Cybersecurity leaders must stop seeing resilience as a "tick box exercise" to achieve meaningful protection, says Gartner expert
Collaboration between departments and a better understanding of organizational metrics are key to addressing security blindspots


Businesses still fall short when it comes to embedding resilience in their operations, according to a Gartner expert, due to low collaboration across teams and a lack of business focus.
Arthur Sivanathan, senior director analyst at Gartner, led a talk on organizational resilience at the Gartner Security & Risk Management Summit, held in London at the end of September.
In his talk, Sivanathan advocated for a far greater focus on business processes, via business impact assessments (BIAs), as part of a more holistic approach to securing critical business functions.
"Gone are the days when we did business impact assessments purely for business continuity and disaster recovery, it doesn't work anymore," he said.
In today's digitally connected world, he said, BIAs must be carried out at the business function layer, so that CISOs and CIOs can demonstrate to the business teams which areas need the most urgent attention and investment.
"The business impact assessment is the heart of cyber resilience," Sivanathan said in conversation with ITPro after the talk.
Sivanathan showed an example of a BIA diagram assessing the procurement management processes of a finance unit.
This BIA could be used to scrutinize the effect of disruption to processes such as inventory management, purchasing, distribution, and supplier payments and how each is tied to dependencies like IT infrastructure, workforce decisions, and third-party vendors.
Without this level of cross-department detail and agency, cybersecurity professionals won't be able to adequately embed resilience throughout the organization, he added.
"Traditionally, people focus more on detection, response and recovery but I think there's a bigger play here because if you look at third-party risk, that's in governance," Sivanathan told ITPro.
"Identification is crucial. Have you got full visibility over not just your hardware assets, your software assets, your critical third parties, your data?"
Cross-team collaboration is key to this, he said, with security teams and neighbouring capabilities such as crisis management, business continuity, disaster recovery, IT, and the business needing to work together on establishing BIAs.
'Resilience' can be hard to define
Measuring cyber resilience is a recurring issue for cybersecurity leaders, Sivanathan explained, because it can't be measured across just one metric.
"I think there are a lot of vendors out there who try and come up with that metric, and it doesn't really work, because they're looking at one pillar in isolation... so that's something we're looking to establish."
In his talk, Sivanathan cited a number of definitions for cyber resilience, including NIST SP 800-172, the Global Cyber Security Capacity Centre at the University of Oxford, and the International Organization for Standardization.
Sivanathan said that the multitude of definitions can be confusing for leaders, but urged attendees to look beyond them to the scope of their role.
"The key statement is the ability to limit the impacts and adapt quickly to resume business operations in the rise of cyber regulations."
He acknowledged the rising pressure on leaders to adhere to the Digital Operational Resilience Act (DORA) and Network and Information Systems 2 (NIS2) Directive.
The majority of audience members at the talk raised their hands when asked whether they are currently dealing with this legislation in their day-to-day work.
In the past 18 months, he said, there's been a big shift away from enquiries about the implications of DORA, with around 80% of the 15-20 enquiries he takes per week now focused on NIS2.
Many organizations are struggling to comply with NIS2. But in the pursuit to meet legislative requirements, Sivanathan warned against coming to see resilience as a mere "tick box exercise".
He pointed to NIST CSF 2.0 as a fundamental framework for resilience, citing Ireland and Belgium as countries leaning on this framework to put accountability at the very top level of decision-making.
In contrast, Sivanathan showed data from Gartner's August 2025 Cybersecurity Controls Assessment, which found large gaps between the average importance CISOs place on functions such as response and recovery and the average maturity of their organizations in these areas.
The importance of practical exercises
To improve maturity and business buy-in, Sivanathan advocated for more foundational steps such as running tabletop exercises to test cyber resilience strategies against real-life incidents.
Sivanathan said 46% of organizations test less than 20% of their business continuity plans using tabletop exercises each year, while more mature organizations are running these tests at every level including at the top with executives.
This is essential in cases such as deciding whether your organization will agree to ransomware payments in the event of a severe ransomware attack, Sivanathan added:
"The number of organizations I speak to that say, when I first ask about this, 'oh no, we'd never pay ransoms, it's company corporate policy, we would never pay the ransom.'
"However, when I started to dig or to ask pointed questions, there was suddenly an aha moment of 'no, I think we need to go and check' because if all of your data's gone, your infrastructure's gone, what are you going to do? You can't sustain it as an organization; maybe there is a thing where you have to pay a ransom."
Sivanathan added that tabletop exercises should be run at multiple levels, including wider stakeholders, business teams, and technical teams, for maximum effectiveness.
But he cautioned that every organization will need to take a slightly different approach, particularly when it comes to using tabletop exercises to clue in executives, as they aren't the individuals who directly manage a crisis.
"You definitely need legal and compliance in some of those activities, especially around messaging, because the first message that goes out after an incident can mitigate the reputational damage. If that's not worded correctly, it can have serious implications."
Looking ahead to 2026, Sivanathan said organizations would continue to struggle with NIS2 as it embeds in various regions, with UK businesses also closely tracking the passage of the Cyber Security and Resilience Bill in parliament.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.