CIO100: Business-First Approach To Cyber Resilience
Every organisation fears the moment when everything goes wrong, when systems fail, customers panic, competitors circle, and revenue disappears.
According to cyber security strategist, Steve Jump, the biggest mistake businesses make is assuming that their “worst business day” is unpredictable. Speaking at the 17th edition of CIO100 Awards & Symposium, Jump argued that organisations can not only model their worst-case scenarios, but that doing so forms the foundation of modern cyber resilience.
Jump delivered a message that cut through the noise surrounding cybersecurity. His central argument was simple, sharp, and uncomfortable: your worst business day is predictable if you are willing to define it.
Jump began with a truth many leaders prefer to ignore: “When cyber is not included in your business continuity plan, it doesn’t just create a bad day; it makes your bad day worse.” Cyber incidents are not only legitimate triggers for activating a business continuity plan, but they are also highly likely to occur during a continuity event. Treat them as separate domains, and the chaos doubles.
He then asked the audience a deceptively simple question: What would your worst business day look like? It is a question he has refined for years. “Someone once told me: If only we could work out what our worst business day was going to be, we could make sure we never had to experience it. He was presenting, I was actually awake long enough to take notes, and that’s where this whole model started.”
The model has evolved into one of Jump’s most powerful tools for helping executives understand risk.
The method begins by identifying three to five nightmare scenarios. These are not a laundry list of risks or a 40-page register, but the specific events that would cause meaningful loss. Jump’s slides highlight the focus: What are your most valuable assets? What threatens them? What cannot be recovered? What will your competitors think?
Once those “worst day” elements are identified, the organisation evaluates its ability in four areas: detect early signs, prevent escalation, respond when things go wrong, and recover once the damage is contained. Each of the four areas is scored from one to ten, with around fourteen people participating. “Yes, for some this is advanced mathematics,” Jump joked. “It’s easier with coffee.”
Beneath the humour lies a structured, business-aligned approach. The four areas line up with the Protect, Detect, Respond and Recover functions of the NIST Cybersecurity Framework, and a repeated, recorded exercise of this kind can serve as the information security risk assessment that ISO 27001 requires at planned intervals (an auditor will expect the scores, the scenarios and the resulting treatment decisions to be documented, not just the meeting to have happened). “If you can show you go through this exercise once a year,” he said, “you’ve met the full requirement.”
The simplicity is intentional. Add up the four area scores (each from one to ten, so forty is the maximum), divide by 40, and you get what Jump calls the Barnwell Coefficient, named after Robin Barnwell. The result is a percentage offering a comparative measure of resilience:
- Under 25 per cent: serious gaps
- 25–50 per cent: early foundations
- 50–75 per cent: good progress
- 75–95 per cent: strong resilience
- Above 95 per cent: “Let’s talk. You need to share your secrets.”
With each retake of the exercise, organisations can track progress year over year without drowning in documentation. It is risk assessment that executives actually understand.
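To make the arithmetic concrete, here is an added Python example; it is not code from the talk, the page, or Jump's own tooling. It takes the page as given (four areas scored one to ten, sum divided by 40, the five bands above) and goes slightly beyond it: the page does not say how the roughly fourteen participants' scores are combined into one score per area, so this example takes the median per area, which is an assumption chosen so that one outlier cannot drag the result. The scenario names and scores are constructed sample data, and the trend wording is the "higher or lower than last time" framing Jump recommends later in the talk.

```python
"""Scoring helper for the 'worst business day' exercise (added example).

Page-supported: four areas scored 1-10, sum / 40 as a percentage, five bands.
Assumption: participants' scores are combined by taking the median per area.
Sample scenarios and scores below are constructed, not from the talk.
"""
from statistics import median

AREAS = ("detect", "prevent", "respond", "recover")
MAX_TOTAL = 10 * len(AREAS)  # four areas scored 1-10 each, so 40

# Bands from the page: upper bound (exclusive) and label.
BANDS = (
    (25, "serious gaps"),
    (50, "early foundations"),
    (75, "good progress"),
    (95, "strong resilience"),
)
TOP_BAND = "above 95: share your secrets"


def validate_score(value):
    """Scores are whole numbers from one to ten; reject anything else."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"score must be an integer 1-10, got {value!r}")
    return value


def aggregate_area_scores(responses):
    """Collapse one dict of area scores per participant into one score per area.

    Assumption (not stated on the page): the median across the group.
    Every participant must have scored all four areas."""
    if not responses:
        raise ValueError("at least one participant response is required")
    return {area: median(validate_score(r[area]) for r in responses) for area in AREAS}


def barnwell_coefficient(area_scores):
    """Sum of the four area scores divided by 40, expressed as a percentage."""
    total = sum(area_scores[area] for area in AREAS)
    return 100.0 * total / MAX_TOTAL


def band(pct):
    """Map a coefficient to the band labels given on the page."""
    for upper, label in BANDS:
        if pct < upper:
            return label
    return TOP_BAND


def assess(scenarios):
    """{scenario name: [participant responses]} -> per-scenario scores, coefficient, band."""
    results = {}
    for name, responses in scenarios.items():
        scores = aggregate_area_scores(responses)
        pct = barnwell_coefficient(scores)
        results[name] = {"scores": scores, "coefficient": pct, "band": band(pct)}
    return results


def trend(previous_pct, current_pct):
    """The comparative statement the talk prefers over 'are we secure?'.

    A higher coefficient means more resilience, i.e. lower exposure."""
    delta = current_pct - previous_pct
    if delta > 0:
        return f"exposure lower than last assessment ({delta:+.1f} points)"
    if delta < 0:
        return f"exposure higher than last assessment ({delta:+.1f} points)"
    return "exposure unchanged since last assessment"


# Constructed sample: two nightmare scenarios, five participants each
# (the page mentions around fourteen participants; fewer here for brevity).
SAMPLE = {
    "ransomware in order management": [
        {"detect": 6, "prevent": 5, "respond": 4, "recover": 3},
        {"detect": 7, "prevent": 5, "respond": 4, "recover": 2},
        {"detect": 6, "prevent": 6, "respond": 5, "recover": 3},
        {"detect": 5, "prevent": 4, "respond": 4, "recover": 3},
        {"detect": 6, "prevent": 5, "respond": 3, "recover": 4},
    ],
    "payment provider outage": [
        {"detect": 8, "prevent": 3, "respond": 7, "recover": 6},
        {"detect": 9, "prevent": 4, "respond": 7, "recover": 7},
        {"detect": 8, "prevent": 3, "respond": 6, "recover": 6},
        {"detect": 7, "prevent": 2, "respond": 7, "recover": 5},
        {"detect": 8, "prevent": 3, "respond": 8, "recover": 6},
    ],
}

if __name__ == "__main__":
    for name, result in assess(SAMPLE).items():
        print(f"{name}: {result['coefficient']:.1f}% ({result['band']}) {result['scores']}")
    # Year-over-year comparison for the first scenario against a prior (constructed) 38.0%.
    print(trend(38.0, assess(SAMPLE)["ransomware in order management"]["coefficient"]))
```

Keeping the raw per-area medians alongside the coefficient matters: two scenarios can share a coefficient of 45 per cent while one is weak on recovery and the other on detection, and that difference, not the headline percentage, is what decides where the next control or telemetry investment goes.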
Throughout his talk, Jump emphasised that cybersecurity is not a technical discipline bolted onto business operations. “This is business,” he said plainly. “Don’t think IT’s hands inside the rack. Security can never be an add-on.” Compliance is a start, not a destination. True cyber resilience comes from knowing what matters most and ensuring that controls and telemetry serve the business purpose.
This approach filters oceans of cybersecurity data down to the signals that matter, the handful of metrics that indicate risk to critical systems. “It might only be one data element out of a thousand,” Jump explained, “but if it goes from one to seven, something should go boom in your head.”
When executives ask the dreaded question, “Are we secure today?” Jump offers a practical escape hatch. “The honest answer is, I can’t tell you that without getting fired.” But with the right metrics, he can respond confidently: “Last week’s indicators show our risk exposure is lower this week than it was last month,” or “Our exposure is higher this week than it was last week.” This reframes security from guesswork to trend analysis — a business conversation grounded in measurable reality.
In the end, Jump’s message was clear. Cybersecurity is not about firewalls, dashboards, or threat feeds. It is about understanding how your organisation creates value, what threatens that value, and how you recover when things go wrong. Cyber risk is, at its core, a business risk, and resilience begins with being brutally honest about your worst day.
“Write those numbers down,” he urged. “Capture them. Build them into your risk models.” Once you understand the cost of failure, you finally understand the value of resilience.