
The board’s role in establishing effective digital resilience

May 27, 2025

The inevitability of cyberattacks and information technology outages has reframed organizational resiliency discussions—shifting them from prevention to mitigation of financial, operational and reputational impact, with a focus on business continuity and rapid recovery. These are key components of enterprise risk management and resilience.

However, digital risk represents only one of many types of risk that enterprises must address to achieve resilience. Governance through an enterprise-as-a-system (EAS) approach can not only help your organization deal with digital risk—which can be less than intuitive—but also help contextualize other enterprise risks to drive your organization’s resilience strategy.

In previous articles we emphasized the importance of boards and management teams arriving at a shared holistic understanding of their business as an EAS. This is essential to governing and managing digital opportunities and risks to your business, both of which are expanding exponentially with the advent of artificial intelligence.

The EAS consists of interconnected elements (applications, servers, databases, hosted solutions) and networks, including the people who operate them, that support every organization. It defines your business from a cybersecurity perspective. Embracing the educational, organizational and cultural elements of EAS provides boards and senior executives with a holistic view of cyber risk and digital opportunity, a perspective essential to keep pace with the rapidly evolving digital landscape, strengthen business systems and minimize potential damage. Building resilience is foundational for your enterprise, but resilience to cyberattacks cannot be easily bolted onto weak or misunderstood business systems.

Rethinking digital risk: From defense to resilience

For years, organizations approached digital risk and cybersecurity with a fortress mentality: Build thicker walls and tighter perimeters and hope intruders stay out. That model is no longer sufficient. As AI accelerates the pace and sophistication of threats, businesses must shift from prevention to preparation and recovery. Cyber resilience is about minimizing damage, maintaining operational continuity and recovering quickly.

Compare your business to a warship. Business enterprises have evolved over the past several decades by converting manual processes into digital ones on top of internet technology designed without security in mind. On the other hand, warships are designed and built from the ground up to be resilient to threats, whether internal or external. In addition to having strong hulls, warships are compartmentalized to isolate damage. Critical assets are segmented and accessed on a need-to-know basis only. Crews envision threats and develop and practice procedures to recover from potential damage.

How does your EAS compare?

Because early cyberthreats were primarily from external actors, EAS protections were developed based on a perimeter/bastion mentality designed to protect vulnerable systems against intruders. This is like building a thicker hull on a warship while paying little attention to the potential spread of damage to compartments within. Critical assets remain unidentified and EAS choke points for business continuity are often misunderstood. Business continuity procedures (if written) do not support enterprise risk activities or coordinate with other risk disciplines, do not reflect the current business and technology environments, and are insufficiently practiced. Strong EAS “hulls” are an essential element of EAS protection and support business resilience, but alone are insufficient to mitigate damage from inevitable cyberattacks.

Fortunately, business leaders are signaling a new cybersecurity approach under the heading of resilience, one which recognizes the inevitability of damage and the impracticability of redesigning and overhauling the EAS given its complexity and the disruption it would involve.

Resilience from cyber incidents is a paradigm shift from perimeter protection thinking. It assumes cyberthreats can come from anywhere, inside or outside the EAS. However, resilience against cyberthreats or any other disruptions is not a capability easily bolted onto today’s enterprises. Instead, “warship-like” resilience requires board and executive support and governance, planning for all hazards (not just cyber), and program-level ownership.

Business leaders are encouraged to begin this journey today to address the rapidly evolving threat landscape.

Boards should take the following actions:

  • Shift from quarterly cybersecurity briefings to real-time risk dashboards, ensuring continuous monitoring rather than fragmented, after-the-fact reporting.
  • Adopt cybersecurity risk appetite statements that align with business objectives—clearly defining acceptable risks, necessary investments and thresholds for escalating security incidents.
  • Consider a governance approach that aligns with a leading cybersecurity framework, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which focuses on the core functions of identify, protect, detect, respond and recover.

Zero trust: The foundation of digital resilience

The linchpin of digital risk resilience is “zero trust,” a security model based on the principles of “never trusting, always verifying,” limiting access, and frequently practicing incident response. Unlike traditional models that assume users and devices inside the EAS are trustworthy, zero trust assumes that no access or interaction, whether inside or outside the organization, is trusted. This approach encompasses all security layers, including identity, data, end points, applications and the network.

Zero-trust principles include:

  1. Granting EAS access strictly on a “need-to-access, least privileged” basis, coupled with strong, continuous user authentication (not just at the perimeter)
  2. Leveraging monitoring tools to detect anomalous activity and user behavior
  3. Segmenting networks into small (even micro) elements that can be isolated to prevent the spread of cyber incidents
  4. Ensuring data, applications and all devices (end points) accessing the EAS are secure and trustworthy
  5. Implementing ongoing security improvements to the EAS, particularly as it changes with the addition of new digital systems and removal of existing ones
  6. Developing and practicing business continuity and incident response policies and procedures with clear lines of authority and responsibilities

Implementing zero trust is a long-term process that should proceed at a pace the board and management team can manage with minimum disruption. Legacy systems and communication networks will have to be modified with new systems and controls. In addition, employees will be burdened with extra steps to access the EAS and have limited access to data and workflows. All EAS stakeholders will need to be trained to understand the importance of zero trust to EAS protection and resilience. Boards should establish measurable milestones for achieving digital risk resilience—such as full zero-trust implementation within three to five years—while ensuring iterative improvements are made along the way.
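To make the principles above concrete, here is an added illustration (not RSM’s code, and not from any product the article describes) of a zero-trust policy decision point: every request is re-evaluated on each access against continuous authentication, least privilege, device trust, segmentation and a simple behavioural anomaly check, and any failed check is recorded so the monitoring layer can see why access was refused. The thresholds, segment names, roles, users, devices and resources are all constructed assumptions for the example.

```python
"""Zero-trust policy decision point, as an added illustration (not RSM's code).

Every request is re-evaluated on every access rather than once at a
perimeter. The checks map to the principles above: continuous
authentication, least privilege, device trust, segmentation and anomaly
detection. Thresholds, segment names, roles and resources are all
constructed assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical policy thresholds (assumptions, not values from the article)
MAX_SESSION_AGE_SEC = 15 * 60   # force re-verification of identity every 15 minutes
MAX_REQUESTS_PER_MIN = 60       # crude behavioural anomaly threshold

# Which micro-segment may reach which (constructed adjacency; deny if unlisted)
SEGMENT_ROUTES = {
    "user-lan": {"user-lan", "app-tier"},
    "app-tier": {"app-tier", "data-tier"},
    "vendor-vpn": {"vendor-portal"},
}


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str                 # micro-segment the resource lives in
    allowed_roles: frozenset     # least privilege: roles explicitly permitted


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                # enrolled in endpoint management
    patched: bool                # meets the current patch baseline


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool
    session_age_sec: int
    device: Device
    source_segment: str
    resource: Resource
    requests_last_minute: int = 0


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Default is deny; every failed check is recorded
    so the monitoring layer can see why access was refused."""
    reasons: list[str] = []
    # Continuous authentication: MFA and a fresh session on every request, not just at login
    if not req.mfa_verified:
        reasons.append("mfa-required")
    if req.session_age_sec > MAX_SESSION_AGE_SEC:
        reasons.append("session-stale-reverify")
    # Least privilege: at least one of the user's roles must be explicitly allowed
    if not (req.roles & req.resource.allowed_roles):
        reasons.append("role-not-permitted")
    # Device trust: unmanaged or unpatched end points are untrusted regardless of user
    if not (req.device.managed and req.device.patched):
        reasons.append("device-untrusted")
    # Segmentation: the source segment must have a listed route to the resource's segment
    if req.resource.segment not in SEGMENT_ROUTES.get(req.source_segment, set()):
        reasons.append("segment-isolated")
    # Anomaly detection: an abnormal request rate is denied pending review
    if req.requests_last_minute > MAX_REQUESTS_PER_MIN:
        reasons.append("anomalous-rate")
    return (not reasons, reasons)


# Constructed sample requests exercising the rules
LEDGER_APP = Resource("ledger-app", "app-tier", frozenset({"finance"}))
LEDGER_DB = Resource("ledger-db", "data-tier", frozenset({"dba"}))
GOOD_DEVICE = Device("laptop-01", managed=True, patched=True)
BAD_DEVICE = Device("byod-07", managed=False, patched=False)

SAMPLE_REQUESTS = {
    "finance user on managed laptop to ledger app": Request(
        "alice", frozenset({"finance"}), True, 300, GOOD_DEVICE, "user-lan", LEDGER_APP),
    "same user straight to the database": Request(
        "alice", frozenset({"finance"}), True, 300, GOOD_DEVICE, "user-lan", LEDGER_DB),
    "stale session from an unmanaged device": Request(
        "bob", frozenset({"finance"}), True, 3600, BAD_DEVICE, "user-lan", LEDGER_APP),
}


def run_samples() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every constructed request and return the decisions."""
    return {label: evaluate(r) for label, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, (allowed, why) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {label}  {why}")
```

The second sample is the “warship compartment” point from earlier in the article: the same authenticated finance user who may reach the ledger application is refused a direct path to the database, both because the role is not permitted there and because the user segment has no route to the data tier. In a real deployment the route table and role mappings come from the EAS inventory rather than constants.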

Board and management actions to create a resilient EAS

Action: Discover, identify and inventory all EAS elements.
Steps: Present a high-level business process map to the board, identifying critical assets, how elements interact, and EAS choke points and weaknesses.
Considerations:
  • EAS mapping facilitates understanding your business needs for cybersecurity.
  • Scanning the entire EAS reveals vulnerabilities.
  • Discovered weaknesses can be assessed against industry standards.
  • Internal and external penetration tests and vulnerability assessments develop strength/weakness perspectives.
  • Engage third parties to assess the vulnerability of existing EAS systems.
  • Regularly update the inventory to remain current.

Action: Commit to an EAS risk mitigation plan employing a zero-trust framework.
Steps: Begin constructing a zero-trust environment in which no internal or external device, person, end point or third-party interaction with the EAS is trusted. Assume all access is a potential threat.
Considerations:
  • Start with a pilot project focused on a high-risk critical asset, process or application.
  • Be prepared for a long-term process that may require redesigning and compartmentalizing EAS systems and processes.

Action: Restrict EAS access to a “need-to-know” basis.
Steps: Evaluate who and what needs to access the EAS. Assign access permissions on a needs-only basis.
Considerations:
  • Multifactor authentication (MFA) reduces unauthorized access.
  • Single sign-on (SSO) reduces the access frequency for authorized users.
  • Do not grant local administrative access privileges to user devices.
  • Avoid platforms that do not employ MFA and SSO.

Action: Evaluate the impact to the EAS before making changes.
Steps: Develop and follow procedures that analyze and preapprove every digital system modification, addition or deletion for compliance with zero-trust principles.
Considerations:
  • EAS additions and modifications may have unintended consequences.
  • Include all legacy systems added through acquisition or removed by divestiture, as well as any new digital systems, particularly AI.

Action: Compartmentalize EAS physical and virtual communication channels.
Steps: Present an analysis of EAS physical and virtual communication channels and vulnerabilities to the board. Engage third-party communication experts to recommend steps to improve network compartmentalization and isolate EAS communications.
Considerations:
  • Start with applications that target the most vulnerable communication interfaces and will yield the highest return on investment.
  • Compartmentalization of communication channels substantially reduces the spread of cyberattacks, thereby minimizing damage to the EAS.

Action: Continually strengthen EAS digital systems.
Steps: Embark on an ongoing program to strengthen both existing and added systems.
Considerations:
  • Add systems designed with security in mind.
  • Foster a culture of awareness of internal and third-party system vulnerabilities.
  • Gradually improve or eliminate the use of weak systems.

Action: Accelerate patching cadences to protect critical EAS systems and processes.
Steps: Stay ahead of the bad actors by performing early vulnerability patching to protect the most important assets.
Considerations:
  • Automated patching timed to meet compliance requirements may not provide sufficient protection.
  • Think of “just-in-time” patching to protect the most valuable systems and processes.

Action: Imagine risk scenarios, events and consequences.
Steps: Engage management and outside advisors to imagine and predict the consequences of as many risk events as possible. Prepare accordingly.
Considerations:
  • Identifying risk is the leading element of the enterprise’s cybersecurity framework, followed by protect, detect, respond and recover.
  • Analysis of the expected frequency and consequences of cyber incidents is important for protecting critical assets.
  • Map risks to consequences and report both to the board. Which ones would hurt the most?
  • Add procedures to eliminate, mitigate, transfer or ignore each risk scenario.

Action: Create and practice business continuity policies and procedures.
Steps: Start by relating policies and procedures to the highest threats affecting the most important EAS assets.
Considerations:
  • Delineate clear lines of authority and responsibility.
  • Identify and include all relevant management team and board members in practice sessions.
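The patching and risk-scenario rows above make two related points: a compliance-driven patch schedule may not protect the most valuable systems, and risk should be reported to the board as expected frequency times consequence. The following added example (not RSM’s code or any product the article describes) shows one way to operationalize both: each finding is scored by exploitation likelihood weighted by the asset’s criticality from the EAS inventory, the compliance SLA becomes a ceiling rather than the target, and the resulting order is compared with a severity-only schedule. SLA days, likelihood weights, asset names and the placeholder advisory identifiers are all constructed assumptions.

```python
"""Risk-based patch prioritization, as an added illustration (not RSM's code).

Compliance SLAs set the latest acceptable date; the risk view (likelihood of
exploitation times consequence to the business) sets the actual target. All
assets, severities, SLA days and weights are constructed assumptions, and the
advisory fields are placeholders rather than real CVE identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical compliance SLA in days by vendor severity label (assumption)
COMPLIANCE_SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Likelihood weight by exploitation evidence (assumption)
EXPLOIT_LIKELIHOOD = {"exploited": 1.0, "poc": 0.6, "none": 0.2}


@dataclass(frozen=True)
class Finding:
    asset: str
    advisory: str            # placeholder identifier, not a real advisory
    severity: str            # vendor label that drives the compliance SLA
    asset_criticality: int   # 1 (low) .. 5 (business-critical), from the EAS inventory
    exploit_status: str      # "exploited", "poc" or "none"


def expected_impact(f: Finding) -> float:
    """Frequency times consequence: exploitation likelihood weighted by asset criticality."""
    return EXPLOIT_LIKELIHOOD[f.exploit_status] * f.asset_criticality


def due_in_days(f: Finding) -> int:
    """Just-in-time window. The compliance SLA is only a ceiling; business-critical
    assets under active exploitation get a much shorter target."""
    sla = COMPLIANCE_SLA_DAYS[f.severity]
    if f.exploit_status == "exploited" and f.asset_criticality >= 4:
        return min(sla, 3)
    if f.exploit_status == "exploited" or f.asset_criticality >= 4:
        return min(sla, 14)
    return sla


def compliance_order(findings: list[Finding]) -> list[str]:
    """The order a severity-only (compliance) schedule would produce."""
    ranked = sorted(findings, key=lambda f: (COMPLIANCE_SLA_DAYS[f.severity], f.asset))
    return [f.asset for f in ranked]


def risk_order(findings: list[Finding]) -> list[str]:
    """The order by expected impact, then by tightest window."""
    ranked = sorted(findings, key=lambda f: (-expected_impact(f), due_in_days(f), f.asset))
    return [f.asset for f in ranked]


# Constructed sample findings (advisory ids are placeholders)
SAMPLE_FINDINGS = [
    Finding("erp-db", "CVE-PLACEHOLDER-1", "high", 5, "exploited"),
    Finding("lobby-kiosk", "CVE-PLACEHOLDER-2", "critical", 1, "none"),
    Finding("hr-portal", "CVE-PLACEHOLDER-3", "medium", 4, "poc"),
    Finding("intranet-wiki", "CVE-PLACEHOLDER-4", "high", 2, "exploited"),
]


def board_report(findings: list[Finding] = SAMPLE_FINDINGS) -> list[tuple[str, float, int]]:
    """Rows of (asset, expected impact, due in days) in risk order for board reporting."""
    by_asset = {f.asset: f for f in findings}
    return [(a, expected_impact(by_asset[a]), due_in_days(by_asset[a])) for a in risk_order(findings)]


if __name__ == "__main__":
    print("compliance order:", compliance_order(SAMPLE_FINDINGS))
    print("risk order:      ", risk_order(SAMPLE_FINDINGS))
    for asset, impact, due in board_report():
        print(f"{asset:14} impact={impact:.1f} due in {due} days")
```

In the constructed sample the severity-only schedule would patch the kiosk first and the actively exploited ERP database somewhere inside a 60-day window; the risk-ordered schedule puts the database at the top with a three-day target and leaves the kiosk at its compliance date. That contrast is the “which ones would hurt the most?” question from the table, answered in a form the board can read.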

Transforming leadership for a resilient digital future

Just as boards have developed fluency in financial oversight, they must now do the same with digital risk. Building business resilience requires more than strong defenses—it demands proactive leadership, strategic investment and cultural change.

By embedding digital risk into your enterprise resilience strategy, you not only protect your business and increase agility amid evolving threats but also position it to thrive in an era when cyberthreats are persistent and the only constant is change.

RSM contributors

  • Rod Hackman
    Advisor, Board Excellence
  • Robert Snodgrass
    Principal, Risk Consulting
