16-06-2025
Why Measuring Maturity Is Critical To Cyber Resiliency
James Blake is the Vice President of Cyber Resiliency at Cohesity and has over 30 years of experience as a CISO and in incident response.
I often say that cyber resilience isn't something you can buy—it's an emergent property, the result of an organization taking the appropriate preparatory and operational steps to withstand a cyberattack.
I once worked for a CEO whose boilerplate answer to any problem was to back a proverbial truck full of money into it—dumping dollar bills until the issue disappeared. He was used to traditional business continuity and disaster recovery scenarios, and he grew increasingly frustrated when "those cyber guys" couldn't give him a clear answer about how long systems would be down.
This CEO was used to disruptions with obvious root causes: natural disaster, equipment failure, power loss or misconfiguration. Recovery in those cases was largely predictable—restoring operations en masse in the same or an alternate environment. You just needed to understand interdependencies and calculate speed—of network, storage and backup. Recovery time objectives (RTOs) and recovery point objectives (RPOs) could be measured and tested.
But cyber incidents—especially large-scale destructive ones like ransomware or wiper attacks—are different. Attackers choose from hundreds of techniques across MITRE ATT&CK's 14 tactics. They disable endpoint controls using vulnerable device drivers, hide in plain sight with legitimate IT tools, and rapidly weaponize and exploit vulnerabilities through Ransomware-as-a-Service platforms—faster than most organizations can patch.
Did the attacker pivot through one machine or 50? If each machine could be a beachhead for reattack, investigation and remediation timelines vary wildly. Recovery could involve patching, configuration rollbacks, new controls, rotating credentials—all of which take time. How much time? Unfortunately, the adversary is often the one in control of that timeline.
This lack of definitive timelines makes business leaders uneasy, but it's the reality we live in. Ironically, I've found that organizations with the most rigid RTOs are often the least prepared. They recover too quickly, skip remediation and are just as quickly reinfected or reattacked.
Once we clarified the difference between business continuity, disaster recovery and secure cyber recovery, the CEO began to see that the headcount and spending were only part of the solution. What worked better? Planning. Cross-functional collaboration. A phased, pragmatic improvement plan. In short, maturity.
Achieving cyber resilience isn't just about deploying the latest-and-greatest technology. It's about operationalizing that technology—building the appropriate workflows, processes and muscle memory so everyone knows their role when the inevitable attack happens. If we want to shorten those unpredictable recovery timelines, resiliency is our best tool.
Think of cyber resilience as a chain—made up of technology, people and process. Each link matters. As the saying goes, a chain is only as strong as its weakest link.
Any weak point—alert monitoring, threat hunting, vulnerability management, backup protection, digital forensics, incident response, logging, authentication, tabletop exercises, control tuning and threat intelligence—can degrade overall resilience. Yet organizations often launch massive projects to fix just one aspect, while ignoring another that is a dumpster fire. Modest improvements to the weakest link usually yield more value than myopic focus on perfecting a single, siloed initiative.
Recent headlines show that organizations with massive cybersecurity budgets still suffer significant impacts from ransomware damage. That should be a wake-up call: It's not just about increasing spending and hiring more people. It's about applying those resources where they will measurably increase cyber resilience.
The only way to do that? Step back, measure the relative maturity of each capability in your cyber resilience chain, and keep measuring as you evolve. That is how you avoid discovering—too late—that the chain was always going to break at the weakest link.
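As an added illustration (not from the article or its author) of the weakest-link argument above: a small Python model that scores each capability in the resilience chain on an assumed 0-5 maturity scale, treats chain strength as the minimum score, and compares a "lift the weakest link first" improvement plan against pouring the same budget into a single initiative. The capability names are the article's; the scale, scores and step costs are constructed assumptions.

```python
"""Weakest-link maturity model for the cyber resilience chain (constructed example)."""
from dataclasses import dataclass

# Assumed maturity scale: 0 = nothing in place, 5 = optimized
LEVELS = ["none", "ad hoc", "repeatable", "defined", "measured", "optimized"]
MAX_LEVEL = len(LEVELS) - 1


@dataclass
class Capability:
    name: str
    maturity: int       # index into LEVELS
    step_cost: int = 1  # assumed budget units to raise maturity by one level


def chain_strength(caps):
    """Resilience is emergent: the chain is only as strong as its least mature link."""
    return min(c.maturity for c in caps)


def weakest_links(caps):
    low = chain_strength(caps)
    return [c.name for c in caps if c.maturity == low]


def plan_weakest_first(caps, budget):
    """Greedy plan: each budget unit goes to the least mature affordable capability.
    Returns (ordered improvements, resulting chain strength); input is not mutated."""
    caps = [Capability(c.name, c.maturity, c.step_cost) for c in caps]
    plan = []
    while True:
        # stable sort keeps assessment order among ties
        ready = [c for c in sorted(caps, key=lambda c: c.maturity)
                 if c.maturity < MAX_LEVEL and c.step_cost <= budget]
        if not ready:
            return plan, chain_strength(caps)
        target = ready[0]
        budget -= target.step_cost
        target.maturity += 1
        plan.append((target.name, target.maturity))


def plan_single_initiative(caps, target_name, budget):
    """The siloed alternative: spend the whole budget perfecting one capability."""
    caps = [Capability(c.name, c.maturity, c.step_cost) for c in caps]
    target = next(c for c in caps if c.name == target_name)
    while target.maturity < MAX_LEVEL and target.step_cost <= budget:
        budget -= target.step_cost
        target.maturity += 1
    return chain_strength(caps)


# Constructed assessment of the capabilities named in the article
ASSESSMENT = [
    Capability("alert monitoring", 3), Capability("threat hunting", 1),
    Capability("vulnerability management", 2), Capability("backup protection", 4),
    Capability("digital forensics", 1, step_cost=2), Capability("incident response", 2),
    Capability("logging", 3), Capability("authentication", 2),
    Capability("tabletop exercises", 0), Capability("control tuning", 2),
    Capability("threat intelligence", 1),
]
```

With six budget units, the weakest-first plan raises the whole chain from 0 to 2, while spending the same six units on the already strong backup capability leaves the chain at 0.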