The Estimation of Material Impact Must Be the Board’s Focus in 2026 to Ensure a Viable Digital Business


Yes, you read it right.

There is a symbiotic relationship between the minimum material impact that boards and governing bodies consider acceptable and the extent of digital business that remains viable during unprecedented cyberattacks.

And the deeper we go into the topic, the clearer it becomes that striking the balance between the two is what lets your CISO ensure that the CIO and the CDO can lead the organization to the promised land of digital and AI innovation.

Let me explain.

Is Material Risk Acceptable?

Every board I talk to has a Business Continuity Plan. Every CISO I talk to has a recovery-time objective.

And yet, almost none of them can answer one simple question: how much material impact can this business actually absorb before it stops being the business the market thinks it is?

In the past 12 months, by the SEC’s own EDGAR record, somewhere between 15 and 20 public companies have filed a Form 8-K under the mandatory Item 1.05, reserved only for incidents a company has determined to be material, disclosing that a cyberattack moved the needle on their financial condition or results of operations.

That is not the full count of breaches. That is just the count of breaches a company’s own lawyers and CFO agreed, in writing, to the SEC, had crossed a material line.

Dozens more were disclosed voluntarily under Item 8.01 because companies, since the SEC’s May 2024 guidance, are understandably reluctant to invoke Item 1.05 unless the math truly forces them to.

Sit with that.

Fifteen to twenty boards, in twelve months, signed off on a sentence that says, this attack mattered enough to move our numbers. And the SEC’s new Cyber and Emerging Technologies Unit is watching the ones who waited too long to say it.

Now ask the question that actually matters: how many of those boards had, before the breach, a quantified answer to “How much material impact is acceptable?”

My guess, from two decades of sitting across the table: almost none.

Yet taking that step is the single most significant thing a board can do to help the CISO prepare the organization for the next breach and the next filing.

Why “We Have a BCP” Is Not an Answer

Yes, a BCP is essential.

But it is no longer enough.

Because the math does not add up.

If your acceptable Material Impact is at most 1% of the overall business, successfully recovering 15–20% of critical business after the fact does not make the business 99% operational.

It makes the business 80–85% broken, with a recovery plan stapled on top.

This is the gap between the amount of digital disruption that business leaders actually told their investors they could tolerate and the recovery-oriented list of “must restore” systems that the business eventually brought back after a frustrating period.

The gap is where reputational damage, regulatory fines, customer churn, and the next 8-K amendment all live.

And the objective of keeping critical business operations unaffected during unprecedented cyberattacks and breaches reverses this math.

By treating breach readiness as a strategic initiative, every CISO can plan to keep a Minimum Viable Digital Enterprise (MVDE), the portion of the enterprise defined by the Maximum Acceptable Material Impact (MAMI), unaffected.

This Is the Age of AI-Powered Attackers: MAMI Gives the CISO a Target, and MVDE Gives the CISO a Map

Investment in breach readiness is directly proportional to the acceptable level of material impact an organization can absorb. That is the first input a CISO must demand from the board, not the other way around.

Once MAMI is quantified, in revenue terms, in regulatory terms, in customer-trust terms, the second input flows naturally. Which portion of the digital enterprise must remain operational, unaffected, no matter what is happening three microsegments away?

And that is the Minimum Viable Digital Enterprise, the MVDE.

MVDE is not a list. It is an architecture. And in 2026, it has to be built for an adversary that does not sleep, does not hesitate, and does not need a human in the loop.


In June 2026, an autonomous AI-driven campaign breached over 600 FortiGate firewalls across 55 countries. Let that sink in. Six hundred firewalls. Fifty-five countries. No human attacker moves at that speed. No SOC, however well-staffed, triages at that speed either.

The only defense against a machine-speed adversary is to remove the path, not to outrun the attacker on detection. That is Zero Trust, and that is where MVDE stops being a planning exercise and becomes an enforcement architecture.

Data, AI, and Application Hardening Are Essential Too, but Microsegmentation Is Foundational

In every communication, the consumer experience begins and ends at the application layer, likely powered by the most modern AI capabilities and leveraging an underlying data layer. Most of these layers need to be carefully constructed and hardened to allow the right identities to access the right resources when authorized.

Advancements in AI will mean AI agents will soon run amok across our digital landscapes. And with the growth of frontier AI models in cybersecurity, the world will face faster, wider, more complex, and more layered attacks.

Every board meeting is replete with a question hanging like Damocles’ sword. What are we doing about AI? Executives are working overtime with the Chief AI Officer, the CIO, or the CDO to plan the next AI innovation. Each of these uses the underlying data and enables the AI value to be applied in the application.

However, beneath all these exciting layers is the digital infrastructure that allows one system to communicate with another. That is what Applications, AI, and Data depend upon, and most attackers operate in the configuration junctions between all of them.

So even if the application, the AI, or the data is vulnerable, if the underlying digital infrastructure offers no path for one system to reach another, an attacker has no route to take.


Going Back to Basics: Architecting the Digital Enterprise Into Zones and Microsegments That Must Not Be Breached

Zoning is not new. ISO 27001 has it. ISA 62443 has it. Most organizations have a Tier-0 asset list sitting in a spreadsheet somewhere. The problem is that the network underneath that spreadsheet is flat, and a workstation in a non-critical HR segment can become the on-ramp to the payment-processing core. The Tier-0 list is correct on paper and irrelevant in practice, because nothing in the architecture actually enforces it by disallowing connections between the tiers.

This is where MVDE changes the question entirely.

Instead of asking “What must we recover?”, business leaders must ask, guided by the MAMI: “Which digital systems can we afford to architect to remain unaffected today, and which must we plan for tomorrow?”

CISA put this quite bluntly. Plan for survivability. Prevention alone is not enough.


Map the digital enterprise into zones, not lists. Zone 1 and Zone 2 carry the bulk of the MVDE, the 24/7 OT and revenue-critical systems, and the critical-but-survivable systems that can be taken offline under pressure. Zones 3 and 4 carry user and behavioral risk, where EDR telemetry, fused with microsegmentation, can flag a privileged-access attempt in a zone where that access has no business being there. Zone 5 is everything else.

Every zone is built from microsegments that deny lateral movement by default, using allow-list policies rather than block-lists. Every microsegment connects through controlled conduits that can be severed the instant an attack is detected, isolating the blast radius to the segment where it began.
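To make the mechanism in the last two paragraphs concrete, here is an added Python model of a deny-by-default microsegmentation policy. It is example code written for this article, not ColorTokens product code, and the segment names, zone numbers, ports and flow records in it are constructed for illustration. It shows three things the text describes: an allow-list that drops every flow without an explicit rule, a conduit that can be severed mid-incident to shrink the blast radius, and a flow audit that flags attempts to reach a more critical zone from a less critical one.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AllowRule:
    """One allow-list entry: src microsegment may reach dst microsegment on port."""
    src: str
    dst: str
    port: int


@dataclass
class SegmentPolicy:
    """Deny-by-default microsegmentation policy (example model, not a product API).

    zones maps each microsegment to its zone number (1 = most critical, 5 = everything else).
    A flow passes only if an AllowRule matches it exactly; there is no block-list.
    severed holds conduits (src, dst) that were cut during an incident.
    """
    zones: dict
    rules: set
    severed: set = field(default_factory=set)

    def permits(self, src: str, dst: str, port: int) -> bool:
        # A severed conduit overrides any allow rule; otherwise only explicit rules pass.
        if (src, dst) in self.severed:
            return False
        return AllowRule(src, dst, port) in self.rules

    def sever(self, src: str, dst: str) -> None:
        """Cut a conduit the instant an attack is detected on it."""
        self.severed.add((src, dst))

    def restore(self, src: str, dst: str) -> None:
        self.severed.discard((src, dst))

    def blast_radius(self, compromised: str) -> set:
        """Microsegments an attacker could reach from a compromised one via permitted conduits."""
        reached = {compromised}
        queue = deque([compromised])
        while queue:
            cur = queue.popleft()
            for rule in self.rules:
                if (rule.src == cur and rule.dst not in reached
                        and self.permits(cur, rule.dst, rule.port)):
                    reached.add(rule.dst)
                    queue.append(rule.dst)
        return reached

    def unaffected_share(self, compromised: str, mvde: set) -> float:
        """Fraction of MVDE microsegments that lie outside the blast radius."""
        affected = self.blast_radius(compromised) & mvde
        return 1 - len(affected) / len(mvde)

    def audit_flows(self, flows) -> list:
        """Return denied flows, flagging those that aim at a more critical zone."""
        findings = []
        for src, dst, port in flows:
            if self.permits(src, dst, port):
                continue
            reason = "conduit severed" if (src, dst) in self.severed else "no allow rule"
            findings.append({
                "src": src, "dst": dst, "port": port, "reason": reason,
                # Zone numbers decrease toward Tier-0, so dst < src means privilege escalation.
                "zone_escalation": self.zones[dst] < self.zones[src],
            })
        return findings


def build_sample_policy() -> SegmentPolicy:
    """Constructed sample: six microsegments across the five zones."""
    zones = {
        "payment-core": 1, "ot-plant": 1,      # Zone 1: 24/7 revenue-critical and OT
        "payroll-db": 2,                        # Zone 2: critical but survivable
        "hr-app": 3,                            # Zone 3: user and behavioral risk
        "hr-workstations": 4,                   # Zone 4: user and behavioral risk
        "guest-wifi": 5,                        # Zone 5: everything else
    }
    rules = {
        AllowRule("hr-workstations", "hr-app", 443),
        AllowRule("hr-app", "payroll-db", 5432),
        AllowRule("payment-core", "ot-plant", 8443),
    }
    return SegmentPolicy(zones, rules)


# The MVDE for this sample: the segments that must stay unaffected.
MVDE = {"payment-core", "ot-plant", "payroll-db"}

# Constructed flow records, as a segmentation gateway or EDR sensor might report them.
SAMPLE_FLOWS = [
    ("hr-workstations", "hr-app", 443),          # permitted
    ("hr-workstations", "payment-core", 445),    # denied, escalation toward Zone 1
    ("guest-wifi", "hr-app", 443),               # denied, escalation toward Zone 3
    ("hr-app", "hr-workstations", 3389),         # denied, no escalation
    ("hr-app", "payroll-db", 5432),              # permitted
]


if __name__ == "__main__":
    policy = build_sample_policy()
    print("blast radius from hr-workstations:", sorted(policy.blast_radius("hr-workstations")))
    print("MVDE unaffected share:", policy.unaffected_share("hr-workstations", MVDE))
    policy.sever("hr-app", "payroll-db")
    print("after severing hr-app -> payroll-db:", sorted(policy.blast_radius("hr-workstations")))
    for finding in policy.audit_flows(SAMPLE_FLOWS):
        print("denied:", finding)
```

In the sample, a compromised HR workstation can reach the HR app and, through it, the payroll database, so one of the three MVDE segments is inside the blast radius; severing the single hr-app to payroll-db conduit brings the unaffected share of the MVDE to 100% without touching any other zone. The audit output is the kind of signal the text describes when it talks about flagging a privileged-access attempt in a zone where that access has no business being.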

Research consistently shows up to 70% of breaches depend on lateral movement to reach a Tier-0 asset. Cut the path, and you cut the campaign, regardless of whether the attacker behind it is a human or a human commandeering an autonomous AI.

What This Means for the Next Board Meeting

Stop asking the CISO “Are we secure?” Start asking two quantified questions:

  1. Have we established and communicated our Maximum Acceptable Material Impact in dollars, regulatory exposure, and customer trust to every person on the leadership team, and the period for its review?
  2. How can a carefully engineered breach-readiness program steadily increase, from its current level, the percentage of our digital enterprise that remains unaffected should that threshold ever be tested by an AI-speed adversary?

If the honest answer to the second question is “we have a BCP,” you already know what the SEC filing will say in twelve months.

Breach readiness is not a destination. It is a discipline — reviewed after every business change, tested before every quarter, and built on the assumption that the breach is not a question of if. The organizations writing 8-Ks under Item 1.05 this year did not lack security budgets. They lacked a quantified MAMI and an architected MVDE.

If you are unsure how to start your breach readiness journey, begin by assessing the impact of your breach readiness to determine your current MVDE. The next step is then to go back to your inventory of digital and AI assets and prepare to present your MVDE and seek the MAMI.

As you might have already realized by now, the secret to being breach ready is to just begin, and you will be on your way.

To understand where your organization stands today and how to begin building a breach ready MVDE, contact the ColorTokens team.