Conclusion

During our research for this book, we shared our interim findings about the economic implications of cyber-attacks and the importance of getting to digital resilience with a reporter for a national business publication.

We discussed that the risk to the global economy and the imperative for action are clear. He said he understood that companies were not protecting themselves effectively, but he had one probing question. If it was so clear that companies needed to move beyond cybersecurity as a control function and focus protection on the most important assets, so obvious that they needed the help of their staff, so beneficial to embed security into IT more broadly, then why haven’t they just gone ahead and done it?

Stephen Biddle wrestled with a similar quandary in his book Military Power: Explaining Victory and Defeat in Modern Battle. Biddle convincingly demonstrated that the way armies used their forces overwhelmingly outweighed the size of those forces or their technological sophistication in determining who had won battles over the past century. In particular, he laid out a “modern system” of force deployment—a tightly interrelated complex of cover, concealment, dispersion, suppression, small-unit independent maneuver, combined arms, depth, reserves, and differential concentration—that had succeeded in every major clash of arms since World War I.[1]

However, despite the dramatic success of this system, relatively few armed forces have adopted it. Why? Biddle explained that building the skills required to employ the modern system is difficult and is also organizationally threatening for many in the military. For example, generals serving autocrats may not be comfortable empowering noncommissioned officers to make independent decisions.

The situation in cybersecurity is similar. More resources do not necessarily yield better protection. No single technology, no matter how hyped, can provide protection alone. Instead, as we have set out in this book, there is a set of tightly interrelated, mutually reinforcing levers that can be applied to achieve digital resilience.

Understanding business risks and information assets gives companies the ability to put differentiated protections in place. Integrating cybersecurity considerations into business processes and enlisting frontline users to make security more robust complement each other in making business models more resilient. Building cybersecurity into the application and infrastructure environments creates transparency that is critical for putting in place active defense. Using continuous testing to improve incident response processes across business functions backstops the other levers. Taken together, the seven levers are a way of making companies more resilient in the face of attack—as opposed to the traditional practice of locking down technology environments ever more tightly, putting control processes in place, and making it harder to use enterprise technology in innovative and value-creating ways.

Why have companies not done more in terms of putting these levers in place and making progress toward digital resilience? Because, like changing the culture of the military, it is difficult and organizationally challenging. Getting to resiliency requires three things:

  1. Collaborative engagement between the cybersecurity team and its business partners to prioritize risks, make intelligent trade-offs, and, where appropriate, change business processes and behaviors, rather than implement technology solutions to manage risks.
  2. A focus on resiliency in the broader IT organization, to facilitate the convergence of security, efficiency, and agility—and to make sure that IT managers design technology platforms from the outset to be resilient and secure.
  3. A dramatic uplift of the skills and capabilities of the cybersecurity team so its managers can understand business risks, collaborate effectively with business partners, navigate a rapidly changing technology environment, influence application and infrastructure environments, and implement active defense tactics.

Unfortunately, many companies fail to design their cybersecurity programs with the right level of ambition. They assume that they can proceed step by step, first putting in place basic cybersecurity capabilities and worrying about more sophisticated activities later on—unfortunately, their attackers do not have as much patience. Senior leaders at many companies do not give the time and attention required to foster the collaboration between cybersecurity teams and business managers; they continue to accept outdated and opaque application and infrastructure environments that are simultaneously inflexible, inefficient, and intrinsically insecure.

The value promised by the digital economy is apparent: it should deliver radically more efficient business processes, profoundly more intimate customer relationships, and exponentially better fact-based decision making.

Senior business leaders and policymakers can continue to let cybersecurity be a bureaucratic control function and see the value inherent in the digital economy diminished by $3 trillion in 2020. Or they can recognize that cybersecurity is one of this century’s critical social and economic issues, and demand that their organizations drive the transition to digital resilience. Specifically, senior business leaders can make sure that business, IT, and cybersecurity managers collaborate to adopt the resiliency levers in their organizations. Technology vendors can make sure they build their products and services for security. And regulators can design policies that enable forward-looking cybersecurity strategies rather than lock in the outdated methods of the past.

The choice is clear: We must move beyond cybersecurity to digital resilience.

Note
