Understanding Cyber Resilience with the World Economic Forum
Why Is It So Hard To Be Cyber Resilient?
For years, organisations have invested in cyber security, building digital fortresses to keep threats at bay. Yet, the relentless pace of innovation, coupled with the rise of sophisticated adversaries and the emergence of Agentic AI, demands a new paradigm: Cyber Resilience. It's no longer enough to simply prevent attacks; the focus must shift to anticipating, withstanding, and rapidly recovering from them. That’s the key difference between cyber security and cyber resilience.
The Evolution: Moving Beyond Cyber Security
The journey from data security to information security, then to cyber security, and now to cyber resilience, reflects a profound shift in how we perceive and combat digital threats. We’ve known for a long time that preventing 100% of incidents is an unattainable goal, and we’ve long said that we should be judged more on our response to an incident than on whether an incident occurs in the first place. Cyber resilience acknowledges this reality, emphasizing an organisation's ability “to minimize the impact of significant cyber incidents on its primary goals and objectives,” as the World Economic Forum defines it. It’s about ensuring business continuity, having robust and exercised plans that can adapt when something goes wrong, and protecting strategic value, even when a breach occurs.
The WEF, in collaboration with The University of Oxford and Splunk, has been advancing this crucial mindset shift in its work on Cyber Resilience. We know that true cyber resilience goes beyond technical solutions; it demands comprehensive strategies across a range of teams, all aligned with overarching business objectives, and those emergency “break-the-glass” fallbacks for true black swan events.
Navigating the future with the Cyber Resilience Compass
“The Cyber Resilience Compass: Journeys Towards Resilience”, published by the World Economic Forum, is a paper built from the real-world experiences of dozens of experts, providing practical insights and best practices to help organisations build robust cyber resilience roadmaps.
The Compass outlines seven categories that are essential for fostering resilience:
- Leadership: Identifying the “crown jewels” and prioritizing their resilience, defining and owning the organization’s risk tolerance and embedding a cyber resilience culture.
- Governance, Risk, and Compliance: Defining the organization’s risk profile, establishing clear ownership and accountability structures and ensuring compliance with legislative and regulatory requirements.
- People and Culture: Growing and retaining talent, implementing training and awareness programmes to build employee ownership and engagement, and building a culture of psychological safety.
- Business Processes: Prioritizing and tiering business services, preparing for worst-case scenarios and building adaptability and resilience into business operations.
- Technical Systems: Understanding business prioritization of services, using data to prevent and predict incidents and implementing technical controls as preventive measures and to minimize the impact of incidents.
- Crisis Management: Building and training crisis response teams, designing and reviewing plans and defining decision-making protocols.
- Ecosystem Engagement: Building visibility of upstream and downstream dependencies with external parties, consistently assessing risk bidirectionally with dependent parties and responding in partnership with external actors.
These pathways underscore that cyber resilience is a continuous practice, not a static state. Organisations must operate under the assumption that significant cyber incidents will occur, and their ability to recover from them is what really counts.
Measuring And Testing Resilience
How can an organisation know if it's resilient? We need to measure, both to find what needs fixing and to judge how effective our improvements are at bolstering cyber resilience. But existing measurement systems fall short: traditional security audits can overfocus on preventative controls, and purely technical measurement misses the holistic view that measuring cyber resilience requires. How can you measure the resilience of your crisis management function? It’s not only about time to contain, but also about the well-being of your teams.
Cyber resilience is a continuous journey, not a destination. It requires a commitment to ongoing learning, adaptation, and collaboration. Best practices from the World Economic Forum, The University of Oxford and Splunk, are just the start. We’re continuing the work on measuring cyber resilience to improve the baseline for everyone.
Are you ready to strengthen your organisation's cyber resilience? Join leading experts from Splunk and the World Economic Forum for some insights and expert discussion. Register for EMEA’s Digital Resilience Week 2025 here!