Disaster Recovery Journal Summer 2026
that reward speed, scale, and cost reduction more reliably than resilience. When incidents occur, attention shifts quickly to controls and response. Those questions matter. Alongside them sits another reality. The organization is encountering the version of itself it has been constructing over time, one optimized for uninterrupted digital function, with limited tolerance for uncertainty. In those moments, the CISO is often asked to explain not only what failed, but why the business feels as exposed as it does.

What Incidents Reveal

Public accounts of cyber incidents tend to dwell on mechanics. How attackers gained access. Which malware was used. What vulnerability was exploited. The detail can be clarifying, but it rarely accounts for impact.

When Maersk was affected by the NotPetya outbreak in 2017, the defining problem was not data loss so much as interruption. Shipping operations slowed because the digital coordination that sustained them disappeared. Ports, schedules, and documentation processes which normally functioned in the background became constraints. Recovery required restoring systems but also reconstituting how the organization operated without them.

The Colonial Pipeline incident in 2021 followed a different path but exposed a similar dependence. A ransomware intrusion into corporate IT systems led to a precautionary shutdown of fuel distribution. Even without confirmed compromise of operational technology, uncertainty itself proved sufficient to halt activity. The effects extended quickly beyond the company, affecting markets and consumers who had no direct connection to its networks.

In both cases, disruption tracked dependence rather than novelty. What mattered was not merely systems failed, but alternatives were limited once confidence in those systems was lost. The incidents did not so much introduce new weaknesses as clarify existing ones.

Why the Arrangement Persists

The prevailing distribution of responsibility persists for understandable reasons. Specialization brings order. A named role provides a focal point. Reporting cadence creates the impression of oversight. More quietly, it allows organizations to defer less comfortable conversations. Questions about how operating models behave under stress. About how much redundancy remains after years of efficiency initiatives. About where recovery actually begins when automation stalls.

Delegation creates distance. As long as disruption is contained, that distance feels manageable. Risk appears to be handled. Attention shifts elsewhere. When disruption widens, the same structure offers fewer answers.

"CISOs are often expected to account for outcomes shaped by decisions they did not make. Those decisions are rarely framed as security choices at the time."

Measurement and Distance

Cyber risk is typically communicated through measures which make sense within security programs. Maturity models, control coverage, likelihood estimates. These metrics help teams prioritize effort. They also abstract away consequence.

Executives tend to experience risk differently. They want to know when operations resume, which commitments cannot be met, what customers will notice, and how long confidence takes to restore.

Many organizations do not hold these answers in a shared, explicit form. The knowledge exists informally, distributed across functions and individuals. Documentation substitutes for rehearsal. Confidence is inferred rather than demonstrated. The gap between those states often remains invisible until it is tested.

Where Exposure Forms

Cyber risk grows most quickly in places security teams do not control. It accumulates in efficiency drives that remove slack, in outsourcing arrangements that trade visibility for cost, and in architectures built for scale rather than isolation.

These decisions are familiar and rational. They are often rewarded. Taken together, they shape how disruption travels. When failure occurs, the result can feel abrupt. In retrospect, it often reflects the compound effect of incentives that were never reconciled.

Rethinking Ownership

Treating cyber risk as a business risk does not requires alignment. Alignment between authority and accountability. Between strategic decisions and their operational consequences. Between how risk is described and how disruption is actually experienced.

It begins with recognizing digital disruption is not exceptional in modern business. It is an ordinary condition that must be planned for, not merely resisted. Measurement reflects impact and recovery, not prevention alone. Planning assumes systems will degrade at inconvenient moments.

CISOs remain essential in this picture. Their expertise, preparation, and coordination matter. What they cannot provide, on their own, is ownership of decisions they do not control.

Cyber incidents rarely demonstrate neglect. More often, they reveal how responsibility was distributed in ways that felt workable until they were tested. Organizations live within those arrangements every day. Failure makes them visible.

Chris Adams is director of cyber resilience services at OctopusCRX. He has led resilience efforts across public sector and Fortune 100 financial services organizations and previously worked as a criminal and financial investigator for the UK government.