Resilience Check-Up: How to Assess Areas of Opportunity

By David Howard, President, NetWorks Group

Throughout my 30-year career, I've met with countless cybersecurity leaders as the industry has grown and changed. One thing has become abundantly clear: Security alone is no longer enough.

Today’s threat landscape is too fast-moving, complex and adaptive. Even the most secure organizations suffer breaches. That’s why when I start talking with a customer about their goals, our conversations are no longer just about prevention; they’re about resilience.

Cyber resilience is the capacity to prepare for, detect, recover from and adapt to adverse cyber events. For business leaders, the challenge isn’t just understanding what resilience looks like — it’s knowing how to measure, improve and embed it into the DNA of your organization.

In this latest blog post in our series on cyber resilience, I’ll share the kinds of questions we ask as we start working with a customer and the things we urge them to look for as they assess their cyber resilience. We’ll also include some guidance we often share around how you can identify areas of opportunity to improve. 

Assessing Your Key Capabilities 

In our first post in this series, we framed cyber resilience around five key capabilities. Consider the following questions alongside each capability as a starting point for assessing your resilience.

  • Anticipation: Are you continuously assessing risks and gathering intelligence to understand what’s coming?

  • Prevention: Are your controls, policies and resources — even if scarce — aligned to your actual threat landscape?

  • Detection: Do you have real-time visibility into threats and anomalies across your environment?

  • Containment: How confident are you that when something goes wrong — and it will — you’ll be able to isolate the threat quickly and contain the blast radius? If you’ve had a security breach already, how significant was its impact?

  • Recovery: How fast and effectively could you restore normal operations after an incident, and more importantly, how do you plan to capture lessons learned from the experience?

Each of these areas reflects a decision point — and often, an opportunity for improvement. The answers to these questions are rarely straightforward, and it can be hard to know where to start. But keep in mind that even not knowing the answer to one of these questions can be instructive, because it shines a light on an area where you need to focus some time and thought within your organization. Getting a clear picture of where you are right now is the first step in building a plan of action to reach your goals.

Executive Alignment and Communication

As we’ve discussed in previous posts in this series, cyber resilience requires a cultural shift within your organization, and it starts at the top. Ask yourself these questions about leadership and executive alignment when you’re assessing your organization's resilience:

  • Does the leadership/executive team at your organization understand the importance of security strategy and resilience (are they bought in)?

  • Is your security team able to effectively communicate needs and priorities to executives?

  • Do you have the financial support necessary to drive your security strategy and improve your cyber resilience?

  • Do your executives understand their role in the security and resilience of your organization?

Effective communication with your executive leadership team requires concise and contextual information about your environment. Meaningful, relevant, digestible, contextual information is necessary to paint a clear picture of where you stand. You also need validation from outside parties and recommendations to help reinforce your ideas and initiatives.

Company Culture

One of the top qualities of resilient organizations is that their employees are engaged in and contribute to security, beyond just the security team. Questions to consider:

  • Does your organization have a culture that allows for mistakes, or is there an adversarial relationship between management and employees?

  • Do you see collaboration and input from all levels of the organization in security strategy?

  • When mistakes happen, are people in your organization comfortable speaking up, or are they afraid of being shamed or punished?

  • Do all departments understand that they are involved in the security and resilience of the company? Do they understand their role in prevention and response?

Security and resilience don’t end with your security team and decision-makers. One of the most effective methods we’ve seen of achieving company-wide security awareness and understanding is facilitating tabletop exercises. When we run through a breach scenario with not just the IT and security team, but with the executive team, marketing, human resources, accounting, etc., we witness the collective realization of how security connects all these departments and how everyone has a role to play in driving the security interests and strategy of the organization. 

Finding Your Areas of Opportunity

No organization is perfectly resilient. But as we discussed in our post on the top qualities of resilient organizations, the strongest ones share a few key traits:

  • They see cybersecurity as a business function, not just an IT issue.

  • They test and validate constantly, not just once a year.

  • They empower leaders at every level with the right context to make informed decisions.

  • And most importantly, they treat resilience as a continuous journey, not a one-time destination.

Resilience is a continuous process that involves prevention, detection, containment and recovery. Penetration testing, the foundation of cyber resilience, serves as your catalyst in this journey, allowing you to assess your current security posture and use actionable insights to strengthen security controls and enhance your ability to withstand attacks.

If there’s a gap between where you are and where you want to be, that’s not a sign of failure — it’s an opportunity to lead.

Resilience Is a Team Sport

Your ability to lead through uncertainty is tested more today than ever before. Cyber threats are now business risks. And your level of resilience can mean the difference between a minor disruption and a crisis.

Many organizations struggle because they’ve been sold tools instead of outcomes. They have frameworks without context, reports without resolution and strategy sessions that end in yet another to-do list. That’s where we’ve chosen to take a different path.

At NWG, we believe the path forward involves building the right partnerships, asking better questions, collaborating with your leadership and taking deliberate, informed steps toward resilience.

If you’re ready to have that conversation, we’re here, not just to advise, but to act.

Published By: David Howard, President, NetWorks Group

Publish Date: July 10th, 2025
