Bridging the gap between cybersecurity and real-world risk management
22nd January 2026 • Crowne Plaza Congress Hotel, Frankfurt
As adversaries continue to disrupt state entities, CNI and CNI-adjacent organisations, CISOs and their leaders need a new paradigm.
If you can’t stop ransomware, then what can you do?
If you run any organisation, large or small, today, the best way to test your cybersecurity function is simply to ask, “are we 100% secure against a ransomware attack crippling the business?” The answer will, in almost all cases, be “no”, and that is where all real conversations about cybersecurity should start.
In that discussion, ransomware is simply a placeholder for any type of attack that can disable critical business processes to the extent that the enterprise is materially affected. And to answer the question, the enterprise has to do a lot more than give the task to the CISO and rely on a security stack that focuses on specific threats without reference to enterprise risk.
Risk prioritisation requires a complete understanding of the minimum viable business, the processes and assets (end-to-end) which that business would need to run, and then an analysis of the IT systems and vulnerabilities implicated.
That requires the business, the CRO, IT and operational risk staff, the business continuity team, the cybersecurity team and senior management all to co-operate actively to put together a true picture of what the firm really is – in terms of the businesses, people and processes that cannot be lost.
In all likelihood, this analysis has never been done before, and the pace of technical change probably means that figuring out the technology aspects will never have been done either. Does anyone know every single element in a particular business process? If not, then no security team will be able to secure it. And no-one in the business or anywhere else will have a decent handle on their operational risk either.
This is the real visibility organisations need – visibility down through business processes into the most granular dependencies (not all of which will be technical). Only with the minimum viable business mapped out to this level can cyber teams then create a risk-based security strategy as part of a broader ops risk strategy.
At that point, security is not about generically securing the network or securing applications or securing the Cloud; it’s not about EDR or IDAM or zero trust per se. It’s about asking how best to protect the core of the business. If trying to secure everything doesn’t work, then that core itself cannot be secured.
Admit that, and you have only two options: devote far more of your resources to true resilience, or, more controversially and problematically, pull those critical processes out of the normal IT infrastructure that cannot be secured.
Defence companies do not do security like normal firms: they avoid Cloud, they airgap, and they do not interact with third parties in the same way that most organisations do. We’ve spent years saying that the old perimeter is dead. Maybe it’s time to recreate it inside organisations to protect the core. And if not, then resilience, not security, is the answer. The company with perfect resilience does not need security – it will still want it to avoid the costs of constant response, but if the true operational risk aim is to keep the business running, rather than to mitigate some CVE or other, then surely security has to change?
So, is anyone really doing this outside those forced to by regulation? If not, do they understand the risk they are taking? How do they think about cybersecurity risk and how do they prioritise resources to mitigate it? Do CISOs understand the fundamental change that resilience brings?