Business and government leaders are being urged to fundamentally rethink how they measure cyber resilience, as the traditional focus on post-incident recovery, including how quickly systems are restored and damage contained, is no longer considered sufficient on its own. The rise of AI-enabled attacks, growing digital dependencies, and increasing third-party risk exposure are pushing organizations to adopt a broader approach that measures resilience before disruptions occur, not just after.
“Cyber resilience should now be measured further upstream: first as a capacity for risk mitigation and preparedness – the ability to reduce the probability, scale and business impact of disruption before damage occurs – and only then as a capacity for recovery when prevention falls short,” Humberto Luiz Ribeiro da Silva, head at the Center for Cyber Incident Prevention, Ciberlab for University of Brasilia, wrote in a World Economic Forum (WEF) story. “As cyber resilience gains greater prominence in board-level and C-level discussions worldwide, leaders increasingly recognize cyber risk as a core business, operational and governance issue.”
However, da Silva observed that cyber resilience has traditionally been measured mainly at the point of recovery: how quickly systems can be restored, how effectively crisis teams can respond, and how well organizations can contain damage after an incident.
A 2025 Verizon analysis of more than 22,000 real-world security incidents found third-party involvement in 30% of breaches, roughly double the previous year’s figure, underscoring how far cyber risk now extends beyond an organization’s own systems. Experts argue that measurement must now shift across four dimensions: from static audits to continuous monitoring, from self-reported assessments to observable evidence, from compliance checklists to findings that drive concrete action, and from siloed internal reviews to ecosystem-wide visibility.
da Silva noted that cyber incidents have become a costly reality for organizations, underscoring the urgency of shifting toward preparedness and risk mitigation as attacks occur daily across organizations of all sizes worldwide. He emphasized that recovery is typically far more expensive than preparation, making a strong economic case for changing this mindset.
He added that, according to the report he cites, organizations using AI and automation extensively shortened breach lifecycles by 80 days and reduced average breach costs by US$1.9 million. Public cases make the asymmetry even clearer: Maersk estimated that the NotPetya attack cost the company $200-300 million in business interruption and recovery.
Noting that the takeaway for leaders is clear, da Silva observed that resilience is not just about surviving disruption, but about reducing the likelihood and cost of recovery altogether. That requires a fundamental rethink in how cyber resilience is measured, driven by four connected shifts. Measurement must move from static snapshots to dynamic, real-time visibility, from declarative claims to observable performance, from compliance-driven reporting to actionable insight, and from isolated controls to a systemic, organization-wide view of resilience.
On the shift from static to dynamic, he said that occasional questionnaires and point-in-time reviews are no longer sufficient in digital environments that evolve daily through new architectures, third-party dependencies, software updates, AI deployments, and expanding identity exposure. Resilience measurement must become a continuous monitoring discipline rather than a periodic audit. At its core, the principle is straightforward: measurement must operate in real time and keep pace with the environment it is meant to protect.
On the shift from declarative to observable, da Silva argues that as cyber risk grows more complex and fast-moving, resilience can no longer be assessed through interviews, self-assessments, or policy documents alone; it must be grounded in observable evidence that systems, controls, processes, and teams are actually performing under real conditions.
Leaders and security teams are increasingly turning to external intelligence to strengthen preparedness before incidents unfold. This includes assessing internet-facing vulnerabilities, unintended exposures, and early indicators of emerging threats to gain warning. The timing advantage is critical, as outside-in visibility can surface risks before internal tools detect compromise, giving defenders a window to act before threats reach the perimeter.
Observability, in this context, is not about confirming damage after the fact. It is about using external signals, from vulnerability scanning to leak site and dark web monitoring, to identify where the organization may already be exposed or targeted, and to act before compromise escalates into disruption.
On the shift from compliance to actionable, da Silva makes a blunt point that compliance still matters, especially in regulated sectors, but scores alone do not protect the organization. What matters is whether measurement drives decisions, such as which vulnerabilities to prioritize, which suppliers to escalate, and which assets should be removed from exposure.
Established incident response frameworks reinforce this logic, where governance, identification, and protection are tightly linked to response and recovery. Together, they help prevent incidents, limit impact, and improve response over time. Measurement only delivers real value when it translates into clear prioritization, targeted investment, and timely remediation.
da Silva also points to a shift from individual to systemic thinking, noting that many organizations still assess cyber resilience as if risk ends at their own perimeter. In reality, resilience now depends on coordination, information sharing, and visibility across an interconnected ecosystem.
He urges organizations to rely on mature frameworks and standards to support consistent measurement across all four shifts. For example, NIST CSF 2.0 provides a practical structure for governing, identifying, protecting, detecting, responding to, and recovering from cyber risk. MITRE ATT&CK adds a knowledge base that helps organizations map their defenses against real-world adversary behavior. Together, these and other frameworks offer a common language across boards, security teams, suppliers, and regulators.
“Leading organizations are already shifting,” da Silva said. “Cyber resilience is no longer measured only by what happens after an incident, but by whether organizations are strengthening preparedness, reducing exposure, translating findings into action and addressing the systemic nature of digital risk.”