What does it take to be ready?

Have you experienced that boardroom struggle – trying to get your head around cyber risk while diving deep into the threat landscape? You’re shown traffic-light charts and lists of “high” and “medium” risks but still have limited clarity about what would happen if a key service failed, or where to invest next in resilience – not just in more technology.

A more practical starting point than overthinking the threat landscape:

Start not with the risk event, but with the possible impact on your services, products and stakeholders. That shifts the conversation from a technology-led, threat-first view to an operations-focused, impact-first view. The advantages are immediate:

  • Threats change faster than you can track. New attack types appear constantly, so it’s hard to base decisions on specific scenarios.

  • No organisation can prevent every incident. At some point an adversary will get through, so planning to limit impact and recover quickly matters as much as prevention.

  • All incidents ultimately affect availability, integrity or confidentiality of systems and data. It’s easier to discuss the impact of those three types of damage than to debate every possible attack path.

  • Impact thinking widens the lens. An impact analysis naturally includes your stakeholders, customers, people you serve, regulators and the ecosystem you operate in.

  • Starting with impact helps you prioritise what truly matters. You focus on the most critical services and, in mapping them, build a clear inventory of the key technologies they rely on instead of treating your whole estate as equally important.

This way of looking at cyber risk also highlights where there is still work to do. In the UK, for example, only about 32% of businesses overall have a business continuity plan that explicitly covers cyber security. There is clear scope to strengthen how organisations think about disruption and recovery.[1]

Importantly, this is also the direction regulators are taking:

In financial services, the UK’s operational resilience rules require firms to identify “important business services” and set impact tolerances for the maximum tolerable disruption. The EU’s Digital Operational Resilience Act (DORA) explicitly calls on firms to analyse impact tolerance for technology disruptions. NIS2 (a European Union directive establishing cybersecurity requirements for critical infrastructure)[2], and now the UK’s proposed Cyber Security and Resilience Bill, emphasise protecting essential services and considering the societal and economic impact of incidents.

Five questions to ask in the boardroom:

If you want a better grasp of cyber risk and a stronger foundation for cyber strategy, ask these questions:

1. Have we identified our most critical services and mapped the key systems, data, locations and suppliers they depend upon – in genuine collaboration between business and technology teams?

2. Have we described realistic cyber scenarios that could affect those critical services?

3. How bad could it get – and how quickly? What is the maximum downtime and data loss we can tolerate before customers, income, safety or reputation are hit unacceptably?

4. Who else is affected if this service fails? How would disruption impact our customers, donors, patients, members, regulators, our reputation and our supply chain?

5. How does this impact picture guide our decisions? How should it inform our cyber risk register, mitigation actions, investment priorities and incident response plans?

You will still want a risk register with clear ownership and controls. You will still discuss investments in cyber resilience. But starting with impact allows for better-informed decisions and a far broader, more confident engagement of all board directors in governing cyber risk. If you’d like support in structuring these conversations and turning them into a practical cyber strategy, you can find more about the services we provide at Cyber4Directors here: https://www.cyber4directors.com/cyber-impact-analysis.


[1] UK Government, Department for Science, Innovation and Technology, Cyber security breaches survey 2025, section 3.8, https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025

[2] European Union Agency for Cybersecurity, NIS2 Technical Implementation Guidance, Section 4.1.3 page 53, 2025, https://www.enisa.europa.eu/sites/default/files/2025-06/ENISA_Technical_implementation_guidance_on_cybersecurity_risk_management_measures_version_1.0.pdf
