Cyber Resilience
Cyber resilience is not the same conversation as cyber security. Security is whether the controls held. Resilience is whether the enterprise — its revenue, its customers, its reputation, its regulators — kept functioning when something got past the controls. I run cyber as a resilience discipline because that is the question the board is actually asking.
Assume something will get through. The question that matters is not whether you were breached. It is whether your customers, your auditors, and your regulators could tell — and how quickly you could prove you were back in control.
The frame
From security posture to resilience posture
Most enterprises still measure cyber by inputs: tools deployed, training completed, vulnerabilities patched. Those metrics matter, but they do not answer the board's actual question, which is whether the business can absorb a serious incident without losing the trust of customers, regulators, and counterparties. Resilience is the right unit of measure, and zero-trust is the architectural posture that supports it.
I run cyber programs around four operating questions: who is on my network and what are they allowed to do; what are my critical processes and how fast can I recover them; who in my supply chain can hurt me and how would I know; and when something happens, how do we tell the truth, on time, in the language each stakeholder requires. Every control, tool, and tabletop traces back to one of those four.
Zero-trust components
What a credible zero-trust posture looks like
Zero-trust is a useful label only if it produces evidence. These are the components I expect to be in place and demonstrable on demand.
- Identity as the perimeter: Strong authentication, conditional access, and device posture checks for every human and service identity — internal, contractor, and vendor. The network is no longer the boundary; identity is.
- Least privilege & just-in-time access: Standing privilege removed wherever it can be, just-in-time elevation for the rest, and quarterly access reviews owned by the business — not by IT alone. Privilege creep is the single most common precondition for a serious incident that I see.
- Microsegmentation & blast-radius control: Network and application segmentation that contains a compromise to a defined zone, with explicit east-west controls. The point is not to prevent every intrusion; it is to make the intrusion small enough to manage.
- Continuous verification & telemetry: Endpoint, identity, network, and cloud telemetry feeding a single detection layer, with named analysts watching it 24x7 and a mean time to detect of under an hour for the scenarios that matter most.
- Encryption & key stewardship: Encryption in transit and at rest is table stakes; the differentiator is key management — rotation, separation of duties, and a documented recovery procedure that has actually been rehearsed.
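The list above is easier to audit when the controls are expressed as a single policy decision that names which control failed. The following is an added, constructed example (not code from this practice or any product it uses) of a minimal policy decision point that checks the first four components together: MFA on the identity, device posture, an explicit east-west allow-list between zones, and a time-boxed just-in-time grant in place of standing privilege. Zone names, the `Grant`/`Request` fields, and the ticket reference `CHG-0001` are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Explicit east-west allow-list (constructed). Anything not listed is denied,
# so a foothold in "corp" cannot reach "prod-db" without going through a
# controlled path. This is the blast-radius control as data.
ALLOWED_FLOWS = {
    ("corp", "prod-app"),
    ("prod-app", "prod-db"),
    ("bastion", "prod-db"),
}

@dataclass
class Grant:
    """A just-in-time elevation: scoped to one resource and action, time-boxed,
    and tied to a change/incident reference that the access review can trace."""
    principal: str
    resource: str
    action: str
    expires: datetime
    ticket: str

@dataclass
class Request:
    principal: str
    mfa: bool               # phishing-resistant MFA satisfied in this session
    device_compliant: bool  # posture check (disk encryption, EDR, patch level)
    src_zone: str
    dst_zone: str
    resource: str
    action: str
    at: datetime

def decide(req: Request, grants: list[Grant]) -> tuple[bool, list[str]]:
    """Return (allow, reasons). Every denial names the control that failed,
    which is the evidence an auditor or regulator will ask to see."""
    reasons = []
    if not req.mfa:
        reasons.append("identity: MFA not satisfied")
    if not req.device_compliant:
        reasons.append("device: posture check failed")
    if (req.src_zone, req.dst_zone) not in ALLOWED_FLOWS:
        reasons.append(f"segmentation: {req.src_zone}->{req.dst_zone} not an allowed flow")
    # No standing privilege: the only path to "allow" is a live, scoped grant.
    live = [g for g in grants
            if g.principal == req.principal and g.resource == req.resource
            and g.action == req.action and g.expires > req.at]
    if not live:
        reasons.append("privilege: no unexpired just-in-time grant")
    return (not reasons, reasons)

def demo_scenarios() -> dict[str, tuple[bool, list[str]]]:
    """Four constructed requests against one one-hour grant (hypothetical data)."""
    now = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    grants = [Grant("alice", "prod-db", "read", now + timedelta(hours=1), "CHG-0001")]
    base = dict(principal="alice", mfa=True, device_compliant=True,
                src_zone="bastion", dst_zone="prod-db",
                resource="prod-db", action="read", at=now)
    cases = {
        "allowed": Request(**base),
        "grant_expired": Request(**{**base, "at": now + timedelta(hours=2)}),
        "wrong_zone": Request(**{**base, "src_zone": "corp"}),
        "no_mfa_bad_device": Request(**{**base, "mfa": False, "device_compliant": False}),
    }
    return {name: decide(r, grants) for name, r in cases.items()}

if __name__ == "__main__":
    for name, (allow, reasons) in demo_scenarios().items():
        print(f"{name}: {'ALLOW' if allow else 'DENY'} {reasons}")
```

The design point is that the principal carries no privilege of its own; access exists only while a scoped grant is unexpired, so the quarterly access review becomes a review of grants and tickets rather than of accumulated role memberships.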
Digital trust & vendor landscape
Resilience across the supply chain
Most material breaches I have studied entered through someone else's environment. Digital trust is the discipline of holding the extended enterprise to a defensible standard — and being able to evidence it to a regulator or a customer who asks.
- Vendor tiering & inherent-risk scoring: Every vendor classified by inherent risk before due diligence begins, with critical and fourth-party providers reviewed continuously rather than annually.
- Contractual security & right to audit: Security obligations, breach-notification windows, and audit rights written into contracts in language the security team and the GC both signed. A handshake is not a control.
- Continuous monitoring of critical providers: External attack surface monitoring, SOC report review, and incident-trigger clauses for critical and fourth parties — not a point-in-time questionnaire.
- Customer-facing trust: A trust center, current SOC 2 / ISO 27001 attestations, and a standardized response to security questionnaires — so deals are not held up while procurement teams chase the same answers.
Resilience operations
Detection, response, recovery — rehearsed
A plan that has not been rehearsed is a hope. The resilience layer of the program is where that hope is converted into capability.
- 24x7 detection & response: Coverage that does not sleep, with documented playbooks for the top scenarios — ransomware, business email compromise, credential theft, model abuse, vendor compromise.
- Tabletop & full-stack exercises: At least one board-level tabletop and one full technical exercise per year, scoped to a destructive scenario. Lessons learned tracked to closure with the same rigor as audit findings.
- Backup integrity & immutable recovery: Air-gapped or immutable backups, tested restoration of critical services within stated RTOs, and a rehearsed playbook for recovering without paying a ransom. Ransomware reset the bar; the program has to meet it.
- Crisis communication: Pre-staged messaging for customers, regulators, employees, and the public — reviewed by legal and comms before the incident, not during it.
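Two of the playbook scenarios named above, credential theft and business email compromise, are only detectable in under an hour if identity and mailbox telemetry land in the same stream and are correlated. The following is an added, constructed example (not the practice's own detection content, and the log fields are assumptions to be mapped onto your own IdP and mail audit logs): a handful of synthetic events for two users, with one rule for MFA push fatigue followed by an approval, and one for a sign-in from a never-seen IP followed by an external forwarding rule.

```python
from datetime import datetime, timedelta

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed baseline of IPs each user has signed in from before (hypothetical).
KNOWN_IPS = {"j.doe": {"203.0.113.10"}, "a.lee": {"203.0.113.10"}}

# Constructed telemetry: IdP sign-in/MFA events and mailbox audit events merged
# into one stream. j.doe is the victim; a.lee is benign noise.
EVENTS = [
    {"ts": "2024-03-04T08:02:10Z", "src": "idp",  "user": "j.doe", "type": "mfa_push", "result": "denied",   "ip": "198.51.100.7"},
    {"ts": "2024-03-04T08:02:40Z", "src": "idp",  "user": "j.doe", "type": "mfa_push", "result": "denied",   "ip": "198.51.100.7"},
    {"ts": "2024-03-04T08:03:15Z", "src": "idp",  "user": "j.doe", "type": "mfa_push", "result": "denied",   "ip": "198.51.100.7"},
    {"ts": "2024-03-04T08:04:55Z", "src": "idp",  "user": "j.doe", "type": "mfa_push", "result": "approved", "ip": "198.51.100.7"},
    {"ts": "2024-03-04T08:05:01Z", "src": "idp",  "user": "j.doe", "type": "signin",   "result": "success",  "ip": "198.51.100.7"},
    {"ts": "2024-03-04T08:09:30Z", "src": "mail", "user": "j.doe", "type": "inbox_rule_created", "detail": "forward:external"},
    {"ts": "2024-03-04T09:00:00Z", "src": "idp",  "user": "a.lee", "type": "mfa_push", "result": "approved", "ip": "203.0.113.10"},
    {"ts": "2024-03-04T09:00:05Z", "src": "idp",  "user": "a.lee", "type": "signin",   "result": "success",  "ip": "203.0.113.10"},
    {"ts": "2024-03-04T09:10:00Z", "src": "mail", "user": "a.lee", "type": "inbox_rule_created", "detail": "move:folder"},
]

def detect_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Credential-theft signal: a burst of denied MFA pushes followed by an
    approval from the same source IP (the user gave in to push spam)."""
    alerts = []
    pushes = [e for e in events if e["src"] == "idp" and e["type"] == "mfa_push"]
    for i, e in enumerate(pushes):
        if e["result"] != "approved":
            continue
        t = parse_ts(e["ts"])
        denials = [p for p in pushes[:i]
                   if p["user"] == e["user"] and p["ip"] == e["ip"]
                   and p["result"] == "denied" and t - parse_ts(p["ts"]) <= window]
        if len(denials) >= min_denials:
            alerts.append({"scenario": "credential_theft", "user": e["user"], "ts": e["ts"],
                           "evidence": f"{len(denials)} denied pushes before approval from {e['ip']}"})
    return alerts

def detect_bec_forwarding(events, known_ips, window=timedelta(minutes=30)):
    """BEC signal: successful sign-in from an IP never seen for that user,
    followed within the window by an inbox rule that forwards mail externally."""
    alerts = []
    signins = [e for e in events if e["src"] == "idp" and e["type"] == "signin" and e["result"] == "success"]
    rules = [e for e in events if e["src"] == "mail" and e["type"] == "inbox_rule_created"]
    for s in signins:
        if s["ip"] in known_ips.get(s["user"], set()):
            continue  # known location; by itself not a signal
        t = parse_ts(s["ts"])
        for r in rules:
            dt = parse_ts(r["ts"]) - t
            if (r["user"] == s["user"] and timedelta(0) <= dt <= window
                    and r["detail"].startswith("forward:external")):
                alerts.append({"scenario": "business_email_compromise", "user": s["user"], "ts": r["ts"],
                               "evidence": f"external forward rule {int(dt.total_seconds())}s after sign-in from new IP {s['ip']}"})
    return alerts

def run(events=EVENTS, known_ips=KNOWN_IPS):
    """Correlate both rules over one merged stream; returns the alert list."""
    return detect_mfa_fatigue(events) + detect_bec_forwarding(events, known_ips)

if __name__ == "__main__":
    for a in run():
        print(a["scenario"], a["user"], a["ts"], a["evidence"])
```

Neither rule fires on the benign user: a.lee's single approved push has no preceding denials, and the sign-in comes from a known IP, so the folder-move rule is never examined. The second rule is the one that only works with a single detection layer, since the sign-in lives in the identity logs and the forwarding rule in the mail audit trail.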
Disclosure & regulator readiness
Telling the truth, on time, in the right language
The SEC cybersecurity disclosure rule, NYDFS Part 500, GDPR's 72-hour clock, and the patchwork of state and sector rules now make disclosure a security discipline in its own right. The SEC's four-business-day clock for reporting a material incident on Form 8-K should be a process, not a panic.
- Materiality framework: A pre-approved framework for assessing whether a cyber incident is material, with named decision-makers and a documented decision log. The first time you decide what 'material' means cannot be at 11 p.m. on day one.
- 8-K & regulator narrative library: Pre-staged narrative drafts for the most plausible scenarios, reviewed by disclosure counsel — so the writing is editing, not drafting, when the clock is running.
- Single inbox for regulator inquiries: A named legal, comms, and technical owner for every regime that can ask a question, and a single record of every answer given. Inconsistency between answers is where investigations escalate.
If the question your board is trying to answer is not 'are we secure' but 'are we resilient — and can we prove it under disclosure pressure', this is the practice I built for that conversation.