Step aside, SOC. It’s time to ROC

Looking back on my years in national defense, one lesson stands out above the rest: speed and coordination are everything. Waiting until the dust settles to act after an attack can mean major setbacks at best, or dire consequences at worst. The same rings true in enterprise cybersecurity. Reactive decisions post-breach are often too late to prevent financial losses or business disruptions. The stakes are especially high when the target is critical infrastructure — think hospitals, regional power grids or major transportation systems.

This philosophy should be how we approach cyber risk as an industry. Rather than focusing only on defense after the fact, we at Resilience encourage organizations to rethink how they address their cyber risk. Part of that rethinking means taking a hard look at the status quo — specifically how enterprises have historically managed security monitoring and incident response.

Traditional SOC in a nontraditional world

For decades, the security operations center (SOC) has been the industry standard, serving as the nerve center for tracking alerts and triaging incidents. The typical SOC playbook is designed to contain or remediate issues after the fact by applying a patch or restoring a backup, but it doesn’t anticipate or prevent the next hit. That structure leaves executives without the context or language they need to make financially sound decisions about their risk exposure.

We’ve seen too many real-world consequences of this disconnect. A traditional SOC culture can train organizations to view security as a back-office technical issue. Alerts come in, analysts respond, tickets get closed, end of story. But the broader business context rarely enters the picture, which makes it difficult for technical teams to secure swift leadership buy-in when tough trade-offs arise.

In our portfolio alone, we’ve witnessed a ransomware attack force a regional hospital network to divert patients for hours because IT teams couldn’t get immediate executive approval to shut down affected systems. In another instance, a global manufacturer delayed patching a critical vulnerability because leadership wasn’t convinced the downtime cost was worth it — that was, until attackers exploited the vulnerability weeks later. There is clearly a high cost associated with siloing cyber risk and treating it as a purely technical problem rather than a business one.

I felt there had to be a better solution. Enter: the ROC.

What is a ROC?

At its core, the Resilience Risk Operations Center (ROC) is a proactive intelligence hub. Think of it as a fusion center in which cyber, business and financial risk come together to form one clear picture.

While the idea of a ROC isn’t entirely new — versions of it have existed across government and private sectors — the latest iterations emphasize collaboration between technical and financial teams to anticipate, rather than react to, threats.

With this approach, the ROC continuously consolidates real-world attack, claims and business intelligence data into a single operating environment. Then we bring experts from across disciplines — including threat hunters, claims experts, underwriters, data scientists and risk engineers — into the same room, both literally and figuratively, to assess the situations at hand. That collaboration allows us to spot vulnerabilities faster, understand their potential financial impact and take action before attackers can exploit them.

What sets this approach apart is the integration of technical and financial perspectives. A SOC might issue an alert on a high-severity vulnerability, but a ROC layers in actuarial data and breach costs to show what that risk means in dollars and cents. It’s amazing how quickly decisions get made when a critical vulnerability is framed in real-world financial terms that anyone can understand.

Inspired by the US Air Force

The principles behind the ROC didn’t emerge out of thin air. They were very much inspired by my time in the US Air Force working with the air operations center (AOC). An AOC serves as the central command hub for coordinating air, space and cyber missions. This approach is not just about monitoring radar screens or weather patterns. It’s about fusing together intelligence from every domain — satellite imagery, troop movements, communications intercepts and more — into a single operating picture that everyone can act on.

What struck me most was how the AOC broke down silos. Pilots, intelligence analysts, logistics officers and cyber operators all sat side by side, working from the same shared intelligence. That diversity of expertise meant we were going beyond reacting to events to anticipating them, planning contingencies and making decisions that balanced immediate threats with long-term objectives.

This approach offers a useful comparison for enterprises handling cyber risk today. In the corporate world, threat intelligence usually lives in the SOC, insurance data sits with the finance team, and business risk assessments gather dust in board reports. Rarely do those streams converge into one centralized decision-making hub. The ROC framework aims to change that by promoting collaboration and shared understanding.

Change doesn’t come easy

Of course, building the ROC wasn’t all smooth sailing. Just like military adversaries, cyber criminals are constantly evolving and improving. Scarier yet, just a single keystroke by a criminal actor can set off a chain reaction of significant disruptions. That makes trying to anticipate their next move feel like playing chess against an opponent who is changing the rules mid-game.

There was also the challenge of breaking down the existing silos between cyber, risk and financial teams. Bridging those disciplines was essential to driving positive material change.

The solution was twofold, starting with designing a ROC that leveraged advanced models to identify the most financially damaging threats. That lets the ROC prioritize based on true impact rather than overblown FUD generated by media hype or vendor marketing. These insights are then mapped against each client’s unique infrastructure in order to pinpoint the vulnerabilities most likely to be exploited, calculate their financial cost and recommend tailored strategies to reduce risk.

The second key was building in positive feedback loops that continuously improve performance. Threat intelligence, claims data and client activity inform each other in near real time, sharpening the models’ output and accelerating response.
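The prioritization the ROC is described as doing, ranking findings by expected financial loss rather than raw severity, as an added Python sketch that is not Resilience’s code. The likelihood heuristic, asset names, identifiers and cost figures are all constructed placeholders; the point is that the financially informed order differs from the severity-only order.

```python
"""Rank findings by expected financial loss instead of raw technical severity."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str                 # placeholder identifier (constructed)
    cvss: float                  # technical severity, 0-10
    internet_facing: bool
    exploit_in_wild: bool
    hourly_downtime_cost: float  # finance team's figure for this asset
    restore_hours: float         # hours to contain and restore if compromised
    breach_cost: float           # actuarial estimate of incident costs


def exploit_likelihood(f: Finding) -> float:
    """Constructed heuristic: chance the finding is exploited this quarter."""
    p = f.cvss / 10 * 0.3          # base rate scales with severity
    if f.internet_facing:
        p *= 2                     # reachable by anyone on the internet
    if f.exploit_in_wild:
        p *= 2                     # attackers already have working code
    return min(p, 0.95)


def expected_loss(f: Finding) -> float:
    """Likelihood times impact, where impact is downtime cost plus breach cost."""
    impact = f.hourly_downtime_cost * f.restore_hours + f.breach_cost
    return exploit_likelihood(f) * impact


def rank_by_expected_loss(findings):
    return sorted(findings, key=expected_loss, reverse=True)


def rank_by_cvss(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample: three findings as a hospital network might see them.
SAMPLE = [
    Finding("edge-vpn", "VULN-A", 10.0, True, True, 20_000, 24, 1_500_000),
    Finding("patient-records-db", "VULN-B", 7.5, False, False, 50_000, 48, 2_000_000),
    Finding("dev-wiki", "VULN-C", 9.8, False, False, 200, 4, 10_000),
]

if __name__ == "__main__":
    for f in rank_by_expected_loss(SAMPLE):
        print(f"{f.asset:20} cvss={f.cvss:4} expected_loss=${expected_loss(f):,.0f}")
```

Severity alone puts the internal wiki (9.8) above the patient-records database (7.5); expected loss puts the database second and the wiki last.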

Real-world success

The first few months of the ROC’s operations showed clear signs that the model could work at scale. In April 2024, Palo Alto Networks disclosed a zero-day vulnerability in a global VPN product. Within hours, the ROC was synthesizing data across our clients’ environments to identify who was at risk. The vulnerability hunting team sent immediate alerts and recommended actions, enabling clients to disable vulnerable systems before attackers could strike. Those who didn’t receive alerts or make the suggested changes faced weeks of remediation and higher losses. That contrast underscored how combining operational vigilance with financial insight can materially reduce risk in real time.

Looking ahead

For me, resilience has always meant more than trying to protect against all possible threats. It’s about aligning cyber defenses with financial outcomes, so that when — not if — a breach occurs, companies can absorb the hit and continue to operate.

The ROC concept represents the first real step in that journey towards cyber resilience. It’s not a single product or platform but a strategic shift toward integrated, financially informed cyber defense. By fusing intelligence across technical and financial domains, this model can shift cybersecurity from a reactive function into a proactive discipline that helps leaders make faster, smarter decisions under pressure.

This article is published as part of the Foundry Expert Contributor Network.