• United States




How do we build digitally resilient organizations?

Sep 04, 20185 mins
Backup and RecoveryBusiness ContinuityDisaster Recovery

As we head towards a digitally dependent future, the need for digital resilience has never been greater. Defining digital resilience and describing the need was the first step, but how do we build organizational capability?

trouble ahead 166144370
Credit: Thinkstock

In my previous blog I set out the case for digital resilience being a step up from cybersecurity and described the need to convince organizations of its importance in a business context.

At its core, digital resilience represents a fundamental change in the way we understand digital technology, risk and opportunity.

In my blog I proposed the following definition:

Digital resilience – an organization’s ability to maintain, change or recover technology-dependent operational capability.

Assuming organizations heed the warnings and take on board the need for digital resilience, how do they go about building organizational capacity?

I would suggest the starting point is to hold an internal audit to identify and address digital resilience issues within the organization. As with any cybersecurity-related matter, this should be led from the top-down, with all departments involved. This is a crucial issue and one that needs to be discussed by the leadership team and not just seen as something for the IT department to deal with.

In a recent blog post, U.S. consultancy firm McKinsey says achieving digital resilience requires the involvement of multiple stakeholder groups. “Oversight from the board and senior management is essential to ensure that cybersecurity programs are rigorous and effective,” it adds. This is further supported by the Digital Resilience white paper published by the Shearwater Group, in which the extent of the risk is exemplified in the very public demise of Kodak, once a giant in its day, and a relatively recent example of a failure to embed and foster digital resilience: “Within a decade [Kodak] had gone from a technology leader to bankrupt.” After all, the roots of the failure to build digital resilience capabilities lie not in technology but in organizational culture.

The first question an organisation should ask itself should be ‘do we understand digital resilience?’ It is important to know not only what it means but also how it is different from cybersecurity. Organizations must also understand how dependent they are on digital technology, and be sufficiently aware of the opportunities and risks that carries.

The next question should be ‘how digitally resilient are we?’ Organizations must assess if their level of resilience is appropriate, decide what level of digital weakness they consider acceptable, and assess their capacity to innovate.

Next, “have we assessed our digital resilience exposure?” Organizations must look at how a lack of resilience will harm their business, processes and people, and work through potential consequences and build scenarios for how these may evolve.

The final question should be “do we have an active program to build and embed digital resilience thinking and practice throughout our organization?”

If the answer to the final question is “no,” then remedial work must be carried out immediately.

It is important that any strategies or solutions implemented to build digital resilience within an organization must be done so in the knowledge that the challenges and opportunities arising will change constantly. They must also be done in the knowledge that there is no going back – pre-digital strategies simply will not work in a digital environment.

So, what does a digitally resistant organization look like? In a recent column, Ray Rothrock, a CEO who has written a book on Digital Resilience, says: “Instead of cowering behind a wall and hoping for the best, those who lead digitally resilient businesses ensure that they know the strengths, weaknesses, gaps and vulnerabilities of their networks.”

Rothrock equates the traditional practices of cybersecurity with the way “misers protect their money” – by putting it in a safe and keeping it out of the reach of thieves. However, he makes the point that this approach also puts an organization’s most vital assets beyond any possibility of growth through exchange or investment.

“The resilient approach to cyber security is to defend data dynamically and actively while also making it work for you,” he adds. But I believe digital resilience encompasses a whole lot more.

In the previously-mentioned blog, McKinsey makes the point that organizations face the tough task of protecting their most important information without making it so difficult to access that it slows down their operations.

I firmly believe CEOs and their boards need to build resilience-by-design capabilities, both for themselves and their organization at the appropriate level. This includes:

  • Ensuring the entire organization incorporates resilience thinking with regard to boththreats and opportunities.
  • Understanding that the effects of risk can be both negative and positive, and that taking or ignoring opportunities presents different types and levels of risk.
  • Understanding that discovering, creating and understanding new opportunities and threats requires cross-functional working and a multidisciplinary approach.
  • Ensuring the organizational culture and capabilities to enable decisions to be made and implemented within relevant timeframes and then adapted as required in response to resilience threatsand opportunities.
  • Encouraging and empowering senior individuals to critically discuss existential threats, with appropriate management mechanisms to collect and analyze these in combination.
  • A culture where the potential impacts of digital weakness are communicated early to boards so that mitigation can be incorporated into strategy where they may actually end up creating opportunity – and with opportunity, don’t forget, comes competitiveness.
  • Assessment exercises that test the ability of the organisation and its management to respond, and highlight where decision-taking and capability gaps exist.

I am in no doubt that digital resilience will eventually come to be seen as one of the most important long-term assets of an organization, perhaps even the most important. For that to happen CEOs need to start having serious conversations about digital resilience now to ensure their organizations are fully prepared to face the digital future. It is easy for me to say what needs to be done, words oft come cheap, but implementing a digital resilience strategy is a different matter.

So in a future digital resilience blog, part 3, I will look at mapping out a generic framework that can be used as a starting point for your very own digital resilience audit.


Debbie Garside is founder of GeoLang, a provider of sustainable cyber solutions, and a renowned cyber security and cloud computing expert.

Debbie has been an entrepreneur successfully running IT companies for past 25 years. She is an expert in cyber security and natural language, was appointed the first Prince of Wales Innovation Scholar at the University of Wales and has just finalized her PhD thesis on Human Visual Perception in Cyber Security – her related patent to a new Pseudo-isochromatic second generation CAPTCHA system based on her PhD has been granted. As the Principal UK Expert for Language Encoding, Debbie was until recently editor of two international ISO standards, and a BSI and ISO Chair.

Also a member of the advisory board for HPC Wales, a €40 million high performance computing project, Debbie is a named contributor to a number of internet standards produced by the Internet Engineering Task Force, and has been an advisor to Wikimedia Foundation (overseeing Wikipedia activity) on natural language.

Debbie currently sits on the KTN Defence and Security Advisory Board and is a member of the Cloud Industry Forum. Debbie recently accompanied the UK Prime Minister on a bi-lateral trade mission to India as part of a “Best of British” showcase. Debbie is also the Product Owner for Ascema feeding insights from industry into product development.

The opinions expressed in this blog are those of Debbie Garside and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.