7 Essential Questions Every Leader Must Ask to Achieve Business Resilience


Before you proceed, consider this: If you’re truly committed to business resilience, the traditional approaches to cybersecurity may not be enough. The reality is that no matter how advanced your technology or how skilled your staff, your organization is vulnerable to cyber threats. Just as humans are susceptible to nature’s forces, organizations are vulnerable to the unseen forces in the cyber world.

Recent reports from leading cybersecurity firms underscore the growing severity of these threats. Let’s look at the latest findings from the Ponemon Institute, IBM, and Verizon, each of which reveals alarming trends in data breaches and cybersecurity incidents.

Ponemon Institute Report (2024)

The Ponemon Institute’s 2024 survey highlights that 61% of organizations experienced a data breach or cybersecurity incident in the past two years (“Smart cybersecurity spending and how CISOs can invest where it matters”). More alarmingly, 55% of these organizations faced more than four or five such incidents, indicating the escalating nature of cyber threats. The report emphasizes the human element: 55% of breaches were attributed to negligent employees or contractors, reinforcing the need for continuous security awareness and training. With over half of the organizations surveyed experiencing repeated breaches, the findings underscore that organizations must not only implement security measures but also continually reinforce them.

IBM’s 2024 Cost of a Data Breach Report

According to IBM’s 2024 report, the global average cost of a data breach has risen to $4.88 million, a 10% increase from the previous year. This significant rise highlights the financial impact of breaches and underscores the need for proactive security measures to minimize risk. IBM’s report also shows that breaches are increasingly costly for industries handling sensitive personal data, such as healthcare and financial services. A rising financial toll means cyber threats are not just an IT issue but a business one, requiring leaders to take a more proactive approach.

Verizon 2024 Data Breach Investigations Report (DBIR)

The Verizon DBIR 2024 analyzed 30,458 security incidents, including 10,626 confirmed data breaches across 94 countries. Key findings from the report include:

Human Element: A staggering 68% of breaches involved non-malicious human actions, such as errors or social engineering attacks, making employee awareness and training crucial in defending against threats.

Vulnerability Exploitation: 14% of breaches were initiated through the exploitation of vulnerabilities, highlighting the importance of regular patching and vulnerability management in maintaining strong defenses.

Ransomware: Ransomware attacks accounted for 23% of breaches, with the median ransom demand at 1.34% of the victim’s total revenue, showcasing the growing threat of cyber extortion.

Third-Party Involvement: Around 15% of breaches involved third-party infrastructures, underlining the importance of third-party risk management and supply chain security.

This data shows that breaches frequently result from human error or unpatched vulnerabilities, making employee training and regular patching essential. The growth of ransomware likewise points to an increasing need for robust defensive measures.

As you reflect on these statistics, what comes to mind? Do you think, “That could never happen to us—we have a firewall and a solid IT team”? Or perhaps, “We’ve invested so much in cybersecurity, surely we’re secure”? The truth is, if your organization is online, it’s vulnerable. And as a leader, you are accountable for its health. It’s time to answer the tough questions that will help you better protect your business. I encourage you to seek answers to these questions from your information security personnel.

1. How do we ensure all our information assets are identified and inventoried?

An information asset is anything that stores, processes, or transmits information, from servers and workstations to mobile devices. You can’t protect what you don’t know about, so it’s essential to inventory and control your information assets.

2. What process do we use to assess business risks and implement appropriate information protection measures?

Every protection measure must be tied to a business risk. Simply safeguarding information because it’s part of cybersecurity isn’t enough. Resilience measures should address the risks that could most impact your business.

3. How do we identify vulnerabilities in our systems and prioritize mitigation efforts?

Just like humans will inevitably get sick no matter what they do, systems will eventually be compromised, regardless of the precautions we take. Therefore, we must stop wasting time trying to control the uncontrollable. While we cannot control threats or risks, we can control our vulnerabilities.

To do this, we must first identify those weaknesses. This is not a task that can be accomplished by human effort alone; we must rely on technology. Consider the number of systems in your organization—they are all vulnerable. Just as we monitor our health and identify weaknesses early on, we must take the same approach with our computing systems, which serve as the backbone of our organization.

4. What standards do we follow to strengthen our resilience against potential threats?

Several standards exist to guide organizations in building strong cybersecurity frameworks. The National Institute of Standards and Technology (NIST) guidelines are an excellent resource and are widely used by the U.S. government to safeguard national security.

5. What visibility do we have over data entering and leaving our environment?

While firewalls protect your systems from incoming threats, what about the data leaving your environment? If someone gains access to your systems and exfiltrates your data, the consequences could be catastrophic. Monitoring data flow in both directions is crucial.

6. How do we ensure that authorized users have only the access they need to perform their respective duties?

Access control is essential. Employees should only have access to the information they need for their role—no more, no less. Think of it like military clearance—top-secret access doesn’t mean unrestricted access.

7. What process do we have in place for change and baseline configuration management?

Changes are inevitable. However, every change should follow a formal process: review, impact analysis, and approval. Baseline configuration management ensures that all systems are set up for business resilience from the start and that deviations from the approved baseline can be detected.

Conclusion

These seven questions may seem simple, but they pave the way for deeper discussions about resilience, not just protection. The goal of cybersecurity shouldn’t be to completely avoid breaches—it should be to build resilience, enabling your organization to withstand attacks and turn potential disasters into manageable incidents. Remember, cybersecurity is an illusion; business resilience must be our true focus.

About the Author

David A. Cruz is a seasoned Governance, Risk, and Compliance (GRC) professional with over 15 years of experience in cybersecurity. He has worked with some of the world’s leading financial institutions, helping them enhance their security and compliance frameworks. In addition to his extensive experience in the financial sector, David provides expert consulting services to organizations across various industries, guiding them on risk management, cybersecurity strategy, and compliance. David holds a master’s degree in Information Assurance and is a certified Cybersecurity Model Professional. He is currently pursuing a doctorate in Information Assurance and co-authoring a book. His research focuses on data compliance and enhancing organizational information resilience.

Note

AI was utilized to refine and optimize the delivery of the message, ensuring greater clarity, precision, and impact.
