Most organizations think of cybersecurity as a technology responsibility, and it is—at least to an extent. Cybersecurity addresses the risks of information in digital form, and many of the ways companies can protect their information assets are indeed technological, in the form of either security controls or improvements to the broader IT environment.

However, achieving digital resilience requires far more than technology change. As noted in Chapter 3, changes in business processes can have an enormous impact in protecting important information assets. Two levers in particular point the way in driving change far outside the IT organization: integrate cybersecurity into enterprise-wide risk management and governance processes, and enlist frontline personnel to protect the information assets they use.

The first lever requires getting managers in almost every business function to take protecting information assets into account as they make an endless set of decisions that affect their company’s exposure to cyber-attackers.

Most, if not all, of these decisions involve trade-offs between accepting some form of business risk and furthering a business objective. Companies cannot force executives to take cybersecurity into consideration with rules and mandates; they have to help them both understand the risk implications of the actions they take and also accept their responsibilities as stewards of the company’s information assets—just as they ...