that access is limited to users who absolutely must have it.
• Identify the greatest risks: Have risk management processes in place that inform whether the organization is being targeted by AI, nation-states, criminal groups, or environmental hazards.
• Vulnerabilities: Systems must be patched as quickly as possible. Legacy systems or operational technology environments that cannot be patched must be protected with compensating controls.
There is a growing need for security leaders to move closer to the business: to understand business priorities, communicate in commercial language, and show how security enables decisions rather than merely reporting technical risks to the board.
A resilient framework begins with a strong security culture, meaning good security habits permeate into processes and comprise a large part of how work gets done. Prioritization is key. It begins with defining the minimum viable organization well before an attack occurs, not in the midst of a crisis. Secondly, get the basics right, including asset classification, privileged access management, and plugging known vulnerabilities. But these mitigations can unravel if there is no leadership commitment to a mature cyber culture that makes every employee a stakeholder in risk management.