Operational resilience

January 22, 2025

In 2024 we saw real progress, with cyber security being recognised as a factor in organisational resilience, and senior executives and directors becoming increasingly aware of the need to oversee it. Yet, looking in the rear-view mirror at 2024, we still see organisations rolling the dice when it comes to cyber security. As we will discover shortly, the odds of a disruptive incident are shortening.

Shifting desensitisation to action

Forewarned & Forearmed: elements of resilient organisations

Prevention is obviously an objective, but when a cyber incident does occur, organisations need enough information to hand to respond to it effectively.

Be forewarned – Attacks can happen at any time. A monitoring capability that detects the early signs of an intrusion means you can spot an attack and either prevent it or contain it before the attacker establishes a foothold.

Be forearmed – Many of the steps in a recovery process can be anticipated and, where necessary, adapted in advance. Knowing the current state of your cyber security defences, having processes to follow when IT systems are down, keeping secure backups that an intruder cannot alter, and having expertise on hand will all improve your readiness.

The reality is that cyber security sits on a spectrum, somewhere between a calamitous story of disaster and a growing discomfort among all of us that the never-ending stream of new and emerging threats will keep increasing the stress on our security resources and business operations. Moving forward, the mentality must shift from “we’re doing what we can” to a strategic and systematic approach to cyber security risk management.

As David Omand, former Director of UK GCHQ, observes in his recent book, not all serious emergencies need to become crises, provided we prepare well in advance to make ourselves more resilient and able to manage shocks as they arise1. A quick reflection on some of the ‘disaster news headlines’ of 2024 reveals that while no-notice events can, and do, result in crises, it is also the slow-burn incidents, where tell-tale markers are ignored until it is too late, that end in major disruption.

Implementing and maintaining systematic cyber security resilience management processes – covering known and unknown threats alike – is the key first step towards improved cyber security resilience.

Healthy cynicism around the AI hype

Every element of the cyber security value chain relies on the integrity of the element that precedes it. Knowing the origin of these elements, including AI capabilities, matters because each represents an upstream risk to your activities. And it doesn’t stop there. You probably check the credentials of staff before you hire them; but what about verifying the resilience of the third-party software and service elements you depend on? You should not overlook the prospect of introducing unknown risks into your operations from even one supplier, of any type.

Hackers are increasingly identifying their targets by scanning enterprises for vulnerable internet-facing IT assets2. This could further widen the gap between the offensive techniques of hackers and the effectiveness of the defensive controls currently deployed by many organisations.

Cyber defence teams will certainly benefit from the use of AI, particularly in automated and repeatable processes. But there are also problems. Attackers benefit too: AI sharpens attack methods and produces more authentic-looking social engineering lures, which will increase both the success rate and the severity of cyber disruptions.

Breaking the cyber security risk equation

Traditionally we accept that: Risk = Vulnerability × Likelihood × Impact

The variables in this equation reflect the key parameters of risk management and of the emerging practice of threat exposure management. Threats likely to affect the functioning of key IT assets should be identified. Security controls should be deployed to limit vulnerabilities. And regular monitoring should take place to identify any emerging gaps that need mitigation. The equation formalises that, without effective management of vulnerabilities and of their likelihood of exploitation, the level of risk to the enterprise increases dramatically.

The implications are significant. Minimising exploitable vulnerabilities is vital for effective cyber security resilience. As the NCSC, the ACSC and others note, that means regular risk assessments and timely adjustments to control settings to counter security gaps as they emerge.

So we have come full circle. It is no longer a question of whether someone is attacking you; they will try to find a weakness. That is a risk that can be mitigated. But if you do have a weakness, someone will find it and attack through it, and at that point your mitigation options are extremely limited. This crystallises the need for organisations to employ dynamic threat exposure management practices, which give them visibility of their cyber security risks and let them manage those risks systematically.

Looking forward, vigilance is key

Attackers are relying on internet-based security scanners to identify security gaps, and many organisations are failing to keep up, so their ability to defend against these improved attack techniques continues to deteriorate. Attackers have access to the same external scanners as the security team. Knowing this, organisations need to be at least as vigilant as their adversaries in order to meet the challenge.

The most likely means of ingress to targeted assets will be revealed quickly by any such scan. This means that AI models claiming to predict the nature of the next attack will quickly lose relevance.
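As an added example (not code from the original post or from Huntsman), the Python script below puts two of the points above into working form: the observation that whatever an external scan turns up for the security team, the attacker's scan turns up too, and the Risk = Vulnerability × Likelihood × Impact form from the risk-equation section. It parses a constructed nmap greppable (-oG) output for three hosts in a documentation address range, flags services that should not be reachable from the internet, ranks the hosts by the equation, and reports how much one remediation would reduce a host's score. The sample scan, the list of risky services, the likelihood weights and the per-asset impact scores are all illustrative assumptions.

```python
"""Rank external exposures from nmap greppable output (added example).

All inputs are constructed: the scan text, the list of services that should
not face the internet, the likelihood weights and the per-asset impact
scores are illustrative assumptions, not data from the original post.
"""
import re

# Constructed nmap -oG sample, not a real scan. Hosts are in the RFC 5737
# documentation range. Each port entry is laid out as
# port/state/protocol/owner/service/rpcinfo/version/ (owner left empty).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/
Host: 203.0.113.11 ()\tPorts: 445/open/tcp//microsoft-ds//, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 203.0.113.12 ()\tPorts: 23/open/tcp//telnet//, 80/open/tcp//http//Apache httpd/
"""

# Assumption: services an external scanner should never find on a public address.
RISKY_SERVICES = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

# Assumption: business impact per host (1 = low, 5 = critical) from the asset inventory.
ASSET_IMPACT = {"203.0.113.10": 3, "203.0.113.11": 5, "203.0.113.12": 2}

# Assumption: an exposed risky service is near-certain to be probed, because the
# attacker's scanner sees exactly what ours does; otherwise a low baseline.
LIKELIHOOD_IF_EXPOSED = 0.9
LIKELIHOOD_BASELINE = 0.1

HOST_RE = re.compile(r"^Host:\s+(\S+)\s.*?Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/open/tcp/[^/]*/([^/]*)/")


def parse_greppable(text):
    """Return {host: {port: service}} for open TCP ports in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports: field
        host, ports_field = m.group(1), m.group(2)
        hosts[host] = {int(p): svc for p, svc in PORT_RE.findall(ports_field)}
    return hosts


def score_hosts(hosts, impact=ASSET_IMPACT):
    """Apply Risk = Vulnerability x Likelihood x Impact per host and rank, highest first."""
    ranked = []
    for host, ports in hosts.items():
        findings = [f"{RISKY_SERVICES[p]} reachable on {p}/tcp ({svc})"
                    for p, svc in sorted(ports.items()) if p in RISKY_SERVICES]
        vulnerability = len(findings)  # count of exploitable exposures found
        likelihood = LIKELIHOOD_IF_EXPOSED if findings else LIKELIHOOD_BASELINE
        risk = round(vulnerability * likelihood * impact.get(host, 1), 2)
        ranked.append({"host": host, "risk": risk, "findings": findings})
    ranked.sort(key=lambda r: (-r["risk"], r["host"]))
    return ranked


def assess(scan_text, impact=ASSET_IMPACT):
    """Parse a greppable scan and return the ranked risk table."""
    return score_hosts(parse_greppable(scan_text), impact)


def risk_reduction_if_closed(hosts, host, port, impact=ASSET_IMPACT):
    """What-if: how much the host's risk drops if one port is taken off the internet."""
    before = {r["host"]: r["risk"] for r in score_hosts(hosts, impact)}[host]
    patched = {h: dict(p) for h, p in hosts.items()}  # copy so the inventory is untouched
    patched[host].pop(port, None)
    after = {r["host"]: r["risk"] for r in score_hosts(patched, impact)}[host]
    return round(before - after, 2)


if __name__ == "__main__":
    for entry in assess(SAMPLE_SCAN):
        print(f"{entry['host']}: risk={entry['risk']}")
        for finding in entry["findings"]:
            print("  -", finding)
    inventory = parse_greppable(SAMPLE_SCAN)
    print("closing 3389/tcp on 203.0.113.11 reduces its risk by",
          risk_reduction_if_closed(inventory, "203.0.113.11", 3389))
```

Run against a real scan by replacing SAMPLE_SCAN with the contents of an `nmap -oG` file for your own public ranges; the ranking then tells you which exposure to close first, and the what-if function lets you compare remediations by the risk they remove rather than by how easy they are.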

Using 2024 to inform our path forward

We know that hackers are continuing to improve their technical practices. This is widening the gap between the defensive cyber security capabilities of many organisations and the skills and acumen of their adversaries, and it can no longer be ignored. An organisation might have thousands of potential gaps for exploitation across its attack surface. Senior executives and their security teams need to match the capabilities of their adversaries with improved processes and practices that eliminate those gaps; the complexity lies in the granularity of that task.

There is no silver bullet. Enterprises need to improve their security practices so that they find the gaps in their defences before their adversaries do. This means actively managing threat exposure to limit the emergence of potential security gaps. Automated threat detection and risk assessment technology will certainly improve the ability to identify and mitigate vulnerabilities at scale, before they become a cyber security liability. Regulations are also requiring senior executives and the board to take greater responsibility for cyber security risk management and resilience as part of routine business activities.

The impetus for change

The UK’s National Cyber Security Centre has observed3 that organisations can improve their cyber resilience, and reduce the likelihood of a cyber insurance claim by more than 80%, through the routine management and maintenance of an effective set of technical cyber security controls. Similar benefits could be expected from comparable rules-based cyber security frameworks elsewhere. Microsoft went so far as to observe that: “Although threat actors continue to evolve and grow more sophisticated, a truism of cybersecurity bears repeating: Basic cyber security hygiene—enabling MFA, applying Zero Trust principles, keeping up to date, using modern anti-malware, and protecting data—prevents 98% of attacks.”4

There is plenty of evidence that regular threat exposure management will improve the resilience of your enterprise. The question leadership teams should be asking is – ‘Are we passively entering 2025, or actively leaning into cyber security and evolving our risk-management practices?’

In 2025 organisations need better Threat Exposure Management

Huntsman’s SmartCheck and Essential 8 Auditor and Scorecard solutions are designed so that organisations can monitor and report on the state of their security controls. This enables effective vulnerability management and significantly limits the risk of a cyber attack.

If attackers are going to scan a range of companies (including your own) before they attack, the best defence is to make sure that the scan doesn’t turn up anything in your case that would make your organisation worth attacking.

The need for threat exposure management, both to support and steer technical and operational efforts and to enable board-level reporting for governance and compliance purposes, isn’t a “nice to have” anymore. It is a critical plank of cyber security risk management and ultimately of enterprise resilience.

If you don’t find the exposure you have, it seems clear that someone else will.

Written by Peter Woollacott

Peter is the CEO and Founder of Huntsman Security and the driving force behind its success. With more than 20 years’ experience in cyber security, Peter continues to pioneer innovative software to set a benchmark within the global cyber security market.


  1. How to Survive a Crisis, David Omand, Penguin Books, 2024
  2. https://www.insurancejournal.com/news/international/2024/12/06/803859.htm
  3. https://www.ncsc.gov.uk/blog-post/cyber-essentials-decade
  4. https://www.microsoft.com/en-us/security/security-insider/practical-cyber-defense/cyber-resilience-hygiene-guide
