Disaster Recovery Journal Summer 2026



Summer 2026 u Volume 39, Number 2

COVER: Ending the Cycle of Failure

INSIDE ...
The Nth Party Problem
We Gave Cyber Risk to the CISO and Walked Away
Assessing Business Continuity Resilience Posture
2026 Consultant Directory


Disaster Recovery Journal
1862 Old Lemay Ferry, Arnold, MO 63010
636-282-5800
Internet: www.drj.com
Email: drj@drj.com

EXECUTIVE PUBLISHER: Bob Arnold, bob@drj.com
EDITOR IN CHIEF: Jon Seals, jon@drj.com


TABLE OF CONTENTS

8 Ending the Cycle of Failure (cover) By NEIL SAHOTA
10 Why AI Resilience is a Governance Imperative up to Board Level By GHONCHE ALAVI
14 The Nth Party Problem By LUKE BLAKE
16 We Gave Cyber Risk to the CISO and Walked Away By CHRIS ADAMS
18 Assessing Business Continuity Resilience Posture By SCOTT BALENTINE
21 The Forgotten Small Things By THOMAS MAGEE
23 The Auditor Hiding in Plain Sight By LAWRENCE ROBERT
25 AI Is Stress-Testing Your IT Stack. Are You Ready? By DON BOXLEY Jr.
27 Navigating SSD Shortages By JEROME WENDT
30 Career Spotlight: Leah Fitzgerald By PAUL STRIEDL
37 2026 Consultant Directory

PRESIDENT: Bob Arnold, bob@drj.com
DIRECTOR OF EVENTS: Lesley Vinyard, lesley@drj.com
REGISTRATION MANAGER: Rose Chotrow, rose@drj.com
MARKETING & DESIGN LEAD: Nathan Anton, nate@drj.com
EVENT MARKETING: Sonal Patel, sonal@drj.com

EXECUTIVE COUNCIL: Robbie Atabaigi, Dan Bailey, Jeff Dato, John Jackson, Mike Janko, Margaret J. Millett, Ann Pickren, Steve Piggott, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD: Erick Anez, Scott Balentine, Rich Cocchiara, Adam Ennamli, Sherri Flynn, Corey Hahn, Jason Hoss, Colleen Huber, Lisa Jones, Joe Layman, Melanie Lucht, Melissa Muñiz, Kristen Pope, Bogdana Sardak, Nicole Scott, Paul Striedl, Joy Weddington

SOUTH AMERICA: DRJ en Espanol, Ruth Rocha, Directora Comercial, +51-1-436-6456 fijo Perú, 786-600-1864 USA, ruth.rocha@drjenespanol.com, www.drjenespanol.com

ASIA: Business Continuity Planning Asia Pte Ltd (BCP Asia), Henry Ee, 1 Commonwealth Lane #08-27, One Commonwealth, Singapore 149544. Phone: 65-6325-2080. Fax: 65-6223-5363. General: enquiry@bcpasia.com. Events: conference@bcpasia.com. Direct: henry@bcpasia.com. www.bcpasia.com

UNITED ARAB EMIRATES: Continuity and Resilience, a division of CORE MANAGEMENT CONSULTING, Dhiraj Lal, executive director, P. O. Box 127557, Abu Dhabi, UAE, +971-2-8152831 | 7-971-2-8152888, dhiraj@continuityandresilience.com, www.continuityandresilience.com

DISASTER RECOVERY JOURNAL is copyrighted 1987-2026, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.

DISASTER RECOVERY JOURNAL | SUMMER 2026 5

FROM THE PRESIDENT’S DESK

AI in Resilience Leadership

BOB ARNOLD, MBCI Hon., PRESIDENT, bob@drj.com

Artificial intelligence has officially moved beyond a future trend in resilience. It is now shaping nearly every conversation happening across business continuity, disaster recovery, operational resilience, cyber resilience, crisis management, and risk leadership. At DRJ Fall 2026, we received more than 100 session submissions focused directly on AI, plus another hundred that referenced it through automation, analytics, cyber defense, operational intelligence, or crisis response. That level of focus is unprecedented. No other technology shift in recent memory has accelerated this quickly or touched so many areas of resilience at once.

The reality is simple. AI is becoming a force multiplier. Organizations are already using it to analyze operational data faster, improve situational awareness during incidents, identify vulnerabilities across vendor ecosystems, automate repetitive tasks, optimize recovery planning, and strengthen exercises and after-action reviews. Used correctly, AI can help resilience professionals spend less time chasing data and more time making informed decisions. At the same time, it is impossible to ignore how disruptive and difficult this technology is becoming to govern.

One of the most common statements circulating today is that “AI will not take your job, but someone using AI might.” There is truth behind that. The professionals and organizations learning how to responsibly apply AI will move faster, identify risks sooner, and likely outperform those still waiting on the sidelines.

But there is another side to this equation. AI is evolving so quickly that governance, regulation, and organizational guardrails are struggling to keep pace. Many organizations are deploying AI faster than they fully understand the risks associated with the data feeding it, the accuracy of its outputs, or the implications of relying too heavily on automated decision-making. That tension between opportunity and risk is exactly why this issue of Disaster Recovery Journal spends so much time exploring AI from practical operational resilience perspectives.

One of our featured articles, written by Neil Sahota, examines how AI may finally help organizations stop repeating the same failures after disasters by turning response and recovery data into institutional intelligence.

Another strong article by Ghonche Alavi explores why AI resilience is rapidly becoming a board-level governance issue, particularly as organizations face growing risks from misinformation, deepfakes, and AI-enabled manipulation. Those themes continue throughout this edition with other articles focused on the reliability of AI outputs, and using AI to audit resilience programs. We also explore organizational blind spots, common planning mistakes, third-party risk, evolving CISO responsibilities, modern disaster recovery strategies, and career leadership within the profession.

AI may be dominating headlines, but it is not replacing the fundamentals. Organizations still face mounting pressures from ransomware, cyberattacks, third-party dependencies, geopolitical instability, supply chain disruptions, severe weather events, and increasing regulatory scrutiny. Operational resilience still depends on leadership, communication, governance, preparation, and people who can make informed decisions under pressure.

That balance is also reflected in the DRJ Fall 2026 agenda. AI will be covered extensively throughout the conference, but so will cyber resilience, operational resilience maturity, crisis leadership, third-party risk, cloud recovery, executive communication, supply chain resilience, governance, business continuity planning, and disaster recovery modernization. The conversations are becoming more interconnected every year because resilience itself is becoming more interconnected.

As we continue “Moving Resilience Forward,” the theme of DRJ Fall 2026, the challenge ahead is not deciding whether AI matters. That decision has already been made for us. The real challenge is learning how to use it responsibly, govern it effectively, and combine it with the operational discipline and leadership that have always been at the core of strong resilience programs.


Ending the Cycle of Failure
By NEIL SAHOTA

Every major disaster produces two predictable outcomes. First, we mobilize enormous resources, money, people, and logistics under extreme pressure. Second, once the immediate crisis fades, we fail to learn systematically from what just happened. That second failure is far more costly than we admit.

Over years of advising governments, infrastructure operators, and international organizations on technology adoption, I’ve seen the same pattern repeated across earthquakes, floods, wildfires, and humanitarian crises. We are not short on data. We are short on intelligence that carries forward from one disaster to the next. While AI doesn’t eliminate natural disasters, it may be the only scalable way to improve response and recovery (and, perhaps, prevent institutional amnesia).

For executives, policymakers, and board members, disaster preparedness and recovery are often framed as moral obligations or regulatory necessities. In reality, they are operational risks with direct economic consequences. Disasters disrupt supply chains, destabilize labor markets, inflate insurance losses, and strain public trust. The faster recovery happens (and the smarter it becomes), the less secondary damage compounds across the economy.

Globally, disaster-related losses now exceed $300 billion annually, with only a fraction insured, according to the World Bank and UN agencies. Climate events are increasing both in frequency and complexity, stretching response systems designed for a different era. However, most disaster responses remain reactive, fragmented, and manually coordinated. Response failure is not usually caused by lack of effort or funding. Rather, it is rooted in poor coordination under uncertainty. We have multiple agencies that operate with partial visibility, outdated information, and conflicting priorities. Consequently, decisions are made sequentially when they should be parallel.

This is precisely where AI excels. In disaster scenarios, our AI models (trained on historical response data) can predict where resources will bottleneck before shortages become visible on the ground. Logistics optimization algorithms can dynamically reallocate supplies as conditions change. Satellite imagery combined with computer vision can assess damage across regions in hours instead of weeks, allowing responders to prioritize where human intervention matters most. Please note, these capabilities already exist. What’s missing is institutional integration.

Consider damage assessment. Traditionally, governments rely on manual inspections and self-reporting to determine aid eligibility. This process is slow, inconsistent, and vulnerable to fraud. AI multimodal assessment (combining imagery, sensor data, and historical baselines) provides faster, more objective estimates of impact. This reduces disputes, accelerates funding release, and allows recovery teams to focus on rebuilding rather than verification. Remember, speed matters because delay multiplies harm and damage.

Fraud is another area quietly draining recovery budgets. After major disasters, opportunistic fraud increases sharply, often because systems are overwhelmed. AI anomaly detection can flag suspicious claims and aid requests without treating every applicant as suspect. This preserves both integrity and dignity, an ethical balance that manual systems struggle to achieve under pressure.

Next, we have the learning gap. Postmortem reports are written, filed, and forgotten. Data from each disaster lives in separate systems, rarely used to improve the next response. As a result, we’re not tapping into a key capability: AI can turn disasters into training data. Response patterns, decision timing, and outcome correlations can be analyzed to continuously improve preparedness. This helps us reduce repeated failure modes.

Why isn’t this transformation already underway? Because disaster response sits at the intersection of too many authorities. Responsibility is diffuse. Incentives are misaligned. Success is hard to attribute, while failure is highly visible. AI introduces accountability into systems that have long relied on heroic effort rather than institutional learning. This accountability makes leaders nervous.

In addition, there is a misconception that disaster AI is only relevant to governments. It isn’t. Corporations depend on stable infrastructure, functioning logistics, and predictable recovery timelines. Insurers, manufacturers, retailers, and utilities all bear downstream costs when recovery falters. Organizations that engage proactively (through data-sharing partnerships, scenario modeling, and joint preparedness) reduce exposure others accept as inevitable.

This is where leadership matters. The most effective disaster response leaders I’ve worked with don’t ask how AI replaces human judgment. Instead, they ask how it preserves human judgment for the moments that matter most. They understand intelligence is not about control but rather about clarity under pressure.

The next decade will bring more disasters. Will institutions keep relearning the same lessons at enormous cost or finally build systems that remember? AI offers a rare opportunity to convert crisis into capability, but only if leaders are willing to treat preparedness and recovery as strategic systems rather than episodic events. In an increasingly fragile world, this competence may be the most valuable advantage we have.

Neil Sahota is an IBM Master Inventor, a United Nations artificial intelligence advisor, an AI strategist, and the author of two books, “Own the A.I. Revolution” and “AI Activation Code.” With more than 20 years of business experience, he works with organizations to create next-generation products/solutions powered by emerging technology. His work experience spans multiple industries, including legal services, healthcare, life sciences, retail, travel and transportation, energy and utilities, automotive, telecommunications, and sports.

Why AI Resilience is a Governance Imperative up to Board Level
By GHONCHE ALAVI

AI is reshaping the threat landscape faster than organizations are adapting. Attackers ranging from organized crime groups to state-backed actors are now able to compromise identity, distort reality, and undermine the decision-making structures upon which business continuity depends. Recent industry data indicates 62% of organizations experienced at least one deepfake-enabled social engineering attempt in the past year, illustrating how quickly this threat has become mainstream.

This acceleration compresses crisis timelines and erodes the familiar cues leaders rely on, particularly during high-pressure situations. For business continuity and risk professionals, the reality is that AI-driven threats can no longer be contained within the category of “IT risk.” They now present a broader governance concern capable of disrupting operations, distorting markets, increasing regulatory exposure, and damaging trust and reputation. Despite this shift, cybersecurity and AI governance often remain isolated within technology functions. Many organizations still treat AI resilience as a technical matter or “problem for IT” rather than a foundation of enterprise stability.

Phishing and social engineering attempts have affected nearly every organization, yet fewer than half maintain a tested incident response plan. Even where such plans exist, many have not been updated to reflect the speed, precision, and psychological manipulation AI now enables. As a result, a widening gap has emerged between the velocity of threats and the readiness of organizations to confront them.

AI and the Manipulation of Reality

AI-generated misinformation requires governance frameworks rather than purely technical solutions. Forward-leaning organizations are beginning to expand the scope of their board’s risk or audit committee to include oversight of information integrity and executive impersonation threats. These committees help define decision rights, verification authority, and reporting expectations so misinformation incidents are treated with consistency and as enterprise-level risks.

To operationalize this, some organizations are creating information risk command structures that activate during crises. A designated lead is responsible for authenticating executive communications and challenging fabricated narratives. This governance approach is often reinforced through enterprise-wide verification rules, clearly defined single sources of truth, mandatory out-of-band confirmation for high-risk instructions, and cultural norms that give employees permission to slow down and verify unusual directives. Continuous monitoring of narrative threats, supported by regular upward reporting, helps ensure synthetic-media risks remain visible at the board level.

Since executive identity itself has become an attack surface, strong governance increasingly includes digital footprint controls, identity authentication measures, and monitoring for synthetic misuse of leadership likenesses. Boards are also strengthening oversight of AI tools used internally by requiring model audits and insisting on human review to prevent overreliance on automated judgments. Governance further extends to third parties through contractual requirements to address breach and impersonation reporting, as well as assessments of vendor readiness.

Where AI Resilience Fails: Not in Technology, but in Governance

Most organizations already possess adequate cybersecurity technology. The persistent weaknesses tend to involve authority structures, escalation routes, and verification procedures. Under pressure, employees frequently act on instinct, responding to familiar voices or urgent requests. AI impersonation amplifies these vulnerabilities by exploiting human trust and established communication habits.

Our experience in corporate and private wealth settings repeatedly reveals the same governance gaps. Unencrypted channels, outdated off-boarding processes, and inconsistent verification practices remain common exposures. Even sophisticated organizations struggle to enforce cyber hygiene across dispersed teams, subsidiaries, and third parties. Meanwhile, cultural factors such as traditions of discretion, decentralized communication, or reliance on long-tenured staff can further undermine resilience. These breakdowns are seldom technical in nature, but almost always reflect insufficient mandates governing verification authority, escalation rights, and policy enforcement.

At the management level, some firms are addressing this by establishing information risk steering groups that include cybersecurity, legal, communications, HR, and business continuity leaders. These groups preapprove verification protocols and rehearse rapid authentication procedures. Others are appointing a single executive responsible for information verification during crises, with the authority to validate or halt critical directives. Many organizations are now embedding out-of-band verification requirements, documented chains of authority, and regular misinformation drills within their broader risk management programs.

From Awareness to Enforceable Governance

Training remains important, but it cannot counter AI-enabled deception on its own. Organizations need governance architectures that clearly define, enforce, and routinely test decision making, escalation pathways, incident response, and verification processes. Cultural reinforcement is also essential, ensuring employees feel permitted to question unexpected instructions and escalate concerns even when circumstances seem urgent. Detection tools can support these processes, but they cannot replace them. Organizations that run regular cross-functional exercises consistently demonstrate quicker containment and recovery when incidents occur.

Why Boards Must Own AI Governance

Regulatory and insurance requirements are constantly evolving. Cyber-related insurance premiums are rising, and insurers increasingly require evidence of AI-specific safeguards, tested incident response plans, and well-documented verification controls. Regulators now expect organizations to demonstrate not only technical preparedness but also governance practices capable of sustaining legal scrutiny. In this environment, AI resilience has become inseparable from enterprise risk, operational continuity, and reputational durability.

Boards must therefore treat AI governance as a core responsibility. Integrating AI risk into the agendas of risk or audit committees, strengthening verification requirements for sensitive actions, and overseeing the governance of AI tools within the enterprise are becoming essential elements of responsible oversight. Boards must also ensure organizational structures support resilience through clear authority, empowered crisis decision making, and regular tests of these systems under realistic conditions.

The Imperative for Business Continuity and Risk Leaders

For business continuity and risk professionals, the path forward lies in reframing AI-driven threats as systemic risks which can disrupt essential business functions rather than as narrow technical issues. Boards engage most effectively when threats are expressed in terms of operational continuity, fiduciary exposure, regulatory liability, reputation, and enterprise valuation. Every one of these areas is now affected by AI-enabled manipulation across communications, treasury operations, payroll, supply chain processes, and other core functions.

This is fundamentally a governance challenge that requires governance solutions. Organizations whose boards and leadership teams adopt proactive oversight will be far better positioned to preserve stability as threats evolve. Those that fail to modernize their structures may find themselves facing crises in which neither information, nor identity, nor internal directives can be trusted.

For business continuity and risk leaders, this moment represents a critical opportunity. Their roles already span operational integrity, crisis decision making, and enterprise risk, which are precisely the domains targeted by AI-driven threats. They are uniquely positioned to guide their organizations by designing, testing, and embedding AI resilience practices that support both present needs and future challenges.

Ghonche Alavi, CDFE, is a trusted information and network security advisor and ethical hacker who founded and leads Crisis24’s cyber practice. With deep expertise serving high net worth individuals and family offices, she provides comprehensive cyber security solutions spanning OSINT and digital investigations, cyber incident management, and cyber resilience consultancy.
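The verification rules the article describes (a single source of truth for contacts, mandatory out-of-band confirmation for high-risk instructions, and a confirmation that must not travel back down the channel the request arrived on) can be written down as a policy check that treasury or payroll staff run before acting. The block below is an added example, not code from the article or from Crisis24; the action list, the 25,000 threshold, the 30-minute window, the channel names and the contact directory are all assumptions, and the scenario data is constructed.

```python
"""Out-of-band verification gate for high-risk directives (added example).

Assumed policy, not the article's: certain actions are always high-risk,
any payment at or above WIRE_THRESHOLD is high-risk, and a high-risk
directive is only actionable after a confirmation that (a) came back on a
different channel than the request, (b) used a contact from the
pre-registered directory rather than one supplied in the request, and
(c) arrived within CONFIRM_WINDOW of the request.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HIGH_RISK_ACTIONS = {"payroll_change", "vendor_bank_change", "credential_reset"}
WIRE_THRESHOLD = 25_000                  # assumed threshold, in the ledger currency
CONFIRM_WINDOW = timedelta(minutes=30)   # assumed window

# Assumed single source of truth: the only contacts ever used to confirm.
# Anything quoted inside the request itself ("call me back on ...") is ignored.
DIRECTORY = {
    "cfo": {"outbound_callback": "+1-555-0100", "auth_app": "cfo-device-7"},
}


@dataclass(frozen=True)
class Directive:
    requester: str        # claimed identity of the person giving the instruction
    channel: str          # channel the instruction arrived on
    action: str
    received_at: datetime
    amount: float = 0.0


@dataclass(frozen=True)
class Confirmation:
    requester: str
    channel: str          # channel the confirmation came back on
    contact: str          # the contact actually used to reach the requester
    confirmed_at: datetime


def is_high_risk(d: Directive) -> bool:
    return d.action in HIGH_RISK_ACTIONS or d.amount >= WIRE_THRESHOLD


def evaluate(d: Directive, c: Optional[Confirmation] = None) -> tuple[str, str]:
    """Return (decision, reason); decision is 'approve', 'hold' or 'reject'."""
    if not is_high_risk(d):
        return "approve", "routine; no out-of-band confirmation required"
    if c is None:
        return "hold", "high-risk directive; confirm out of band before acting"
    if c.requester != d.requester:
        return "reject", "confirmation is for a different requester"
    if c.channel == d.channel:
        # A caller who "verifies" themselves on the same call proves nothing.
        return "reject", "confirmation came back on the channel the request arrived on"
    if c.contact not in DIRECTORY.get(d.requester, {}).values():
        return "reject", "confirmation did not use a contact from the directory"
    if not (d.received_at <= c.confirmed_at <= d.received_at + CONFIRM_WINDOW):
        return "reject", "confirmation outside the allowed window"
    return "approve", f"confirmed via registered {c.channel}"


def run_scenario() -> list[str]:
    """Constructed scenario: an urgent call in what sounds like the CFO's voice."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    call = Directive("cfo", "inbound_call", "payment", t0, amount=180_000)
    decisions = [evaluate(call)[0]]                                   # hold
    # The caller offers a number to verify on; staff call it back.
    bogus = Confirmation("cfo", "outbound_callback", "+1-555-0199", t0 + timedelta(minutes=5))
    decisions.append(evaluate(call, bogus)[0])                        # reject: not in directory
    # Caller ID shows the registered number, but it is still the same call.
    same = Confirmation("cfo", "inbound_call", "+1-555-0100", t0 + timedelta(minutes=1))
    decisions.append(evaluate(call, same)[0])                         # reject: same channel
    # Genuine app confirmation, but hours later.
    late = Confirmation("cfo", "auth_app", "cfo-device-7", t0 + timedelta(hours=2))
    decisions.append(evaluate(call, late)[0])                         # reject: outside window
    # Genuine app confirmation inside the window.
    good = Confirmation("cfo", "auth_app", "cfo-device-7", t0 + timedelta(minutes=12))
    decisions.append(evaluate(call, good)[0])                         # approve
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(run_scenario(), 1):
        print(step, decision)
```

The point of the same-channel rule is that a deepfaked voice, a spoofed caller ID and a "call me back on this number" offer all arrive inside the request; only a contact the organization registered in advance, reached on a separate path, counts. The threshold and window are policy choices and should come from the steering group the article describes, not from code.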



The Nth Party Problem
By LUKE BLAKE

The fragility of a system is not about its visible parts. It is about the recursive dependencies you cannot see. This analysis applies the principles of Nassim Nicholas Taleb’s “Incerto” — specifically the concepts of antifragility and the black swan — to the current structural volatility of 2026. Most practitioners confuse a lack of past failure with current safety. They believe because they can name their primary suppliers, they have measured their risk. This is an epistemological error. The real threat resides in the hidden layers of the nth party, those entities which are unknown and unmonitored yet essential to your survival.

Current events in the Strait of Hormuz illustrate this. Since February 2026, the effective halt of shipping traffic in the strait has shown we are in a state of structural volatility, not manageable friction. When a maritime chokepoint is throttled, the failure is non-linear. A disruption in Hormuz does not just raise the price of oil. It threatens every nth-party industrial process that relies on petroleum-based polymers or energy-intensive manufacturing. This is the physical reality of the nth-party problem.

A collection of independent parts is safe because a failure in one is localized. A complex system is different. Its dependencies are non-linear. Risk in these systems follows power laws, not Gaussian curves. When you outsource to a second party, you inherit the risks of every entity on which they rely. These connections are usually invisible. The March 2026 compromise of the Axios npm package is a primary example. A single malicious dependency in a piece of code used by millions allowed a state-sponsored actor to deploy malware across thousands of organizations simultaneously. The victims had no direct relationship with the attacker. They were compromised through the recursive trust of their digital supply chain. This creates what Taleb calls an “epistemic wall” that better data cannot fix.

Modern management defines efficiency as the removal of redundancy. This is a primary driver of fragility. In biology, redundancy is not waste. It is insurance. Humans have two kidneys because the environment is unpredictable. Global supply chains and digital networks, however, are designed to be thin. They are optimized for a narrow set of stable conditions. When those conditions shift, as they have with the recent surge in U.S. tariff volatility, the lack of slack causes total collapse. The 2026 Thomson Reuters Global Trade Report found supply chain reliability concerns have doubled in a single year. Mapping nth-party dependencies is the only way to find where the necessary slack has been removed without your consent.

We currently have extreme concentration disguised as diversity. You may think you have diversified by using three vendors. But if those three vendors all rely on the same energy grid, the same cloud provider, or the same shipping lane, your diversification is a lie. The 2026 landscape of cloud infrastructure has only deepened this. While organizations believe they are becoming more resilient, the vast majority of digital infrastructure is now tied to a few hyperscalers. The system has a single point of failure which remains hidden until it breaks. This is a black swan event. It is only a surprise because your map was incomplete.

To manage risk, stop obsessing over the most likely scenario. Probability is for people who do not understand the consequences of ruin. Survival depends on understanding the worst case and ensuring it is not terminal. If you were hit by a total encryption event today, the primary threat would not be the ransom demand. It would be the realization your recovery process relies on a third-party key manager or a specialized configuration which is also inaccessible. If you have a dependency you cannot name, you are flying blind. You are betting your existence on a system you do not comprehend. That is not risk taking. It is gambling with tail risk.

Risk management has been ruined by bureaucrats. They believe a compliance spreadsheet is a substitute for reality. They check boxes and assume the danger is gone. A naval blockade in the Strait of Hormuz does not care about your compliance form. If a factory in a remote province shuts down because it cannot receive raw materials, your business is finished. This is why Taleb emphasizes “skin in the game,” meaning the person managing the risk must be the one who suffers if it fails.

True resilience requires a move toward antifragility, which Taleb defines as the ability to gain from disorder rather than merely survive it. This requires a forensic mapping of every link in the chain. You must know who your suppliers’ suppliers are. If the answer is “I don’t know,” you have found a source of potential ruin. People ignore these dependencies for short-term profit. It is cheaper to ignore the fifth layer of the network, but the cost of one collapse far outweighs years of efficiency savings.

Humans have evolved to react to local, visible threats. We have not evolved for globalized networks where a kinetic conflict in a strait thousands of miles away causes a systemic failure in a local manufacturing plant. This mismatch creates a false sense of security. We assume because the system worked yesterday, it will work tomorrow. This is the Turkey Problem. The turkey is fed for a thousand days and concludes the farmer is its friend. On the thousand and first day, it receives a surprise.

The only way to avoid this is to treat an unknown nth-party dependency as a defect. If a system cannot be fully mapped, it is dangerous. We should prefer simple, legible systems over those that are efficient but opaque. A legible system is one that can actually be defended. We are building a civilization on hidden risks, assuming the top layer compensates for the weakness of the bottom. The inverse is true. The strength of the whole is determined by the most fragile link in the nth layer. Survival requires looking past the visible and into the shadows of the network. Only there can you identify the points of fragility and begin the work of becoming robust.

Luke Blake, CPP, is a founding director of Oakwood Risk and Resilience, and a former police officer in the UK, with more than 20 years of experience in risk and resilience. He is an experienced consultant and trainer specializing in operational resilience, crisis management, and security risk management. Drawing on a background that spans both corporate and high-risk environments, Blake has worked extensively across the public and private sectors, helping organizations navigate complex challenges with practical insight and strategic clarity. He leads the design and delivery of training and consultancy programs covering business continuity, crisis response, security risk management, and investigations. Blake has supported a wide range of organizations, from global corporates to critical national infrastructure, enabling teams to prepare for, respond to, and recover from major incidents. He holds multiple professional qualifications in security, risk, and resilience, including an MBA with a focus on risk and resilience.
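The three claims above that lend themselves to mechanical checking are the "three vendors, one cloud provider" concentration, the "dependency you cannot name" defect, and the recovery path that quietly depends on the same thing that just failed (the key-manager case). Once a dependency map exists as a graph, all three are short traversals. The block below is an added example, not code from the article or from Oakwood Risk and Resilience; the vendor graph, the entity names and the "unknown" marker are constructed for illustration, and a real map would be fed from vendor questionnaires, SBOMs or contract data rather than a literal.

```python
"""Nth-party dependency mapping over a constructed vendor graph (added example).

Each key lists the entities it depends on. UNKNOWN marks a dependency the
vendor could not or would not name; the article treats that answer as a
defect, so it is reported rather than silently skipped.
"""
from __future__ import annotations

from collections import deque

UNKNOWN = None

# Constructed example map; names are invented.
DEPENDENCIES = {
    "us":         ["vendor_a", "vendor_b", "vendor_c"],
    "vendor_a":   ["cloud_x", "payments_p"],
    "vendor_b":   ["cloud_x", "hosting_h"],
    "vendor_c":   ["hosting_h", UNKNOWN],      # vendor_c could not name one supplier
    "hosting_h":  ["cloud_x"],
    "payments_p": ["key_mgr_k", "fraud_api_f"],  # fraud_api_f is not in the map at all
    "key_mgr_k":  ["cloud_x"],                  # the recovery key manager sits on cloud_x
    "cloud_x":    ["grid_g"],
    "grid_g":     [],
}


def reachable(graph: dict, start: str) -> dict[str, int]:
    """Every entity `start` transitively depends on, mapped to its layer.

    Layer 1 is a direct (third-party) supplier; layer n is an nth party.
    Breadth-first search, so each layer is the shortest path from `start`.
    """
    layers: dict[str, int] = {}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for dep in graph.get(node, []):
            if dep is UNKNOWN or dep in layers:
                continue
            layers[dep] = depth + 1
            queue.append((dep, depth + 1))
    return layers


def concentration(graph: dict, root: str) -> dict[str, set[str]]:
    """Hidden entities that two or more of root's direct vendors rely on.

    This is the "three vendors, one cloud provider" check: the apparent
    diversification at layer 1 collapses onto shared nodes deeper down.
    """
    shared: dict[str, set[str]] = {}
    for vendor in graph.get(root, []):
        if vendor is UNKNOWN:
            continue
        for dep in reachable(graph, vendor):
            shared.setdefault(dep, set()).add(vendor)
    return {dep: vendors for dep, vendors in shared.items() if len(vendors) >= 2}


def unmapped(graph: dict, root: str) -> list[tuple[str, int, str]]:
    """Entities in root's chain that declare an unnamed dependency, or that
    appear as a dependency but have no entry of their own in the map."""
    gaps = []
    for node, depth in reachable(graph, root).items():
        if node not in graph:
            gaps.append((node, depth, "not in map"))
        elif UNKNOWN in graph[node]:
            gaps.append((node, depth, "unnamed dependency"))
    return gaps


def blast_radius(graph: dict, failed: str) -> set[str]:
    """Everything that transitively depends on `failed` (reverse BFS).

    Run this against the entities your recovery plan itself relies on; if the
    plan's key manager is inside the blast radius of the outage it is meant
    to recover from, the plan is not a plan.
    """
    reverse: dict[str, set[str]] = {}
    for node, deps in graph.items():
        for dep in deps:
            if dep is not UNKNOWN:
                reverse.setdefault(dep, set()).add(node)
    hit: set[str] = set()
    queue = deque([failed])
    while queue:
        current = queue.popleft()
        for parent in reverse.get(current, ()):
            if parent not in hit:
                hit.add(parent)
                queue.append(parent)
    return hit


if __name__ == "__main__":
    print("shared hidden dependencies:", concentration(DEPENDENCIES, "us"))
    print("gaps in the map:", unmapped(DEPENDENCIES, "us"))
    print("if cloud_x fails:", sorted(blast_radius(DEPENDENCIES, "cloud_x")))
```

On the constructed map, all three first-party vendors resolve to cloud_x and grid_g, so the "diversification" is one provider deep; vendor_c's unnamed supplier and payments_p's unmapped fraud_api_f are the "I don't know" answers the article calls sources of ruin; and key_mgr_k lands inside cloud_x's blast radius, which is exactly the recovery-time surprise the article warns about.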

We Gave Cyber Risk to the CISO and Walked Away
By CHRIS ADAMS

Institutions tend to believe persistent problems will, over time, settle into place. A risk emerges. It creates friction. Eventually responsibility is assigned, processes form around it, and the problem becomes manageable, if not resolved. Cyber risk has never quite followed that pattern.

Instead of being absorbed into general management, it was professionalized. Organizations hired specialists, built security teams, invested heavily in tools, and elevated a role meant to sit at the center of digital uncertainty. Over time, the presence of this role came to function as reassurance. Someone was responsible. Someone was paying attention.

What remained less clear was whether responsibility had been meaningfully integrated into how the business itself was run, or whether it had simply been set aside.

The modern chief information security officer (CISO) occupies that ambiguity. The CISO is expected to anticipate threats, prevent incidents, coordinate responses, explain technical realities to senior leadership, and help navigate disruption when it occurs. At the same time, the role rarely carries authority over the decisions that most shape exposure. How systems are designed. How tightly operations are coupled. How much disruption is considered acceptable in pursuit of efficiency or growth.

That tension rarely draws attention to itself. It tends to surface only under pressure.

How Cyber Drifted Away from Governance

Cyber risk entered organizations as a technical concern because, for a time, it largely behaved like one. Early incidents were bounded. Systems went offline, were restored, and operations resumed. Responsibility rested, understandably, with those who ran the technology.

As digital systems became inseparable from business operations, the nature of the risk changed. Software came to govern logistics, payments, compliance, identity, and coordination. In many organizations, there is no longer a meaningful distinction between technology and operations. When one falters, the other does too.

What did not change as quickly was the way responsibility was distributed. Rather than becoming part of the same executive conversation as financial exposure or operational continuity, cyber risk remained associated with technical expertise. Security functions grew more formal. Reporting became more regular. The CISO role gained visibility, and in some cases proximity to boards.

This professionalization brought real gains. It reduced disorder. It created common language. It allowed complex issues to be discussed with greater clarity. It also helped preserve the sense cyber risk could largely be managed within a specialist domain. Decision authority remained elsewhere. Ownership, in practice, became diffuse.

Responsibility Without Control

CISOs are often expected to account for outcomes shaped by decisions they did not make. Those decisions are rarely framed as security choices at the time. Platform consolidation, rapid cloud migration, acquisitions integrated under compressed timelines, outsourcing arrangements which reduce internal visibility. Each choice can be justified on commercial grounds. Rarely are they considered together, as a system.

Cyber risk accumulates in that space. It develops quietly, shaped by incentives that reward speed, scale, and cost reduction more reliably than resilience.

When incidents occur, attention shifts quickly to controls and response. Those questions matter. Alongside them sits another reality. The organization is encountering the version of itself it has been constructing over time, one optimized for uninterrupted digital function, with limited tolerance for uncertainty. In those moments, the CISO is often asked to explain not only what failed, but why the business feels as exposed as it does.

What Incidents Reveal

Public accounts of cyber incidents tend to dwell on mechanics. How attackers gained access. Which malware was used. What vulnerability was exploited. The detail can be clarifying, but it rarely accounts for impact.

When Maersk was affected by the NotPetya outbreak in 2017, the defining problem was not data loss so much as interruption. Shipping operations slowed because the digital coordination that sustained them disappeared. Ports, schedules, and documentation processes which normally functioned in the background became constraints. Recovery required restoring systems but also reconstituting how the organization operated without them.

The Colonial Pipeline incident in 2021 followed a different path but exposed a similar dependence. A ransomware intrusion into corporate IT systems led to a precautionary shutdown of fuel distribution. Even without confirmed compromise of operational technology, uncertainty itself proved sufficient to halt activity. The effects extended quickly beyond the company, affecting markets and consumers who had no direct connection to its networks.

In both cases, disruption tracked dependence rather than novelty. What mattered was not merely systems failed, but alternatives were limited once confidence in those systems was lost. The incidents did not so much introduce new weaknesses as clarify existing ones.

Why the Arrangement Persists

The prevailing distribution of responsibility persists for understandable reasons. Specialization brings order. A named role provides a focal point. Reporting cadence creates the impression of oversight.

More quietly, it allows organizations to defer less comfortable conversations. Questions about how operating models behave under stress. About how much redundancy remains after years of efficiency initiatives. About where recovery actually begins when automation stalls.

Delegation creates distance. As long as disruption is contained, that distance feels manageable. Risk appears to be handled. Attention shifts elsewhere. When disruption widens, the same structure offers fewer answers.

Measurement and Distance

Cyber risk is typically communicated through measures which make sense within security programs. Maturity models, control coverage, likelihood estimates. These metrics help teams prioritize effort. They also abstract away consequence.

Executives tend to experience risk differently. They want to know when operations resume, which commitments cannot be met, what customers will notice, and how long confidence takes to restore.

Many organizations do not hold these answers in a shared, explicit form. The knowledge exists informally, distributed across functions and individuals. Documentation substitutes for rehearsal. Confidence is inferred rather than demonstrated. The gap between those states often remains invisible until it is tested.

Where Exposure Forms

Cyber risk grows most quickly in places security teams do not control. It accumulates in efficiency drives that remove slack, in outsourcing arrangements that trade visibility for cost, and in architectures built for scale rather than isolation. These decisions are familiar and rational. They are often rewarded. Taken together, they shape how disruption travels.

When failure occurs, the result can feel abrupt. In retrospect, it often reflects the compound effect of incentives that were never reconciled.

Rethinking Ownership

Treating cyber risk as a business risk requires alignment. Alignment between authority and accountability. Between strategic decisions and their operational consequences. Between how risk is described and how disruption is actually experienced.

It begins with recognizing digital disruption is not exceptional in modern business. It is an ordinary condition that must be planned for, not merely resisted. Measurement reflects impact and recovery, not prevention alone. Planning assumes systems will degrade at inconvenient moments.

CISOs remain essential in this picture. Their expertise, preparation, and coordination matter. What they cannot provide, on their own, is ownership of decisions they do not control.

Cyber incidents rarely demonstrate neglect. More often, they reveal how responsibility was distributed in ways that felt workable until they were tested. Organizations live within those arrangements every day. Failure makes them visible.

Chris Adams is director of cyber resilience services at OctopusCRX. He has led resilience efforts across public sector and Fortune 100 financial services organizations and previously worked as a criminal and financial investigator for the UK government.

Assessing Business Continuity Resilience Posture
What Organizational Patterns Reveal Long Before a Disruption
By SCOTT BALENTINE

Organizations rarely fail during disruptions because they lack documented plans. More often, failure occurs because everyday decisions quietly shaped how the organization would perform under stress. Long before a natural disaster, technology outage, supply chain failure, or workforce disruption interrupts operations, leadership behaviors establish what can be described as an organization’s business continuity resilience posture.

Resilience posture is not defined by a business continuity plan, a maturity score, or a compliance audit. It is revealed through consistent patterns in how organizations invest, what they delay, which assumptions they test, who they reward, and what leaders ask when nothing appears urgent. These patterns determine whether continuity and recovery will be coordinated and disciplined or improvised and fragile.

In the language of NIST CSF 2.0, resilience posture reflects how governance, risk management, preparedness, response, and recovery capabilities function together to sustain important services. In ISO 22301 terms, posture reflects whether continuity is embedded into management practice and operational decision-making or treated primarily as documentation. The fundamental question is straightforward: what is the organization rehearsing every day when no disruption is occurring?

A Practical Example: When Continuity Is More Than Documentation

During the 2011 Tōhoku earthquake and tsunami, manufacturing organizations with documented continuity plans experienced markedly different outcomes. Firms that had diversified suppliers, invested in alternate sourcing arrangements, and regularly exercised cross-functional response protocols were able to stabilize operations and resume production significantly faster than peers who relied on single-source suppliers and untested recovery assumptions. In contrast, organizations whose continuity efforts focused primarily on maintaining plans, without sustained investment or operational rehearsal, encountered cascading supply chain failures that extended downtime well beyond initial impact. The differentiator was not the existence of continuity documentation, but the presence of embedded investment, tested assumptions, and leadership attention before disruption occurred, a clear illustration of how resilience posture shapes outcomes long before a crisis.

Where Is the Investment?

Investment decisions are among the clearest indicators of business continuity resilience posture. Organizations that consistently prioritize growth, efficiency, and transformation initiatives while underfunding continuity capabilities implicitly assume disruptions will be rare, manageable, or absorbed elsewhere. That assumption is often revealed only when recovery objectives are missed.

A strong continuity posture is reflected in sustained investment across the continuity lifecycle. This includes business impact analysis refreshes, dependency mapping, alternate work strategies, crisis coordination capabilities, recovery testing, and plan maintenance. Importantly, it also includes funding for time, allowing operational leaders and staff to participate meaningfully in exercises, validation activities, and post-incident reviews.

From a NIST CSF 2.0 perspective, balanced investment supports Govern, Respond, and Recover outcomes by ensuring continuity capabilities are not isolated from enterprise risk management. From an ISO 22301 perspective, it demonstrates leadership commitment to maintaining and improving the business continuity management system.

Actionable reflection: Over the past 18 months, which continuity capabilities received sustained investment, which were deferred, and which were acknowledged as necessary but never resourced?

Signals to watch:
• Exercises funded only after major incidents
• Investment concentrated on documentation rather than capability
• Continuity work treated as discretionary or voluntary

What Is Getting Delayed?

Every organization delays work. Business continuity resilience posture is revealed by which continuity activities are repeatedly postponed and how those delays are framed. Deferred business impact analyses, postponed exercises, incomplete dependency documentation, and delayed plan updates are often described as temporary. In practice, they represent ongoing risk decisions.

Organizations with a strong continuity posture treat delays as explicit risk acceptance decisions. Leadership understands that postponing a recovery exercise or dependency review increases uncertainty around outcomes. Weak posture emerges when delays occur quietly, without escalation, accountability, or reassessment.

ISO 22301 emphasizes operational control and continual improvement. Persistent delays without review undermine both. NIST CSF 2.0 similarly reinforces the importance of risk-informed prioritization across preparedness and recovery activities.

Actionable reflection: Which continuity activities have been delayed more than once, and where has risk acceptance been explicitly documented versus assumed?

Signals to watch:
• “Next quarter” becoming the default response for continuity work
• Known single points of failure remaining unresolved year after year
• No formal mechanism to escalate deferred continuity activities

Are Assumptions Tested?

Business continuity strategies rely on assumptions about staff availability, alternate facilities, vendor support, data accessibility, and decision authority during disruptions. A strong resilience posture is characterized by a deliberate effort to surface and test these assumptions before they are tested by real events.

Tabletop exercises, functional exercises, and simulations serve a purpose beyond compliance. They reveal coordination gaps, conflicting priorities, and unrealistic expectations. Organizations that avoid testing often mistake plan completion for readiness and familiarity for capability.

From a NIST CSF 2.0 standpoint, assumption testing strengthens Respond and Recover outcomes by validating coordination and execution under realistic conditions. From an ISO 22301 standpoint, it supports exercising, performance evaluation, and improvement requirements.

Actionable reflection: When was the last time continuity assumptions were tested end-to-end, including people, processes, facilities, technology, and third-party dependencies?

Signals to watch:
• Exercises that stop at discussion rather than execution
• Recovery time objectives never measured or validated
• Repeated surprises during real disruptions

Who Gets Promoted?

Promotion and recognition patterns shape business continuity resilience posture more powerfully than policies. When individuals who identify risk early, strengthen continuity capabilities, and coordinate across functions are recognized, resilience becomes embedded. When advancement is driven solely by speed, cost reduction, or crisis heroics, continuity becomes reactive.

Organizations that reward response without rewarding preparedness unintentionally rehearse fragility. Over time, staff learn continuity work is invisible unless something fails and rarely rewarded unless it coincides with a visible disruption.

Both ISO 22301 and NIST CSF 2.0 emphasize accountability and governance. These principles are weakened when recognition and advancement do not reinforce continuity behaviors.

Actionable reflection: Which behaviors are most visibly rewarded today, proactive continuity improvement or reactive crisis response?

Signals to watch:
• Continuity work described as “extra” or “non-core”
• Preventative improvements receiving little recognition
• Praise focused primarily on response rather than readiness

What Do Leaders Ask?

Leadership questions are among the strongest drivers of business continuity resilience posture. Leaders who routinely ask about recovery confidence, dependency exposure, staffing resilience, and third-party continuity signal that preparedness matters continuously, not only after failures. When continuity questions arise only after disruptions, audits, or regulatory findings, organizations internalize that resilience is episodic. What leaders ask consistently becomes what teams measure, test, and prioritize.

NIST CSF 2.0 highlights governance and risk oversight as critical enablers of resilience. ISO 22301 similarly emphasizes leadership engagement as foundational to effective continuity management.

Actionable reflection: Which continuity-related questions appear on standing leadership agendas, and which only surface after incidents?

Signals to watch:
• Metrics focused solely on plan completion
• Limited executive visibility into recovery readiness
• Continuity discussions triggered only by failures

Turning Awareness into Action

Improving business continuity resilience posture does not require wholesale transformation. It requires intentional behavior change when pressure is low. Organizations that make posture visible can select one or two indicators each quarter to address deliberately, such as funding a long-deferred exercise, formally documenting risk acceptance for a delayed activity, or changing how recovery confidence is reported to leadership.

These incremental actions align with ISO 22301’s emphasis on continual improvement and NIST CSF 2.0’s focus on risk-informed decision making. Over time, small, consistent changes reshape posture far more effectively than reactive remediation after a disruption.

Many organizations have successfully used these questions as a recurring governance tool, selecting one posture indicator per quarter for discussion in continuity, risk, or operational forums. This approach shifts business continuity from a compliance obligation to a leadership habit.

Patterns Reveal Posture Long Before a Disruption

Business continuity resilience posture is not revealed during crises. It is revealed in the accumulation of everyday decisions made when nothing appears urgent. Investments, delays, testing practices, recognition patterns, and leadership questions collectively determine whether continuity will be confident or chaotic.

Organizations seeking stronger continuity outcomes should begin not by rewriting plans, but by honestly assessing these patterns. The posture they reveal may explain far more about future performance than any documented strategy ever could.

Self-assessment prompt: To start evaluating your organization’s continuity posture, consider this quick self-assessment:
• Over the last 12 months, have we made clear, sustained investments in critical continuity capabilities?
• Which continuity activities or improvements are consistently delayed or deprioritized, and why?
• When was the last time our key continuity assumptions were tested in a realistic scenario?
• Are individuals who champion continuity recognized and supported in advancement decisions?
• Do leadership teams regularly ask about resilience, recovery readiness, and continuity risks outside of crisis moments?

Reflecting on these questions can help illuminate both strengths and gaps in your current posture, creating a fact-based starting point for improvement.

Scott Balentine, MBA, MHA, FACHE, PMP, MBCP, CCRP, is a seasoned healthcare executive with more than 20 years of experience in healthcare administration and operations. He manages disaster recovery for Methodist Le Bonheur Healthcare, where he leverages his extensive background in strategic planning, financial management, and operational efficiency to drive organizational success. Balentine has held various leadership roles in Memphis area healthcare organizations, where he was instrumental in implementing transformative initiatives to enhance service quality and operational performance. His expertise spans across multiple facets of healthcare management, including disaster recovery, IT management, and business operations. Balentine is known for his strategic vision, collaborative approach, and dedication to fostering a culture of continuous improvement. He is passionate about mentoring emerging leaders and contributing to the advancement of the healthcare industry.
