Re-defining the CISOs’ mandate: why resilience changes everything
28th January 2026 • Scandic Grand Central Hotel, Helsinki, Finland
In resilient organisations, does security come second? If so, what changes for technology, people and process?
Can you pass the ransomware test?
The “ransomware test” is deceptively simple: if attackers encrypted your systems tonight, would your organisation still be standing tomorrow? For almost every enterprise, the honest answer is no. That truth is uncomfortable, but it is the only starting point for a serious conversation about cybersecurity.
Too often, organisations approach cyber risk as a collection of tools, frameworks, and buzzwords (EDR, IDAM, zero trust, cloud security) without reference to what truly matters: the business itself.
The centre of gravity for security must shift. Instead of trying to secure everything, CISOs must lead efforts to identify and protect the minimum viable business (MVB) — the processes, systems, and assets without which the organisation ceases to function.
This shift in mindset also requires a technical transformation. Security must be embedded within broader operational risk strategies, resilience must be prioritised alongside prevention, and in some cases the “perimeter” must be rebuilt — not around the whole enterprise, but around its most critical core.
Neither resilience nor security can be effective without visibility into what really matters, yet few organisations have mapped their MVB, the minimum set of processes, assets, and systems required to keep the enterprise alive.
Firms need service and dependency discovery: which applications, hosts, identity services and external feeds each critical process actually relies on. Only then can CISOs apply breach and attack simulation (BAS) tools to model attacker pathways into MVB components and work out the architectures and tooling they need.
Only then can they look at OT/IT threats to dependencies on physical infrastructure (power, HVAC), regulatory processes and external feeds.
But it’s not the CISO’s job to do all this. They should be able to ask, “Which processes, if destroyed, make us non-viable?” If no one can answer, the security strategy is already blind.
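As an added illustration, not material from the event description or its speakers, the following Python sketch shows what a mapped MVB looks like once dependency discovery has produced data, and how both the “ransomware test” and the question “which processes, if destroyed, make us non-viable?” become computable rather than rhetorical. The organisation, the nodes and the edges are constructed sample data; the redundant identity provider, the two domain controllers sharing one power feed, and the set of processes with a manual fallback are assumptions made for the example.

```python
"""Added example: a minimal 'minimum viable business' (MVB) dependency model.

Not code from the event or its speakers. All nodes and edges below are
constructed sample data for one hypothetical organisation.
"""

# Each key depends on every entry in its list (AND). A tuple inside the list
# is an OR group: any one member keeps the dependency satisfied. That is how
# redundancy is modelled. Leaves (not keys) are physical/external dependencies.
DEPENDS_ON = {
    # Business processes
    "process:order-fulfilment": ["app:erp", "app:warehouse-mgmt"],
    "process:payroll": ["app:hr", "feed:bank-sepa"],
    "process:customer-support": ["app:ticketing", "app:idp"],
    # Applications
    "app:erp": ["host:db01", "host:app01", "app:idp"],
    "app:warehouse-mgmt": ["host:wms01", "host:db01"],
    "app:hr": ["host:hr01", "app:idp"],
    "app:ticketing": ["saas:ticketing", "app:idp"],
    "app:idp": [("host:dc01", "host:dc02")],   # assumed: either DC suffices
    # Hosts and their physical dependencies
    "host:db01": ["infra:power-dc1", "infra:hvac-dc1"],
    "host:app01": ["infra:power-dc1", "infra:hvac-dc1"],
    "host:wms01": ["infra:power-warehouse"],
    "host:hr01": ["infra:power-dc1", "infra:hvac-dc1"],
    "host:dc01": ["infra:power-dc1"],
    "host:dc02": ["infra:power-dc1"],  # assumed: same hall, so redundancy is illusory
}

# Tier 1 processes: the MVB (constructed choice).
TIER1 = {"process:order-fulfilment", "process:payroll"}
# Processes that can run manually for a short time if IT fails (assumption).
MANUAL_FALLBACK = {"process:payroll"}


def viable(node, lost, deps=DEPENDS_ON, _stack=()):
    """True if `node` still functions when every node in `lost` is unavailable."""
    if node in lost:
        return False
    if node in _stack:  # a cycle means the discovered data is wrong; fail loudly
        raise ValueError(f"cyclic dependency through {node}")
    stack = _stack + (node,)
    for req in deps.get(node, ()):
        alternatives = req if isinstance(req, tuple) else (req,)
        if not any(viable(alt, lost, deps, stack) for alt in alternatives):
            return False
    return True


def all_nodes(deps=DEPENDS_ON):
    """Every node mentioned anywhere in the dependency map."""
    nodes = set(deps)
    for reqs in deps.values():
        for req in reqs:
            nodes.update(req if isinstance(req, tuple) else (req,))
    return nodes


def single_points_of_failure(process, deps=DEPENDS_ON):
    """Nodes whose loss on its own makes `process` non-viable (sorted)."""
    return sorted(n for n in all_nodes(deps) - {process}
                  if not viable(process, {n}, deps))


def ransomware_test(encrypted, deps=DEPENDS_ON, tier1=TIER1, manual=MANUAL_FALLBACK):
    """Per Tier 1 process: 'up', 'manual' (survives on fallback) or 'down'
    when every node in `encrypted` is unavailable."""
    result = {}
    for proc in sorted(tier1):
        if viable(proc, encrypted, deps):
            result[proc] = "up"
        elif proc in manual:
            result[proc] = "manual"
        else:
            result[proc] = "down"
    return result


if __name__ == "__main__":
    for proc in sorted(TIER1):
        print(proc, "single points of failure:", single_points_of_failure(proc))
    # Scenario: ransomware encrypts the ERP database and the HR server.
    print(ransomware_test({"host:db01", "host:hr01"}))
    # Scenario: one domain controller lost; the OR group absorbs it.
    print(ransomware_test({"host:dc01"}))
    # Scenario: power lost in hall 1; the 'redundant' IdP goes with it.
    print(ransomware_test({"infra:power-dc1"}))
```

The point of the small model is the last scenario: the identity provider looks redundant at the application layer, yet `infra:power-dc1` still appears as a single point of failure for order fulfilment because both domain controllers sit behind the same feed. That is exactly the OT/IT dependency that discovery has to surface before any BAS tooling can model a realistic attacker path.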
This also means firms must shift from generic security to core protection, and accept that core protection will impact the business. Sacrifices have to be made to secure Tier 1 assets and processes; a refusal to make them means the company is explicitly accepting the risk of a truly material security incident.
This shift from security to resilience isn’t just technical, it’s cultural. Ask who in your organisation can answer:
• Who has mapped the MVB in your organisation, and how recently?
• How much of your security budget protects Tier 1 assets/processes versus “everything else”?
• How many full recovery drills have included the executive committee?
• Can critical processes operate manually, even for a short time, if IT fails?
• Are you prepared to trade efficiency and flexibility for fortress-style protection?
The resilient enterprise may still want strong security, but it doesn’t depend on it for survival. That is the difference between security as a collection of tools and security as a business enabler.
For CISOs, the challenge is stark: embrace this new paradigm or continue pretending that securing everything is possible. The first path leads to resilience and credibility. The second leads to inevitable failure.