Organizational Resilience Insights

Explore top LinkedIn content from expert professionals.

  • View profile for Wil Klusovsky

    Hire me to level up sales & marketing | Public Speaker | Host of The Keyboard Samurai Podcast

    18,487 followers

    If you can’t prove impact, don’t expect to keep your budget. 🧙🏼♂️

    I see it all the time as an Advisor, 2 extremes:
    💥 50 dashboards of useless data
    OR
    😞 Zero visibility of metrics that matter.

    Making decisions on gut feeling
    Struggling to translate cyber to business, unable to get budget
    Fingers crossed hoping nothing bad happens 🤞🏼

    But the right data changes everything.

    So I put this together based on 26 years in the industry to help you watch what matters. Here’s what you should be tracking: 👇🏼

    1. Mean Time to Detect (MTTD):
    ↳ Average time to spot an incident, how quickly you can identify threats before damage.
    2. Mean Time to Respond (MTTR):
    ↳ Average time to contain an incident, how effectively your team can limit impact.
    3. Incident Volume:
    ↳ Total incidents over a period, the level of threat activity and your team’s workload.
    4. Phishing Click Rate:
    ↳ Percentage of employees who fall for simulated phishing, showing the org's human risk exposure.
    5. Patch Compliance Rate:
    ↳ Percentage of systems patched on time, how well you’re closing common attack paths.
    6. Vulnerability Remediation Time:
    ↳ Average time taken to fix vulnerabilities, how quickly you reduce exploitable weaknesses.
    7. % of Critical Vulns Open Past SLA:
    ↳ High-risk vulnerabilities left unresolved past deadlines, revealing dangerous delays in protection.
    8. Endpoint Detection Coverage:
    ↳ Endpoints with security agents deployed, showing where attackers may still have blind spots.
    9. MFA Coverage:
    ↳ Percentage of accounts/apps protected by MFA, reflecting how well identity risks are controlled.
    10. Backup Success & Test Rate:
    ↳ Percentage of backups completed & verified, readiness to recover = resilience.
    11. Security Awareness Training Completion:
    ↳ Percentage of staff who finish training, the org's commitment to reducing human risk.
    12. Third-Party Risk Assessment Coverage:
    ↳ Percentage of vendors assessed, how much supply chain risk you actually understand.
    13. % of Incidents Escalated to External Notification:
    ↳ Incidents requiring disclosure, how often issues affect legal & reputation.
    14. Dwell Time:
    ↳ Average time attackers stay undetected, how long adversaries have to move before you respond.
    15. False Positive Rate:
    ↳ Percentage of alerts deemed false, how much noise is distracting your team.
    16. % of Privileged Accounts Reviewed:
    ↳ Percentage of high-level accounts audited, control over insider and admin misuse risks.
    17. Compliance Alignment Score:
    ↳ Percentage of required controls in place, indicating audit readiness & regulatory obligations.
    18. % of Incidents with Root Cause Identified:
    ↳ Incidents where the true cause is found, preventing repeat attacks.

    Get these in place and you'll sleep at night, and get that budget to improve.

    Which one do you find the most important? ⤵️

    🔄 Repost to help others improve cybersecurity
    📲 Follow Wil Klusovsky for wisdom on cyber & tech business
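Several of the metrics in the post above fall straight out of timestamps and verdicts you already have in a ticketing system, SIEM and vulnerability tracker. The script below, added here as an illustration and not part of the original post, derives MTTD, dwell time, MTTR, incident volume, false positive rate and the share of critical findings open past SLA from constructed sample records; the records themselves, the 14-day critical SLA and the distinction between "first evidence" and "compromised" timestamps are assumptions.

```python
"""Derive several of the metrics listed above from raw operational records.

Added example, not part of the original post. Every record below is
constructed sample data, and the 14-day SLA for critical findings is an
assumption; feed it exports from your own tooling in the same shape.
"""
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records. "compromised" is the attacker's first foothold as
# established by the investigation, "first_evidence" is when the first log entry
# that could have revealed it landed, "detected" is when the SOC opened the
# incident, and "contained" is when the attacker's access was cut off.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2024-03-01T08:00", "first_evidence": "2024-03-01T08:30",
     "detected": "2024-03-01T10:00", "contained": "2024-03-01T14:00"},
    {"id": "INC-2", "compromised": "2024-03-03T00:00", "first_evidence": "2024-03-04T00:00",
     "detected": "2024-03-05T00:00", "contained": "2024-03-05T06:00"},
    {"id": "INC-3", "compromised": "2024-03-10T12:00", "first_evidence": "2024-03-10T12:15",
     "detected": "2024-03-10T13:00", "contained": "2024-03-10T15:00"},
]

# Constructed SOC alert triage verdicts for the same period.
ALERTS = [("ALR-1", "true_positive"), ("ALR-2", "false_positive"), ("ALR-3", "false_positive"),
          ("ALR-4", "true_positive"), ("ALR-5", "false_positive")]

# Constructed vulnerability tracker export; "fixed" is None while the finding is open.
VULNS = [
    {"id": "V-1", "severity": "critical", "opened": "2024-02-01", "fixed": "2024-02-10"},
    {"id": "V-2", "severity": "critical", "opened": "2024-02-01", "fixed": None},
    {"id": "V-3", "severity": "critical", "opened": "2024-03-20", "fixed": None},
    {"id": "V-4", "severity": "high", "opened": "2024-01-15", "fixed": None},
]
CRITICAL_SLA = timedelta(days=14)  # assumed remediation SLA for critical findings


def _ts(value):
    """Accept ISO-8601 strings or datetime objects."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _hours(delta):
    return delta.total_seconds() / 3600


def mean_time_to_detect(incidents):
    """MTTD in hours: from the first evidence available to the SOC to the incident being opened."""
    return mean(_hours(_ts(i["detected"]) - _ts(i["first_evidence"])) for i in incidents)


def mean_dwell_time(incidents):
    """Dwell time in hours: from initial compromise to detection, i.e. how long the attacker
    had the run of the environment. Never below MTTD, since evidence appears after the foothold."""
    return mean(_hours(_ts(i["detected"]) - _ts(i["compromised"])) for i in incidents)


def mean_time_to_respond(incidents):
    """MTTR in hours: from detection to containment."""
    return mean(_hours(_ts(i["contained"]) - _ts(i["detected"])) for i in incidents)


def false_positive_rate(alerts):
    """Percentage of triaged alerts closed as false positives."""
    false_positives = sum(1 for _, verdict in alerts if verdict == "false_positive")
    return 100.0 * false_positives / len(alerts)


def pct_critical_open_past_sla(vulns, as_of, sla=CRITICAL_SLA):
    """Percentage of critical findings still open and older than the SLA as of a date.
    All critical findings form the denominator, so the figure falls as the team remediates."""
    as_of = _ts(as_of)
    critical = [v for v in vulns if v["severity"] == "critical"]
    overdue = [v for v in critical if v["fixed"] is None and as_of - _ts(v["opened"]) > sla]
    return 100.0 * len(overdue) / len(critical) if critical else 0.0


def metrics_report(as_of):
    """One dict a dashboard or weekly report can render."""
    return {
        "mttd_hours": mean_time_to_detect(INCIDENTS),
        "dwell_hours": mean_dwell_time(INCIDENTS),
        "mttr_hours": mean_time_to_respond(INCIDENTS),
        "incident_volume": len(INCIDENTS),
        "false_positive_rate_pct": false_positive_rate(ALERTS),
        "critical_open_past_sla_pct": pct_critical_open_past_sla(VULNS, as_of),
    }


if __name__ == "__main__":
    for name, value in metrics_report("2024-04-01").items():
        print(f"{name:>28}: {value:.2f}")
```

The split between `first_evidence` and `compromised` is what keeps MTTD and dwell time from collapsing into one number: MTTD measures how fast the SOC acts on evidence it has, while dwell time also includes the period before any evidence existed, which is a visibility problem rather than a triage problem.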

  • View profile for Michael Collins

    Cyber Cognition® I help people and businesses think better about cyber security with systems thinking #cybercognition

    3,711 followers

    Your attackers operate in the real world - are your defences keeping up?

    Most organisations build their cyber security on frameworks and compliance checklists. Attackers aren’t interested in your paperwork, they go straight for the gaps that actually exist. Too often, we invest in controls without seeing evidence they actually stop real, successful attacks.

    What I’ve learned from systems thinking research in cyber: you need to ground your defences in practical reality:
    1️⃣ Review incidents and breaches and identify which controls might have truly changed the outcome.
    2️⃣ Focus on how breaches really happen, not just how you imagine they could.
    3️⃣ Prioritise controls where there’s evidence they disrupt attack paths you've seen used.
    4️⃣ Build feedback loops and update and improve defences based on what you learn from each incident.

    This is like being a detective: you don’t rely on guesses about what “should” work, you look for the signs and footprints that show you what’s actually moving through your environment.

    If your controls are just theoretical, it’s easy to mistake feel-good compliance for real resilience. It’s only when you learn from what’s actually happened, good and bad, that you’ll know what’s working.

    Have you shifted your controls based on patterns found in real incidents?

    Read more about my research on the ST4C Loop to find out how to think like an attacker.

    Better Thinking. Better Actions. Better Outcomes.

    #cybercognition #cybersecurity #systemsthinking

  • View profile for Jason Layton

    Senior Manager - Cyber Security | Proactive Services

    5,845 followers

    Cyber Performance Goals (CPGs): What are they? Why should we care? 🤷♂️

    Every organisation, regardless of industry or location, faces unique cyber threats. Traditional frameworks like #CIS, #ISO, and #NIST are a good starting point for security guidance, but they often lack clear connections between real threats, adversary attack techniques, and the associated mitigations. This is where Cyber Performance Goals come in. CPGs bridge that gap through traceability and practical application by starting with a good security outcome, linking this to a valid risk or TTP, and providing the recommended action to address the key risk(s).

    In CISA's words, “The CPGs are voluntary practices with high-impact security actions that outline the highest-priority baseline that measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats.”

    ⚡ Enhanced Cyber Performance Goals (eCPGs).
    CPGs alone are an excellent resource for understanding how to achieve secure outcomes, but using them in isolation won’t do much without the necessary business context. Here are my insights when working with CPGs in real-world engagements:

    💡 Use Threat Events (as defined in NIST 800-31r1)
    - Sector-Specific Scenarios: Identify realistic threats and attack vectors relevant to your industry/organisation.
    - E.g. Threat = "Steal valid customer account information/online banking credentials". (Financial Services)
    - Threat Modeling: Identify and map potential attack paths and initial access vectors within your high-value assets and hosting environments.
    - Risk Prioritisation: Focus on high-impact, high-likelihood scenarios first.

    💡 Vulnerability and Weakness Mapping (CVEs / CWEs)
    Before an attack can be successful, there must be a vulnerability or weakness. This part is crucial for validating any downstream attack TTPs and mitigating controls.
    - Example: Threat = "Steal valid customer account information/online banking credentials".
    ➡️ Weakness = "CWE-306: Missing Authentication for Critical Function", “CWE-308: Use of Single-factor Authentication".

    💡 Link To Cyber Performance Goals (CPGs)
    - Leverage existing CPGs as adequate mitigating controls.
    - MITRE ATT&CK Alignment: CPGs already map ATT&CK TTPs to recommendations for threat-informed risk mitigation.
    - NIST CSF Compliance: Helps ensure control standards alignment for organisations that use NIST.

    💡 Bringing it all together
    This might seem like a lot of effort, but in practice, it’s very straightforward once you understand the threats and weaknesses facing a target organisation. Using these CPGs with this approach gives your impact assessments and control recommendations a lot more credibility when they come from reputable and threat-informed sources, not just you.

    Check out the complete list of CPGs here: https://lnkd.in/gdTQ_n_W

    #cybersecurity #performance #goals #cpgs #threatintelligence #CISA #NIST #mitreattack

  • View profile for Gbolabo Awelewa

    Cybersecurity Expert leading the evolution of Managed Security Services across Africa’s digital landscape

    9,316 followers

    The Illusion of Security: Why Most Organizations Are Vulnerable Despite Their Investments 💰

    The words of Sun Tzu echo through time with uncomfortable relevance: "Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat."

    Two and a half millennia later, this wisdom exposes a critical vulnerability in how we approach cybersecurity today.

    I've observed a dangerous pattern across enterprises: security leaders implement robust tools and technologies (Tactics) but rarely validate their effectiveness against sophisticated real-world attack scenarios (Strategy). This false confidence is more dangerous than acknowledged ignorance.

    Organizations deploy EDR solutions, implement zero-trust architectures, and conduct compliance audits, checking all the right boxes, yet remain fundamentally vulnerable because these defenses aren't tested against adaptive, persistent adversaries using current techniques.

    When I ask security leaders about their confidence level in withstanding a targeted attack, most express high certainty. Yet when pressed about whether their defenses have been validated through adversary simulation or red team exercises, their confidence wavers.

    The Hard Truth: you cannot claim security resilience based solely on deployed technologies or compliance frameworks. Real security emerges from strategic validation under pressure, where assumptions are challenged and invisible gaps are exposed.

    The most effective security programs I've witnessed embrace this uncomfortable reality. They systematically pressure-test their defenses (by running consistent Cyber-Drills), document failures, and continuously evolve.

    Are you investing in tactics without validating your strategy? Or are you strategically challenging your security assumptions through effective realistic testing? The survival of your business in tomorrow's threat landscape may depend on your answer.

    #Cybervergent #CyberDrill #ControlsEffectiveness #esentry #DigitalTrust

  • View profile for Mitchell Osak

    Fractional Cannabis Leader & Adviser | CEO, CMO, Corp Dev, CRO | Expert Witness | Thought Leader, Speaker and Contributor to the Cannabis Management Review at mitchellosak.substack.com

    19,230 followers

    Cannabis 2023: Survival is the 'New Black'

    “This ain't no party, this ain't no disco. This ain't no fooling around. No time for dancing, or lovey-dovey. I ain't got time for that now”
    Life During Wartime, The Talking Heads

    Many cannabis companies are facing the balance of 2023 and 2024 with a great deal of trepidation. The number of business failures (some were leading firms) grows weekly. Unprofitability continues to plague the sector, with up to 75% of all companies losing money. Serious macroeconomic, funding and industry headwinds are not relenting - and may even get worse. And don’t count on regulatory or tax relief any time soon.

    For most operators, it’s time to get real. Leaders need to adopt a survival mindset and prioritize unsexy (for the sector) things like free cash flow, operational agility and cost reduction. Unfortunately, too many firms have taken far too long to make the requisite changes, whether out of hubris, naiveté or being a ‘deer in the headlights’.

    For most firms, the only thing that’s going to save them is to outlast their peers. Unless you have access to lots of cheap capital (i.e. a long runway), you won’t innovate or brand your way out of this mess. It's time to psychologically reset, channel your latent Darwinism and focus on practical survival strategies that can generate short-term financial wins.

    Here are 8 'must-do' tactics that prioritize costs and clarity:

    > Cost Reduction
    1) Finally purge that excess inventory, ugly write down be damned.
    2) Prune your workforce. My analysis shows that many firms are overstaffed on a revenue/worker basis. But use a scalpel not a chainsaw so as to not degrade core capabilities or harm your culture.
    3) Optimize procurement through negotiating deeper supplier discounts, adding procurement controls and reducing the number of vendors.
    4) Take the company private if you see little prospect of a share price lift. This will save big time compliance costs and shield you from predatory short sellers and online investor trolls.

    > Business Clarity
    5) Pick a strategic lane where you can win. Exit unprofitable or long time-to-revenue markets.
    6) Outsource non-strategic and underutilized operations. A 3rd party contact center like HelloMD can handle inbound and outbound customer education to drive higher retention (+40% in cases), while you focus resources on what makes you special. Extraction operations could move from a fixed to a variable cost by using an ‘extraction-as-a-service’ firm like extractX.
    7) Get your financial management house in order. Too many businesses fail to undertake table stakes financial activities like real time reporting and budgeting.
    8) Cut organizational, IT and product complexity to speed up execution and unlock waste.

    Subscribe to my free newsletter (link in comments), the Cannabis Management Review, for more unique content.

    #cannabisindustry #costreduction #outsourcing #cannabisusa #operations #MSOs #LPs

  • View profile for Tony Martin-Vegue

    Technology Risk Consultant | Advisor | Author of the upcoming book “Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification” (coming early 2026)

    6,563 followers

    Here we go, week 8. I hope everyone is enjoying these as much as I am enjoying posting them. If you're just joining: I'm sharing 32 specific mindset shifts from my upcoming book that help risk professionals transition from traditional risk management (heat maps, gut feelings) to decision-based risk using quantification.

    We're in THEME 2: MEASUREMENT THINKING, moving from vague categories to decision-ready metrics leaders can actually use to make trade-offs. This week, we're tackling one of the most frustrating barriers in risk management: risk appetite statements that sound official but provide zero guidance when you actually need to make a decision.

    8. Vague Risk Appetite → Quantified Thresholds

    Traditional Risk: Use vague statements like "low risk tolerance" or "acceptable risk levels" that force teams to guess what leadership actually wants when facing real decisions.

    Decision-Based Risk: Create quantified risk appetite statements with specific probability limits and measurable criteria. For example: "We accept no more than 10% chance of cyber losses exceeding $5M annually, and no more than 1% chance of losses exceeding $25M."

    Mindset Shift: Train your brain to question fuzzy appetite statements and seek out measurable thresholds. When you hear "moderate risk tolerance," your mind should immediately ask: "Moderate means what dollar amount? What probability levels?" Instead of "We have a low risk appetite for cyber threats," try "We accept no more than 10% chance of cyber losses exceeding $5M annually, and no more than 1% chance of losses exceeding $25M."

    Here's where it gets really powerful: quantified thresholds enable much richer risk conversations. Instead of blanket statements like "we don't tolerate high risk" or "$50M is too much risk," you can have nuanced conversations: "We feel a 50% chance of losses exceeding $50M is unacceptable, but we're willing to accept a 5% chance of $50M losses if we're pursuing something with really big upside potential."

    This transforms risk discussions from binary yes/no decisions into sophisticated trade-off conversations about opportunity cost, investment priorities, and strategic bets. Your security team isn't just "minimizing risk" - they're optimizing for the right risk/reward profile that enables business growth.

    #RiskManagement #RiskQuantification #DecisionMaking #CRQ #FAIR
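A quantified appetite statement of the kind quoted in the post is a pair of points on a loss exceedance curve, which means it can be checked mechanically against a loss model. The script below is an added illustration, not from the post or the author's book: it encodes the "10% over $5M, 1% over $25M" statement as (threshold, probability) pairs, simulates annual losses with a simple Poisson-frequency, lognormal-severity model, and reports whether each line of the appetite is met. The model and its parameters are assumptions chosen for illustration, not calibrated estimates.

```python
"""Turn a quantified risk appetite into a test you can run against a loss model.

Added example; it is not from the post or the author's book. The annual loss
model (Poisson event count, lognormal severity) and its parameters are
assumptions picked for illustration, not calibrated estimates.
"""
import math
import random

# The appetite statement from the post, as (loss threshold in $, maximum annual probability).
APPETITE = [(5_000_000, 0.10), (25_000_000, 0.01)]


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(trials=20_000, events_per_year=1.5, median_loss=800_000, sigma=1.2, seed=7):
    """Monte Carlo annual loss: each simulated year has a Poisson number of loss events,
    each with a lognormal severity. Returns one total per simulated year (assumed parameters)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, events_per_year)))
            for _ in range(trials)]


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold
    (one point on the loss exceedance curve)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def evaluate_appetite(losses, appetite=APPETITE):
    """For each appetite line, the observed exceedance probability and whether it is within the limit."""
    results = []
    for threshold, limit in appetite:
        observed = exceedance_probability(losses, threshold)
        results.append({"threshold": threshold, "limit": limit,
                        "observed": observed, "within": observed <= limit})
    return results


def within_appetite(losses, appetite=APPETITE):
    """True only if every line of the appetite statement holds."""
    return all(r["within"] for r in evaluate_appetite(losses, appetite))


if __name__ == "__main__":
    losses = simulate_annual_losses()
    for r in evaluate_appetite(losses):
        status = "OK" if r["within"] else "BREACH"
        print(f"P(loss > ${r['threshold']:,}) = {r['observed']:.3f} (limit {r['limit']:.2f}) -> {status}")
    print("overall within appetite:", within_appetite(losses))
```

The trade-off conversation the post describes ("5% chance of $50M is acceptable for a big upside, 50% is not") is just another entry in `APPETITE`, so the same check runs unchanged for a proposed initiative by swapping in that initiative's loss model and its negotiated thresholds.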

  • View profile for Michael Bostarr MBA

    Strategic Consultant, Fractional Business Partner, and Executive Coach for Cannabis Executives | Unlocked $4M+ in annual profit for clients | MBA in Leadership & Entrepreneurship | UniCamp Board President | 👇 Let’s work

    6,794 followers

    Some tips on surviving the cannabis industry (or any industry, tbh):

    - Build your network! When (not if) your role disappears, you'll need options. The industry is small; everyone knows everyone.
    - Along with that - do people solids! Be a connector; if someone wants an intro, make the intro. Don't be afraid to be a resource.
    - Document everything. Your wins, your processes, your impact. Proof of value when looking for new roles or internal restructuring will always help your case.
    - Keep consulting on the side. Even if it's just advising friends or brokering introductions. Multiple income streams are a key component to survival.
    - Learn the regulations yourself. Don't rely on compliance teams. Understanding the rules makes you invaluable. The first thing I did in 2017 was read MAUCRSA multiple times.

    Love the plant. Love the mission. Love the industry as a whole. Lots of great work is happening in this space, but the brand that's hot today may be out of business next week. I've stuck around because despite the chaos, I believe in what we're building. Everyone should be consuming cannabis in some way shape or form, and I believe I have skills to help businesses succeed in their march towards that mission.

    But... Protect yourself. Build your skills. Keep your options open.

    After 7+ years in this industry - these aren't just tips - they're battle-tested survival tactics. Do you agree? What other tips would you add? What do you think?

  • View profile for Jack Freund, Ph.D.

    Executive Leader in Cyber & Tech Risk | Board Director | Advisor on CRQ & GRC Strategy

    5,263 followers

    Imagine this scenario: Alan, the CFO at FinanceCo, Inc., is suddenly dealing with a major data breach. Sensitive customer information is compromised, and the board is in a frenzy. They ask Alan the million-dollar question: ‘What’s our risk appetite for such events?’ 😬

    The room falls silent. Why? Because they never defined one! Alan quickly realizes that managing cyber risk without a clear appetite is like sailing without a compass. 🧭

    He teams up with the cyber risk team to implement Cyber Risk Quantification (CRQ). They dive into the numbers, using CRQ to assess potential losses and translate them into meaningful financial terms. 💰

    After multiple risk assessments, they finally establish a risk appetite threshold that everyone agrees on. With a clear appetite in place, they can now align their cybersecurity budget and optimize their cyber insurance policy. Gone are the days of ‘gut-feeling’ decisions. Now, FinanceCo has a solid framework that not only helps them absorb financial impacts but also keeps their board informed. 🎯

    Alan even goes a step further, setting up a capital allocation plan to handle any residual risk that falls outside of their insurance coverage. 📊

    The lesson here? CRQ isn’t just about crunching numbers; it’s about transforming how we think about cyber risk. By quantifying the risks, companies like FinanceCo can make data-driven decisions, set realistic budgets, and ensure that they are prepared for the unexpected.

    Ready to put your cyber risk strategy on the right track?

    #CyberRisk #RiskQuantification #Governance #RiskAppetite #FinancialResilience

  • View profile for Sanket Sarkar

    Founder @ ZERON | Cyber Risk Quantification | Single Point of Truth for Cybersecurity | Speaker at Blackhat

    10,817 followers

    Cyber risk is now a fundamental business issue rather than merely an IT one. Resilience depends on knowing your organization's appetite for cyber risk and establishing explicit risk tolerance thresholds. Smarter decision-making, cybersecurity alignment with company strategy, and stakeholder confidence are all made possible by quantifying cyber risk. For more effective, proactive protection, adopt a data-driven approach to risk management rather than relying solely on intuition. In addition to being recommended practices, establishing a defined cyber risk appetite and employing cyber risk quantification are necessary to satisfy SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) standards. In order to fit with CSCRF's emphasis on comprehensive risk assessment and resilience, organisations can set precise risk appetite levels, continuously monitor exposure, and prioritise measures by quantifying cyber hazards in monetary terms. In addition to adhering to legal requirements, this strategy fortifies proactive defences and makes sure that the company's resilience plan and cyber risk appetite coincide.

  • View profile for Christopher Donaldson

    CISSP, CRISC, CISA, PCI QSA

    12,009 followers

    I have a hard time with the squishiness of cyber risk management generally, for example the concepts of "risk appetite" and "risk tolerance". So, let's land that plane into practical application (feel free to steal this example):

    Organizational Cyber Risk Appetite Statement (defined by leadership)
    "Our organization is committed to maintaining operational continuity and protecting customer data while embracing innovation. We are willing to accept moderate levels of cyber risk to support strategic growth initiatives, provided those risks do not jeopardize regulatory compliance, critical infrastructure, or stakeholder trust."

    Risk Tolerance Metrics

    🔒 Data Breaches
    Appetite: Zero tolerance for breaches involving personally identifiable information (PII) or customer financial data.
    Tolerance: Up to 3 minor incidents annually involving non-sensitive internal data, provided they are contained within 48 hours and do not escalate to legal or reputational impact.

    📧 Phishing Attacks
    Appetite: Acknowledges phishing as a likely and manageable threat, provided impacts are minimal and well-controlled.
    Tolerance: Up to 2% of employees clicking on phishing links during quarterly phishing tests, provided response times remain under 24 hours.

    ⚙️ System Downtime
    Appetite: Accepts moderate downtime for non-critical systems to enable upgrades or innovation.
    Tolerance: 99.9% uptime for critical systems; non-critical systems may experience up to 8 hours of downtime per quarter, if planned and communicated.

    #CyberRisk #RiskAppetite #Cybersecurity #Leadership
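The tolerance lines in the statement above are concrete enough to be evaluated by code, which is the practical test of whether a tolerance is really "landed". The script below is an added illustration, not the author's: each tolerance becomes a function that takes operational records and returns a yes/no verdict plus the evidence behind it, including the edge cases the wording implies (a single PII incident fails regardless of the count, an unplanned non-critical outage fails regardless of its length). All records are constructed sample data; the quarter length and the headcount used for the click rate are assumptions.

```python
"""Evaluate the risk tolerance metrics above against operational records.

Added example, not the author's; all records are constructed, and the
quarter length and headcount are assumptions. Each tolerance line becomes
a function with a yes/no answer and the evidence behind it, instead of a
sentence open to interpretation.
"""

QUARTER_HOURS = 91 * 24   # assumed quarter length used for uptime arithmetic
HEADCOUNT = 500           # assumed number of staff included in the phishing test
SENSITIVE = {"pii", "financial"}

# Constructed incident log for the year: data class involved, hours to contain,
# and whether the incident escalated to legal or reputational impact.
INCIDENTS = [
    {"id": "I-1", "data": "internal", "contain_hours": 20, "escalated": False},
    {"id": "I-2", "data": "internal", "contain_hours": 30, "escalated": False},
    {"id": "I-3", "data": "internal", "contain_hours": 60, "escalated": False},
]
# Constructed result of this quarter's phishing test.
PHISHING_TEST = {"clicked": 8, "response_hours": 12}
# Constructed downtime events for the quarter.
DOWNTIME = [
    {"system": "payments", "tier": "critical", "hours": 0.5, "planned": False},
    {"system": "wiki", "tier": "non-critical", "hours": 6, "planned": True},
    {"system": "wiki", "tier": "non-critical", "hours": 3, "planned": False},
]


def check_breaches(incidents):
    """Zero tolerance for PII or customer financial data. Otherwise at most 3 incidents a
    year involving non-sensitive internal data, each contained within 48h and not escalated."""
    sensitive = [i["id"] for i in incidents if i["data"] in SENSITIVE]
    if sensitive:
        return {"within": False, "reason": f"incident(s) involving PII/financial data: {sensitive}"}
    failed = [i["id"] for i in incidents if i["contain_hours"] > 48 or i["escalated"]]
    if failed:
        return {"within": False, "reason": f"not contained within 48h or escalated: {failed}"}
    return {"within": len(incidents) <= 3, "reason": f"{len(incidents)} minor incident(s), limit 3"}


def check_phishing(test, headcount=HEADCOUNT):
    """At most 2% of employees clicking, with response time under 24 hours."""
    click_rate = 100.0 * test["clicked"] / headcount
    within = click_rate <= 2.0 and test["response_hours"] < 24
    return {"within": within, "click_rate_pct": click_rate, "response_hours": test["response_hours"]}


def check_downtime(events, quarter_hours=QUARTER_HOURS):
    """99.9% uptime for critical systems; non-critical systems up to 8h per quarter,
    and only if planned (an unplanned outage misses the tolerance whatever its length)."""
    critical_down = sum(e["hours"] for e in events if e["tier"] == "critical")
    uptime = 100.0 * (1 - critical_down / quarter_hours)
    non_critical = [e for e in events if e["tier"] == "non-critical"]
    non_critical_hours = sum(e["hours"] for e in non_critical)
    unplanned = [e["system"] for e in non_critical if not e["planned"]]
    within = uptime >= 99.9 and non_critical_hours <= 8 and not unplanned
    return {"within": within, "critical_uptime_pct": uptime,
            "non_critical_hours": non_critical_hours, "unplanned_non_critical": unplanned}


def tolerance_report(incidents=INCIDENTS, phishing=PHISHING_TEST, downtime=DOWNTIME):
    """One verdict per tolerance area, ready for a quarterly risk committee pack."""
    return {"data_breaches": check_breaches(incidents),
            "phishing": check_phishing(phishing),
            "system_downtime": check_downtime(downtime)}


if __name__ == "__main__":
    for area, result in tolerance_report().items():
        print(f"{area}: {'within' if result['within'] else 'OUTSIDE'} tolerance -> {result}")
```

Writing the checks this way also surfaces the ambiguities in the prose that a committee would otherwise argue about later: whether "up to 8 hours" counts unplanned time, and whether the phishing percentage is of all staff or only those tested. Both are settled here by explicit, labelled assumptions rather than left implicit.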
