In this page we aim to provide guidance to organizations in defining the role of the Cyber Resilience Officer in order to kick-start or evolve their journey in becoming cyber resilient. The role is tied to the NIST NICE Framework in the specialty area of "Executive Cyber Leadership", which covers a number of broader leadership and management skills needed for practitioners in this role to be successful.

Please drop us a note here for any comment or idea on how to make this page better: feedback@cyberresilienceofficer.org
Current NICE Framework Work Roles relevant to the Cyber Resilience Officer position:

Oversight and Governance
  • Security Control Assessment OG-WRL-012
  • Systems Authorization OG-WRL-013 
  • Executive Cybersecurity Leadership OG-WRL-007 
  • Cybersecurity Policy and Planning OG-WRL-002 
  • Systems Security Management OG-WRL-014 
Design and Development
  • Enterprise Architecture DD-WRL-002 
  • Cybersecurity Architecture DD-WRL-001 
Protection and Defense
  • Incident Response PD-WRL-003 
  • Threat Analysis PD-WRL-006 
  • Vulnerability Analysis PD-WRL-007 
Cyberspace Effects
  • Partner Integration Planning CE-WRL-005 
  • Mission Assessment CE-WRL-004 
  • Target Analysis CE-WRL-006 

Download the Cyber Resilience Officer Work Roles in table format, with Work Role title, Work Role ID and Description:

(cyber_resilience_officer_roles_table.html)

[June 2023] Submitted proposal to create a Cyber Resiliency Competency Area 
[February 2024] Met with key NIST, MITRE and industry representatives to agree on the Cyber Resiliency Competency Area and Systems Security Engineering Work Role
[June 2023] Informed the ENISA European Cybersecurity Skills Framework (ECSF) and ECSO Community of the need to add relevant tasks, competencies and skills to the Chief Information Security Officer role 

Why a Cyber Resilience Officer

"Cyber resilience must be governed from the top. Too many leaders who are not technical experts delegate cyber defence because they think it is too complex. In addition to taking responsibility, a dedicated Cyber Resilience Officer needs to report directly to the Board. In fact, boards should focus on which systems support critical activities, rather than approaching the problem through the lens of software vulnerabilities."
Link to Cyber Resilience Framework publication (WEF website)

Who is the Cyber Resilience Officer

The Cyber Resilience Officer is accountable for the organization’s ability to manage cyber resilience and for implementing cyber-resilience goals. The Cyber Resilience Officer should have regular Board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties. The role should be formally defined and documented with clearly understood expectations and obligations. The organization has clear mechanisms for providing the Cyber Resilience Officer ready access to each of the following: communication with the Board of Directors; empowerment over cyber-resilience strategy, management and enforcement actions; cyber-resilience expertise and executive training; the acquisition of personnel, financial and technology resources. 

Link to Cyber Resilience Index publication (WEF website)

The Cyber Resilience Officer is an experienced professional who masters cyber resilience skills: 

NIST 800-160 v1 & v2
  • Ability to design strategies and processes to architect, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover and evolve
NIST 800-172
  • Ability to identify and drive strategies and processes for penetration-resistant architecture, damage-limiting operations, and designing for cyber resiliency and survivability
MITRE Cyber Resilience Engineering
  • Ability to balance and prioritize cyber resiliency choices based on nodal analysis
  • Ability to perform cyber resilience architectural and engineering analysis based on MITRE artefacts

On top of Cyber Resilience skills, the Cyber Resilience Officer understands and drives value from these areas:

Cybersecurity threat management & incident response

Ability to understand the differences, implications and courses of action for security vulnerabilities, cyber threat intel, digital investigations and offensive security. 


Defensible enterprise security architecture

Ability to understand and put in place the translation of security objectives and strategy into architecture and engineering digestible artefacts. 

Disaster recovery, backup and storage, crisis management

Ability to understand the differences between operational resilience, cyber security and cyber resilience. Well versed in traditional "recover" and "reconstitute" capabilities.


Security frameworks, controls, risk & compliance

Ability to understand, design and drive a cyber resilience risk strategy within a given risk management framework where policies and standards help support strategic pillars - including third party risk.

Cyber Resilience Competency Area (NIST NICE)

This Competency describes a learner’s capability related to architecting, designing, developing, implementing, maintaining, and sustaining the trustworthiness of systems that use or are enabled by cyber resources to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, or attacks.

[Work in progress - due to be published in 2024]
Link to NIST NICE page

The Cyber Resilience Officer plays a pivotal role in this notional Cyber Resilience Operating Model.

Cyber Resilience Officer Job Description - Sample

(cyberresilienceofficerjobdescription.pdf)

Cyber Resilience Officer - Job Description

The Cyber Resilience Officer is accountable for the organization’s ability to manage cyber resilience and for implementing cyber resilience goals. The role should have regular Board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties. 
The organization has mechanisms in place for providing the Cyber Resilience Officer ready access to each of the following: communication with the Board of Directors; empowerment over cyber resilience strategy, management and enforcement actions; cyber resilience expertise and executive training; the acquisition of personnel, financial and technology resources. 

The role seeks to:
• Continuously understand and uplift the organization's cyber resilience posture.
• Answer the question – Could we be the next victim of extreme but plausible cyber threats?
• Shape the reporting of cyber resilience risk at risk forums across the organization in order to drive awareness and change.

This requires an individual who can work across the various lines of defence and bring expertise and analysis in the area of cyber resilience:
• Understand current cyber threats and the technical aspects of the attacks used.
• Provide oversight and influence of the organization’s cyber assessment capabilities.
• Participate within threat action groups targeting cyber resilience related threats.
• Work with reporting and analytics teams to produce innovative risk reports related to cyber resilience.
• Mix quantitative and qualitative metrics to measure cyber resilience exposure in a non-technical way.
• Identify and collate cyber resilience requirements in support of enterprise security architecture engagements.
• Lead through influence and collaboration supporting constructive input and challenge.
• Collaborate and influence colleagues across various lines of defence including CISO and CIO teams.
• Continuously identify critical third parties and ensure a thorough understanding of the organization's important business services.
• Set impact and risk tolerances, monitor threshold levels and contingency plans for important business services (including third parties).

Qualifications:
• Proficiency in the main cyber resilience frameworks like NIST 800-160, MITRE CREF and NIST 800-172. 
• Have significant experience working in cybersecurity threat management. 
• Experience of the tactics, techniques and procedures used by advanced cyber adversaries. 
• Experience of cyber resilience strategies, design, engineering and architecture.
• Significant technical expertise and able to communicate in depth with colleagues from blue teams, purple teams and red teams. 
• Ability to focus on extreme but plausible threats as well as other possible threats. 
• Experience in third party risk management and mapping of services to assets (people, assets, technology, vendors etc).
• Able to communicate to technical and non-technical audiences, able to explain complex topics with simplicity. 
• Able to articulate requirements clearly to non-cyber experts spanning data analytics, reporting and risk to ensure resultant cyber resilience reports are consumable and relevant.
Copyright ©2024 Cyber Resilience Officer, All Rights Reserved.