Cyber risk quantification helps CISOs secure executive support


In this Help Net Security interview, Vivien Bilquez, Global Head of Cyber Resilience at Zurich Resilience Solutions, discusses how organizations are rethinking cyber resilience. He talks about the priorities CISOs should focus on and the risks that are often overlooked. Bilquez also explains how to align cybersecurity efforts with business goals to gain executive support.

What trends or emerging threats are pushing organizations to rethink their resilience strategies?

AI is making it easier for attackers to automate ransomware and social engineering attacks. While AI is not yet highly advanced (it mainly reuses existing data and lacks true creativity), it still poses a growing risk. The good news is that defenders can also use AI to strengthen security and counter these threats.

I would say we are even. However, hackers often manage to stay a step or two ahead, so it’s essential to remain vigilant and well-prepared.

Unlike the financial industry, which has long been subject to strict regulations, many critical infrastructure sectors are only now starting to catch up, especially with new directives like NIS2 in Europe.

A key challenge is that operational technology in these sectors often includes outdated equipment that can’t be easily updated or secured, making it vulnerable to attacks. The potential impact is severe: not just data loss, but harm to people. While IT security is well established in most companies, organizations now need to make OT security a strategic priority.

What are the hidden or less obvious dependencies that often become resilience blind spots?

One major blind spot is the reliance on third parties. Even small businesses typically outsource some operations, and this often involves sharing sensitive customer data.

To address this, it’s vital to have a third-party management strategy, starting with governance. Classify suppliers based on how critical they are to your business, and ensure contracts include cybersecurity and data protection requirements, as well as “the right to audit”. Introducing penalties for non-compliance can also help enforce these standards.

When the relationship is managed at the governance level, it becomes easier to demonstrate a partner’s compliance through technical assessments such as penetration testing. When we perform audits and assessments, we always add the third-party risk assessment, as these are often major blind spots.

If a CISO were to benchmark their current resilience strategy, what three metrics or indicators should they focus on first?

A CISO should start with these three key metrics:

Number of security incidents: Track how often security issues occur, what their impact is, and how they are managed or mitigated. This helps establish whether the company is targeted, by whom, and how.

Vulnerability remediation: Measure the time it takes to fix critical vulnerabilities and the percentage of systems fully patched within the Information Security Management System (ISMS). This lets the CISO track the organization’s cyber exposure.

Third-party compliance: Assess how well third-party partners are meeting security and compliance requirements. Visibility across the entire supply chain matters. Issues often arise not from within the organization itself, but through gaps or weaknesses in the chain of trust with suppliers and partners.
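The two vulnerability remediation indicators described above (time to fix critical findings, and share of systems with no open critical) computed over a constructed set of scan findings. This is an added illustration, not code from the interview or from Zurich Resilience Solutions; the record layout, host names, dates and the 14-day SLA are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    host: str
    severity: str            # "critical", "high", ...
    opened: date             # date the scanner first reported it
    closed: Optional[date]   # None while still open

# Constructed sample findings (not real scan output), one per row.
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2024, 3, 1), date(2024, 3, 8)),   # fixed in 7 days
    Finding("db-01", "critical", date(2024, 3, 2), date(2024, 3, 23)),   # fixed in 21 days
    Finding("app-01", "critical", date(2024, 3, 20), None),              # still open
    Finding("mail-01", "high", date(2024, 3, 5), None),                  # open, not critical
]
AS_OF = date(2024, 4, 10)   # reporting date (assumed)
CRITICAL_SLA_DAYS = 14      # assumed remediation SLA for critical findings

def remediation_metrics(findings: List[Finding], as_of: date, sla_days: int) -> dict:
    """Mean days-to-fix for closed criticals, percentage of hosts with no open
    critical finding, and the open criticals that have exceeded the SLA."""
    criticals = [f for f in findings if f.severity == "critical"]
    closed = [f for f in criticals if f.closed is not None]
    mttr = mean((f.closed - f.opened).days for f in closed) if closed else 0.0

    all_hosts = {f.host for f in findings}
    hosts_with_open_critical = {f.host for f in criticals if f.closed is None}
    patched = len(all_hosts) - len(hosts_with_open_critical)
    pct_patched = 100.0 * patched / len(all_hosts) if all_hosts else 100.0

    overdue = [f.host for f in criticals
               if f.closed is None and (as_of - f.opened).days > sla_days]
    return {"mean_days_to_fix": mttr, "pct_hosts_patched": pct_patched,
            "overdue_critical_hosts": overdue}

def summary() -> dict:
    return remediation_metrics(SAMPLE_FINDINGS, AS_OF, CRITICAL_SLA_DAYS)

if __name__ == "__main__":
    print(summary())
```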

Are there any common mistakes you see when organizations run resilience tests or simulations?

We often see this mistake with customers: investing in security tools just for compliance, but not configuring or using them properly. This can give a false sense of security.

Testing means making sure tools are not only in place but also set up and maintained to protect your business. Our best advice is to focus on investing in experienced professionals rather than relying solely on tools. While technology, including AI, continues to evolve, it cannot yet replace the expertise and judgment of seasoned cybersecurity engineers. Skilled people remain the foundation of a strong and resilient cybersecurity strategy.

How can CISOs effectively communicate cyber resilience priorities to the board and other executives?

I often talk to boards, and what I highlight the most is the importance of Cyber Risk Quantification (CRQ). By translating cyber risks into financial terms, CISOs can help the board understand the impact. Instead of using broad categories like low, medium, or high, it’s more persuasive to show the potential financial exposures.

When risks are presented in financial terms, CISOs can demonstrate how specific projects or investments make a difference. For instance, showing that a $100,000 investment in cybersecurity could lower ransomware risk exposure from $5 million to $1 million creates a compelling return on investment. This approach makes budget approval much more likely. With Cyber Risk Quantification, we can also benchmark a company against its peers in the market, which is another argument to present to the board and other executives.

It’s important to position cybersecurity as a business enabler. By connecting cyber investments to resilience, growth, and profitability, CISOs can build a strong case for executive support.
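The ransomware figures from the answer above ($100,000 investment, exposure falling from $5 million to $1 million) worked through as a small cyber risk quantification model: exposure derived from annual likelihood and expected loss, return on the investment, and a peer benchmark on exposure as a share of revenue. Added example, not the interviewee's or Zurich's own method; the probabilities, loss sizes, revenue and peer median are constructed assumptions chosen so the exposures match the figures in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float   # likelihood of at least one such event per year
    expected_loss: float        # expected financial impact per event, USD

    def annual_exposure(self) -> float:
        """Annualized loss expectancy: likelihood times impact."""
        return self.annual_probability * self.expected_loss

# Constructed scenarios: controls cut both likelihood and loss size.
RANSOMWARE_BEFORE = Scenario("ransomware, current controls", 0.25, 20_000_000)  # $5M exposure
RANSOMWARE_AFTER = Scenario("ransomware, after investment", 0.20, 5_000_000)    # $1M exposure
INVESTMENT = 100_000          # cost of the proposed control programme (from the text)
ANNUAL_REVENUE = 200_000_000  # assumed company revenue, USD
PEER_MEDIAN_EXPOSURE_PCT = 1.5  # assumed peer benchmark: exposure as % of revenue

def exposure_reduction(before: Scenario, after: Scenario) -> float:
    return before.annual_exposure() - after.annual_exposure()

def rosi(before: Scenario, after: Scenario, investment: float) -> float:
    """Return on security investment: (exposure avoided - cost) / cost."""
    return (exposure_reduction(before, after) - investment) / investment

def exposure_pct_of_revenue(scenario: Scenario, revenue: float) -> float:
    return 100.0 * scenario.annual_exposure() / revenue

def board_summary(before: Scenario, after: Scenario, investment: float,
                  revenue: float, peer_median_pct: float) -> str:
    """One-line statement in the financial terms a board expects."""
    pct_after = exposure_pct_of_revenue(after, revenue)
    position = "below" if pct_after < peer_median_pct else "at or above"
    return (f"${investment:,.0f} reduces annual exposure from "
            f"${before.annual_exposure():,.0f} to ${after.annual_exposure():,.0f} "
            f"(ROSI {rosi(before, after, investment):.0%}); exposure would be "
            f"{pct_after:.2f}% of revenue, {position} the peer median of {peer_median_pct}%")

if __name__ == "__main__":
    print(board_summary(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, INVESTMENT,
                        ANNUAL_REVENUE, PEER_MEDIAN_EXPOSURE_PCT))
```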
