'Inside Security' with Linda Fry (Head of Enterprise Resilience & Technology Risk, Netflix)
The security space can often be fixated on avoiding risk –– patching vulnerabilities, blocking attacks, and fortifying defenses. But no wall is unbreakable. Does this then mean that security is only about prevention? Or could it be that true security is also about resilience: the ability not just to defend but also to endure and recover?
In this edition of 'Inside Security', Linda Fry (Head of Enterprise Resilience & Technology Risk) talks us through how enterprise resilience can (and should) be built into the very skeleton of an organization — shifting cybersecurity from mere risk avoidance to a critical feature of strategy that ensures businesses withstand, adapt, and thrive even in the face of threats.
Risk and Resilience: Two Sides of the Same Coin?
As a concept, and even as a business function, risk and resilience are usually considered distinct and discussed separately, even though they are fundamentally interconnected – and businesses are now increasingly recognizing how one reinforces the other.
Risk management focuses on identifying, assessing, and mitigating threats before they cause harm, while resilience ensures an organization recovers quickly in the aftermath of a disruption. In essence, risk management is about reducing the likelihood of adverse events, while enterprise resilience is about minimizing their impact. Together, they can create a comprehensive strategy for long-term business stability.
“Risk is a form of ensuring that the business is resilient against threats, and resilience is a form of specialized risk management. When they are aligned with business objectives, their interrelated nature becomes more apparent.”
How is Cyber Risk Resilience Different from Cyber Risk Quantification?
Before we proceed, let's take a quick minute to establish a few differences between Cyber Risk Resilience and Cyber Risk Quantification, terms that are often used interchangeably, and perhaps not always in the right way.
Cyber Risk Resilience refers to an organization’s ability to withstand, respond to, and recover from cyber threats and attacks while maintaining business operations. It focuses on preparation, response, and recovery rather than just risk assessment.
Cyber Risk Quantification, on the other hand, is the process of measuring cyber risk in financial terms, helping organizations make data-driven security investment decisions. It provides a probability-based analysis of potential losses due to cyber incidents.
Both play a vital part in cybersecurity strategy, but they address different dimensions of risk management –– one focusing on preparedness and recovery, the other on financial impact and prioritization. Understanding where each fits ensures a more comprehensive approach to security.
The Evolution of Enterprise Resilience & Technology Risk
The Early Days: Compliance-driven and Siloed Functions
In the early days, business continuity was housed under physical security or enterprise operations, while disaster recovery fell under GRC (Governance, Risk, and Compliance) or engineering teams. Similarly, technology risk was often managed by security teams, while broader enterprise risk functions were shouldered by finance or legal departments. This fragmented approach more often than not created misalignment and inefficiencies.
As Linda explains:
“These roles were initially lumped together to churn out risk register entries and business continuity plans that are looked at once a year to make auditors happy. Risk management used to be about producing policies and controls, not necessarily informing business strategy. Resilience, too, was mostly about having plans on paper rather than actually preparing organizations to respond to real crises.”
Today: Proactive & Data-Driven
Organizations now are more aware of the interconnectedness between risk and enterprise resilience, leading to a more strategic, business-aligned approach. Rather than treating them as discrete compliance-driven functions, companies now view risk as an enabler to resilience, helping anticipate threats while ensuring swift recovery from disruptions.
Restructuring of leadership followed these changes, with more businesses placing the functions under technology executives such as CISOs or CTOs, aligning them closely with cybersecurity and core business operations rather than leaving them on the fringes of some department far removed from their purpose.
"Risk is about ensuring the business is resilient against threats, and resilience is a specialized form of risk management."
A major driver of this shift was the need for data-driven decision-making in risk management. Instead of relying on vague risk assessments (red/yellow/green indicators), organizations began quantifying risks in financial terms to help executives prioritize investments in resilience.
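To make the quantification described in the definition of Cyber Risk Quantification above and in this paragraph concrete, here is an added example written for this page; it is not code from Netflix, from Linda Fry, or from the article. It implements a FAIR-style Monte Carlo model: loss event frequency (events per year) and loss magnitude (dollars per event) are each sampled from an analyst's min / most-likely / max estimate, many years are simulated, and each scenario is summarized as annualized loss expectancy (ALE), the 90th-percentile annual loss, and the probability of exceeding a loss tolerance threshold, so scenarios can be ranked in dollars rather than red/yellow/green. The two scenarios, their estimates and the $1M threshold are constructed illustrations, not figures from the article, and the example goes slightly beyond the text by showing how a frequent but small loss can rank below a rare but large one.

```python
"""FAIR-style cyber risk quantification via Monte Carlo (constructed example)."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Pert:
    """Analyst estimate as min / most-likely / max, sampled as a modified-PERT (beta)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:          # degenerate estimate: a fixed value
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Pert   # loss event frequency: events per year
    lm: Pert    # loss magnitude: dollars per event


@dataclass(frozen=True)
class RiskResult:
    name: str
    ale: float        # annualized loss expectancy (mean annual loss)
    p90: float        # 90th-percentile annual loss
    p_exceed: float   # probability that a year's loss exceeds the threshold


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year, Knuth's method (fine for small rates)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 20_000,
             threshold: float = 1_000_000, seed: int = 7) -> RiskResult:
    """Simulate `years` independent years and summarize the annual loss distribution."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = scenario.lef.sample(rng)            # this year's event rate
        events = poisson(rng, rate)                # how many events actually occur
        annual.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    annual.sort()
    p90 = annual[int(0.9 * (years - 1))]
    p_exceed = sum(1 for loss in annual if loss > threshold) / years
    return RiskResult(scenario.name, mean(annual), p90, p_exceed)


def rank(scenarios, **kwargs) -> list:
    """Rank scenarios by ALE, highest first, so leadership sees dollars not colors."""
    return sorted((simulate(s, **kwargs) for s in scenarios),
                  key=lambda r: r.ale, reverse=True)


# Constructed scenarios; the estimates are illustrative, not from any real assessment.
RANSOMWARE = Scenario("ransomware on build pipeline",
                      lef=Pert(0.05, 0.2, 0.5),                # rare
                      lm=Pert(200_000, 1_500_000, 8_000_000))  # but expensive
PHISHING = Scenario("credential phishing of support accounts",
                    lef=Pert(2, 6, 15),                        # frequent
                    lm=Pert(2_000, 15_000, 100_000))           # but cheap

if __name__ == "__main__":
    for r in rank([RANSOMWARE, PHISHING]):
        print(f"{r.name:45s} ALE=${r.ale:>12,.0f} "
              f"P90=${r.p90:>12,.0f} P(loss>$1M)={r.p_exceed:.1%}")
```

Because both frequency and magnitude are sampled from ranges, the output carries its uncertainty with it: the P90 and exceedance probability tell leadership how bad a plausible bad year is, which a single ALE figure (or a color) hides. Swapping the PERT estimates for calibrated ranges from an actual risk workshop is the only change needed to use this on real scenarios.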
As Head of Enterprise Resilience & Technology Risk at Netflix, Linda explains how companies must adopt data-informed strategies to anticipate threats and ensure rapid recovery from disruptions.
"At Netflix, we use financial modeling (FAIR methodology) to quantify cybersecurity and business risks in financial terms. This allows us to compare risks objectively and prioritize them effectively."
This sentiment was also echoed by Prashanthi Koutha in our previous edition where we discussed the impact of CRQ teams on security.
Instead of risk assessments being a one-time, annual exercise, enterprises are integrating continuous risk monitoring, real-time analytics, and financial quantification models into their decision-making process–eliminating exhaustive, overly complex continuity plans and prioritizing what is critical to maintain business operations in the face of unexpected events.
"Leadership doesn’t need to see business impact analyses for 700 processes. They need to understand what’s critical to delivering the minimum viable version of the company in the event of a major disruption."
This proactive mindset helps move away from rigid, policy-driven approaches toward dynamic risk and resilience strategies.
"Risk management isn’t about assessing controls—it’s about informing leadership in a consistent and data-informed way about what they’re getting themselves into."
The Future: Where Risk & Resilience are Headed
As businesses continue navigating an ever-evolving, complex threat landscape, risk management and resilience functions must embrace a holistic, organization-wide approach – a strategic necessity.
By leveraging financial modeling, real-time risk assessments, and strategic resilience planning, organizations can better navigate the complex threats of the future. Those that fail to adapt risk relying on outdated, reactive strategies that could leave them vulnerable.
“Organizations are now recognizing CRQ’s value, driven by regulatory changes and the need for structured, data-driven decision-making. It is not just a tool; it's becoming an essential element of enterprise risk strategy, enabling informed, effective, and strategic cybersecurity decisions."
Conclusion
Ultimately, risk and resilience are no longer optional add-ons—they are essential to a company’s long-term success, equipping them with the tools to not just protect their critical assets but also gain a competitive edge in an unpredictable world.
We’d like to thank Linda for her time and insights. If you’d like to connect with her or learn more about these topics, feel free to reach out via LinkedIn.