
Understand and Promote Cyber Resilience

Learning Objectives

After completing this unit, you’ll be able to:

  • Define what cyber resilience is, why we care, and what we have to do.
  • List the 10 cyber resilience principles.
  • Provide an overview of each principle.
  • Ask the questions created for each principle.
Note

This module was produced in collaboration with the World Economic Forum. Learn more about partner content on Trailhead.

The World Is Changing

Change is constant. We live in a world where technology is everywhere, with devices that can manage nearly every aspect of our lives. In the next few years, billions of new devices will connect to the Internet as well as to corporate and government networks. 

And while the horizon is infinite and the possibilities endless, new cyber risks and threats arise daily. Leaders must take an active role to prepare their organizations to handle and “survive” these threats. Just like a spacecraft on a voyage of discovery needs direction from mission control on Earth, your organization needs you—the executive leaders and board of directors—to set objectives, maintain oversight of the big picture, and appreciate the details. You must serve as your organization’s mission control. The goal is more than cybersecurity—it’s a long-term, strategic approach to cyber resilience.

What Is Cyber Resilience?

Cyber resilience is an organization’s ability to continuously deliver solid results despite challenging cyber events. It’s about being prepared, anticipating threats, determining the appetite for risk, and developing the response and recovery plan when something occurs. 

Cyber Resilience Is a Leadership Issue

Leadership plays a vital role in the pursuit of cyber resilience. Board members are ultimately responsible for including cyber resilience in their organizational strategy, yet many lack the expertise to prepare for cybersecurity risks. Leaders need tools and frameworks that can help them navigate these new challenges. Approaches with minimal oversight or based on trial-and-error will no longer work. It’s time for boards to embrace their role as mission control—understanding the details and guiding the organization safely toward its goals. 

[Image: A group discussing operational strategy in a mission control setting similar to NASA]

Leaders must behave like a strong mission control operation, providing the best strategy to guide the organization. They must identify and prepare for risks, putting the organization in the best position to achieve its mission.

Cyber Resilience Principles

Enter the World Economic Forum (WEF). Working with several partners, the WEF has developed an important new resource, Advancing Cyber Resilience: Principles and Tools for Boards, a framework for boards to integrate cyber resilience into business strategy.

It all starts with 10 cyber resilience principles. 

Board Principles for Cyber Resilience

  1. Responsibility for Cyber Resilience: The board takes ultimate responsibility for oversight of cyber risk and resilience.
  2. Command of the Subject: Board members receive cyber resilience orientation and are regularly updated.
  3. Accountable Officer: One corporate officer is accountable for reporting on cyber resilience.
  4. Integration of Cyber Resilience: Management integrates cyber resilience into business strategy.
  5. Risk Appetite: The board defines and quantifies business risk tolerance, including cyber resilience.
  6. Risk Assessment and Reporting: Management is accountable for reporting assessments of cyber risks to the board.
  7. Resilience Plans: The board ensures the creation and implementation of cyber resilience plans.
  8. Community: The board encourages collaboration with relevant stakeholders.
  9. Review: The board ensures that formal, independent cyber resilience reviews occur.
  10. Effectiveness: The board reviews its own performance and seeks independent advice.

Do You Know What You Don’t Know?

It’s easy to create principles. Putting them into action is the real challenge. In the pursuit of cyber resilience, boards must actively seek the information they need to lead their organizations.

The world of cybersecurity continues to change, and boards must stay on top of this ever-mounting cascade of information. The first step is to ask the right questions of the right people.

[Image: A group of leaders asking questions about the next mission]

To get the information they need, the leaders of mission control ask the right questions of the right people. Information leads to a strong cyber resilience strategy for the organization.

Ask the Right Questions

Boards need to understand where the organization stands and then determine where it needs to go. Ask the leadership team and the organization’s experts. Listen to them to get the information you need to make the best decisions. 

Questions to Ask the Experts

1. Responsibility for Cyber Resilience
  • Should you designate a committee?
  • Is there a current board member with the right skills and expertise?

2. Command of the Subject
  • Does the board receive cyber training?
  • Are there regular updates to the board?

3. Accountable Officer
  • Is there a cyber resilience officer with the right level of authority?
  • Are sufficient resources and budget available?

4. Integration of Cyber Resilience
  • Who governs cyber resilience?
  • Is cyber resilience incorporated at all levels?

5. Risk Appetite
  • Is risk appetite applied to business decisions?
  • Does the board understand the full impact of different risks?

6. Risk Assessment and Reporting
  • Can the organization manage anticipated vulnerabilities and threats?
  • Are risks and threats shared with the board?

7. Resilience Plans
  • Are there cyber resilience plans in place?
  • Are the plans regularly tested and updated?

8. Community
  • What benchmarking occurs?

9. Review
  • Is there third-party analysis of cyber resilience plans?
  • What internal and external audits occur?

10. Effectiveness
  • Is the board oversight effective?
  • Is the board getting the information it needs?

Sum It Up

Cybersecurity continually presents new challenges and opportunities for organizations. Think of the various cyber breaches and attacks that have been in the news over the past several years. How did leadership handle such events? Were they prepared? Can your organization handle a serious breach or attack?

It’s critical that leaders adopt an active role to promote and ensure cyber resilience. Board members act as mission control and are ultimately responsible for their organization’s cyber resilience. Advancing Cyber Resilience: Principles and Tools for Boards is a resource for boards to become more engaged in their essential role. 

Resources