
The Rise of The Cyber Resilient Leader

Navigating digital opportunity and loss while under duress

by Rob Brown, Sr Director of Cyber Resilience

Resilience (n.)

  • 1620s, “act of rebounding or springing back,” from Latin resiliens, “to rebound, recoil.” In the physical sciences, the meaning “elasticity, power of returning to original shape after compression, etc.” is attested by 1824. – Online Etymology Dictionary

The Risk Of Isolation

In the not too distant past, when capital flowed and postponing profitability was a badge of honor, finance teams transferred risk and security teams mitigated it – often in complete isolation. They didn’t align their objectives – nor were they motivated to do so. After all, times were good and nobody seemed to care – until now.

“Corporate and infrastructure cybersecurity budgets are increasingly under pressure amid reduced revenue outlooks owing to economic uncertainty… Cybersecurity investment is not immune to overall budget cuts that could increase downside risk of attacks” – Fitch Ratings

Due to severe financial headwinds, security budgets are now scrutinized and the value of insurance is brought into question. This is also done in isolation – which courts catastrophe. As budgets for security controls get cut, the likelihood of compromise grows. Similarly, as insurance investment shrinks, the likelihood of loss grows. One cost-cutting effort compounds the other.

The Need For Shared Objectives

When isolation of responsibility and financial duress meet, the natural result is cost cutting. The knife is raised without an integrated view of the cost of risk to the organization ever being calculated. Leadership calls it risk acceptance. But can risks truly be accepted that haven’t been calculated? No. That is nothing more than unstructured worry, like someone praying to Fortuna (lady luck) and hoping to avoid a bad day.

The good news is that you can structure and manage your worries. It requires finance and security to share, align, and prioritize strategic objectives. Those objectives consider how business opportunity and risk mitigation work together – particularly when under duress – and support making informed trade-offs when necessary. We call this alignment of objectives Cyber Resilience.

The Call To Cyber Resilience

To be successful in this digital economy, a company must now be Cyber Resilient and integrate its risk mitigation, risk acceptance, and risk transfer so it can take a hit without impacting its ability to deliver value. This requires operating from a core set of principles and practices that tear down the walls of isolated objectives, leading to an integrated and economically efficient approach to managing cyber risk.

The Five Principles Of Cyber Resilience

Cyber Resilience tolerates losses – within limits. This is different from most security strategies, which portray complete loss elimination as the end goal. Operating with shared, aligned, and prioritized objectives reveals how much loss the business can tolerate without incurring operational disruption. For example, “With this configuration of controls, we can live with a 5% chance of losing $10 million and a 1% chance of losing $25 million…”

Cyber Resilience connects security with insurance – avoiding silos. Security investments reduce the likelihood of loss. Insurance investments reduce impact. They work together (as opposed to in isolation) to keep risk within tolerance. That means they consider both the probabilities and dollar-based impacts expressed above as important trade-offs.

Cyber Resilience seeks capital efficiency – while preventing hazards. Over- or under-investing in protection leads to distraction – or worse. The former takes needed capital away from important business opportunities. The latter (negligence) threatens the business with outsized losses. Resilience optimizes the return on controls and insurance so you can keep risk within your tolerance. The goal is a set of rank-ordered strategies that satisfy your needs while avoiding the pitfall of moral hazard.

Cyber Resilience makes cybersecurity visible – so it can be managed. Keeping risk within tolerance requires seeing what’s coming, counting the costs, and responding in kind. This starts with the integrated trio of threat intelligence, vulnerability management, and incident response. Security data is analyzed in relation to the financial losses your business may face. Losses include things like: a data breach, business disruption, extortion, wire-fraud and more. Analysis leads to optimized decisions – decisions that cut across investment strategies and day-to-day security operations.

Cyber Resilience incentivizes cyber hygiene – by maximizing ROI. What is good cyber hygiene? It’s security controls that target the value at risk. It’s also controls that meet industry standards – thus avoiding the perception of moral hazard. Control acquisition and rollout is rank ordered based on return on investment (ROI). High ROI controls reduce the most loss at the lowest cost. Maximizing ROI allows for more controls spread across more risks – which leads to better cyber hygiene. As an added bonus, demonstrable cyber hygiene leads to better insurance terms.

The Practices Of Cyber Resilience

If you want to be a cyber resilient leader, you need to not only embrace the principles of cyber resilience – you must develop the following practices:

Risk Superforecasting: Cyber resilient leaders are trained (like bookies) in risk forecasting. They use their forecasting skills to make accurate measurements and judgements about important (and often uncertain) events that can affect key objectives.

Calculating Value at Risk: Cyber resilient leaders know how to accurately gauge the potential losses they face from threats. Using superforecasting skills they assess the probabilities that threats materialize, and then evaluate the range of losses that may occur to the value their businesses expose.

Resilient Strategy Design: Cyber resilient leaders create strategies that minimize both the likelihood and impact of compromise. Strategies are economically efficient combinations of controls and insurance that keep risk within tolerance without introducing moral hazard.

Resilient Operations Measurement: Cyber resilient leaders know how to measure their operational strategies when put into action. Visibility coming from threat intelligence, the state of cyber hygiene, and value-at-risk is continuously analyzed. If risk tolerance is threatened, actions are taken to bring risk back within tolerance by adjusting security controls and insurance.

Resilient Communications: Cyber resilient leaders are trained to effectively quantify, qualify and communicate about cyber risks. They tell the money people and board what is needed and why (in economic terms) – and they have the operational data and analytics to defend their budgets when scrutinized.
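The loss-tolerance statement from the principles above (“a 5% chance of losing $10 million and a 1% chance of losing $25 million”) and the practices of calculating value at risk and ranking controls by ROI can be made concrete in a small model. This is an added example, not code from the original post or from Resilience; the scenarios, controls, costs and effect sizes are all constructed for illustration, and scenarios are treated as independent.

```python
# Added example (not from the original post): a toy model of loss tolerance,
# control ROI ranking and insurance as an impact reducer. All figures are constructed.

# Tolerance from the text: at most 5% chance of losing >= $10M, 1% of losing >= $25M.
TOLERANCE = [(0.05, 10_000_000), (0.01, 25_000_000)]

# Constructed loss scenarios: name -> (annual probability, loss if it happens).
SCENARIOS = {
    "data_breach": (0.08, 12_000_000),
    "ransomware":  (0.04, 30_000_000),
    "wire_fraud":  (0.10, 2_000_000),
}

# Constructed controls: name -> (cost, scenario addressed, fraction of its probability removed).
CONTROLS = {
    "mfa_everywhere":  (80_000, "wire_fraud", 0.6),
    "offline_backups": (500_000, "ransomware", 0.5),
    "dlp_program":     (1_200_000, "data_breach", 0.4),
}

def exceedance_prob(scenarios, threshold):
    """P(at least one scenario loses >= threshold), scenarios assumed independent."""
    p_none = 1.0
    for p, loss in scenarios.values():
        if loss >= threshold:
            p_none *= 1.0 - p
    return 1.0 - p_none

def within_tolerance(scenarios, tolerance=TOLERANCE):
    """True when every (probability, loss) point of the stated tolerance is respected."""
    return all(exceedance_prob(scenarios, loss) <= p for p, loss in tolerance)

def expected_loss(scenarios):
    return sum(p * loss for p, loss in scenarios.values())

def apply_control(scenarios, name):
    """Security controls reduce likelihood: scale the target scenario's probability."""
    cost, target, reduction = CONTROLS[name]
    p, loss = scenarios[target]
    return {**scenarios, target: (p * (1.0 - reduction), loss)}

def rank_controls_by_roi(scenarios):
    """Rank controls by (expected loss avoided - cost) / cost, highest ROI first."""
    base = expected_loss(scenarios)
    rows = [(n, (base - expected_loss(apply_control(scenarios, n)) - c) / c)
            for n, (c, _, _) in CONTROLS.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def apply_insurance(scenarios, retention, limit):
    """Insurance reduces impact: the business retains the deductible plus anything above the limit."""
    return {n: (p, min(loss, retention) + max(0.0, loss - retention - limit))
            for n, (p, loss) in scenarios.items()}
```

With these constructed figures the controls alone do not bring the $10M exceedance probability under 5%, while a policy with a $1M retention and $25M limit does, which is the controls-plus-insurance trade-off the principles describe.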

Creating a new role around Director, Cyber Resilience

We believe that the principles and practices of cyber resilience necessitate a new leadership role. We are notionally calling it the Director, Cyber Resilience. It sits between finance, security and risk management. The role’s leveling is based on the dual strategic and operational nature of the job.

Strategically, the Director is responsible for developing a cyber resilient strategy. That is an executive function that collaborates across CFOs, Risk Managers, and CISOs.

Operationally, the job includes ample amounts of analytics to support decision making and alerting. Visibility coming in from security operations like threat intelligence, vulnerability management, and incident response is analyzed in relation to value exposure. Results from analytics are used to determine (and alert) if risk is out of tolerance.

Ultimately, the Director’s objective is keeping cyber risk within tolerance. They are accountable to governing that process. That means they work with the responsible organizations by doing the following:

  • Advocating for cybersecurity capabilities that are economically efficient, target value at risk, and avoid moral hazard – all informed by continuous operations analysis and backed by a resilient strategy.
  • Recommending changes to insurance limits and related coverage – helping to keep risk within tolerance in conjunction with recommended cybersecurity capabilities.
  • Transferring and/or mitigating risk that has accumulated under the guise of “risk tolerance” and can lead to loss and the ensuing perception of moral hazard.

Conclusion

“Necessity, the mother of all inventions.” – Plato.

Risk leaders must make trade-offs. They must respond responsibly to economic headwinds. And they must react to the myriad threats created by digital transformation. A cyber resilient leader makes those tradeoffs without exacerbating loss nor incurring moral hazard. They operate from a set of principles that emphasize building economically efficient strategies. Efficiency maximizes return on security controls and insurance together – protecting the value the business puts at risk. In day-to-day practice, the resilient leader uses modern analytics fueled by increased cyber visibility – responding to risk that threatens to exceed business tolerance.

This is how the resilient principles and practices define “The Cyber Resilient Leader.” It’s a modern role for modern organizations – purposed to navigate trade-offs while staying resilient in the face of financial and digital duress.
