Prevention is not enough

Loss is inevitable. You just can't prevent everything bad from happening.

The question is, when loss happens, will you be prepared to face it?

We put so much emphasis on prevention that we forget about resilience.

Being prepared means being ready to respond in the face of danger.

Fire drills exemplify this. You rehearse a behavior in a moment of calm so that you know what you have to do when things go wrong. Because when things go wrong, you don't think straight. So you need to practice ahead of time to be ready.

Use tabletop exercises to walk through potential loss scenarios. It's a bit like playing Dungeons & Dragons, but more systematic.

Start with exploring a few likely scenarios, like misconfigurations leading to production downtime. Then cover a few high impact scenarios, like that one risk that is unlikely but could bring your whole company down.

You can keep these workshops short and get good value out of them. Schedule a few sessions throughout the year and invite people from every corner of the business.

You might not prevent every cyber risk, but you will be ready to deal with the unexpected.