Achieving cyber resilience starts with what organizations should do to focus on cyber risks today. Armed with knowledge, organizations can methodically ask the right questions to address cyber risk as an enterprise risk – to conduct a thorough assessment of cyber maturity and close the gaps that exist today.

Use this blueprint to help you ask the right questions to making informed decisions around your cybersecurity budget.

Assessment

• What is the state of our security and controls, in particular as they apply to digital evolution, third-party risk, ransomware, and regulatory risk?
• What are the most important assets we need to protect?
• What are the most likely threats?
• How do we balance business needs with cyber risks?

Quantification

• Do we know the type and materiality of our potential losses? For ransomware, do we know this beyond risk of data encryption?
• Do we understand key regulatory requirements and costs associated with non-compliance?
• How are we making security investment decisions?
• Can we measure the effectiveness of our current risk management and insurance, in terms of total cost of risk (TCOR)?

Insurance

• Do we understand our exposures?
• Do we have an effective strategy to mitigate loss?
• Should we transfer a portion of our risk to the insurance market, or consider alternative risk transfer strategies?

Incident Response Readiness

• Do we have an appropriate, usable incident response plan? If yes, is the response team trained and ready to act?
• Do we have the right security and forensic tools, processes and procedures? 
• Have we properly configured our cyber security technology?
• Can we quickly and effectively respond to an incident?