Tech resiliency: Make the business—not just IT—resilient

In 2024, companies got the wake-up call about business resiliency that many of them didn’t realize they needed. A series of high-profile outages, most notably at CrowdStrike, as well as increased scrutiny from boards and regulators ratcheted up pressure on CIOs and their resiliency teams. As technology’s complexity puts more pressure on systems and outages increasingly hit the bottom line—downtime costs Global 2000 companies $400 billion annually⁴—the key challenge for the CIO in 2025 will be less about fortifying IT systems and more about making the business itself more resilient.

This is primarily a mindset shift. Check-the-box adherence to regulations won’t do. But a do-it-all approach won’t work either; there is simply too much for most large-scale enterprises to cover. If there were a resiliency term for CIOs in 2025, it might be “focus.” CIOs should consider pouring their energies into developing a detailed understanding of what matters most to their business and shifting resources to protect the most relevant systems. In effect, having the most important 30 percent of the business at 100 percent resiliency is better than having 100 percent of the business at 80 percent resiliency.

 
This focus requires CIOs to assess resiliency at the journey level, which means evaluating all the various steps and dependencies for any business-critical application (not just infrastructure but end-to-end processes and third parties). A framework for evaluating your vendors—and the vendors they use—will be crucial. Beyond the basics of upgrading monitoring, incident management, and testing (unit, integration, user acceptance, and performance), the business will rely on the CIO to move toward more-advanced processes adopted by tech leaders, such as chaos engineering (introducing failures into a system to test its resilience and identify potential failure points).