Why Resilience—Not Prevention—Should Be Your Cybersecurity Goal
At some point soon, our organizations will be hacked. We won’t know exactly when, where, or how, but it will happen.
For all the hard work, dedication, long hours, and a substantial amount of money we all put into preventing cybersecurity threats from damaging our organizations, it simply doesn’t change the fact—yes, the fact—that successful cybersecurity attacks are inevitable. As important as strong preventative measures are, we can’t pretend that a strategy built solely or primarily around preventing attacks is enough.
What’s the alternative? Fortunately, we have a good Plan B, which I think should become almost every organization’s new Plan A. It’s cyber resilience, and it starts with the assumption that all organizations will be hacked at some point. A cyber resilience strategy ensures that when our defenses are penetrated, and our data is exfiltrated, we can recover quickly and completely, thus limiting damage. Most importantly, cyber resilience ensures that we continue to operate on a nearly continuous basis with little or no downtime and with minimal negative impact.
Let me anticipate your next question: No, I am not advocating a policy of digital appeasement, where we let the bad actors do their thing and focus entirely on damage control. Far, far from it, in fact. Prevention must remain an essential part of our cyber defenses; we can’t let the attackers run amok inside our systems. We must make life difficult for hackers, thieves, and digital miscreants. No one wants to be an easy target.
But a prevention-centric, or prevention-first, approach to cybersecurity almost guarantees that someone or something will get inside our walls and wreak havoc, impacting our ability to keep mission-critical systems up and running. That outcome carries serious financial, operational, reputational, legal, and regulatory impacts. In some industries, downtime or data exfiltration can carry life-or-death implications.
Why Cyber Resilience Is a Better Approach
I like cyber resilience as the cornerstone of a cybersecurity framework for several reasons. First, although much of the responsibility falls on the IT and SecOps teams, emphasizing sustained operations rather than threat prevention puts the onus across the entire organization. It becomes—in the case of manufacturing—a site-specific strategy for a managed recovery. It’s not an IT or security problem but an organizational imperative. Finance, operations, R&D, supply chain, customer service—every core part of our business is involved because the emphasis is on sustaining critical business operations.
Second, it shifts the need for continuous visibility from cyberthreats to how those threats may impact the business. C-suite executives, board members, and even our partners and customers should know that we are maniacally focused on minimizing risk to revenue, profits, and brand reputation rather than on blocking phishing attempts.
Third, resilience doesn’t mean you put aside the basic blocking and tackling of cybersecurity. It reinforces the need for intelligent cyber hygiene, regular testing, a competent backup and recovery strategy, and a focus on real-time communication inside and outside the organization. Resilience doesn’t replace traditional detection-and-response requirements; it augments and cements them.
Fourth, cyber resilience puts aside the often misplaced prioritization of compliance as a proxy for good cybersecurity. As crucial as regulatory compliance is as a byproduct of cybersecurity best practices, it is not an end. Cyber resilience makes compliance easier and more efficient to demonstrate. Going beyond the bare minimum of compliance, cyber resilience streamlines the demonstration of adherence by fostering repeatable and documented processes alongside a well-maintained, up-to-date, and tested incident response plan.
Momentum for Cyber Resilience Is Building
There’s good news for those reading this article and wondering how you can sell a mind-shift like this to your management and colleagues. The concept of cyber resilience took root in the past decade and has rapidly gained acceptance and adoption in recent years.
Market research organizations—another important influencer group in promoting emerging industry trends and educating executives on language and processes—also have picked up the banner of cyber resilience. Enterprise Strategy Group (ESG), a leading market-watcher and publisher of important cybersecurity market data, noted that “better resiliency” was the number-two benefit achieved by organizations in building cloud-native applications [1]. In another report, ESG said “improving cybersecurity and resiliency against cyberattacks” was the number-one consideration in justifying IT investments in the next 12 months [2]—language matters.
Manufacturing companies must pay obsessive attention to resilience because the cost of downtime or data loss can be massive to us—and not just the financial costs. It wasn’t quick or easy for us, and I won’t try to tell you it will be for your organization. What I will tell you is that the effort was well worth it for us, and it will be for you, too.
Next Steps Toward a Resilience-Based Cyber Strategy
Let me close with a few suggestions that may help you make this journey toward cyber resilience successful for you and your organization:
- Practice, practice, practice your incident response plan after you’ve built in resilience. Don’t assume everything will run according to plan.
- Take time to do a thorough analysis of how cybersecurity has impacted—and could further impact—your business operations. Measure everything, and don’t assume any part of your business operations is fully protected all the time.
- Educate the entire organization, from the C-suite and the board to the newest hire. Cyber resilience best practices should be communicated at every opportunity and followed with religious zeal.
- Keep asking yourselves: “How can we recover faster and more completely?” Your answers are likely to change over time.
- Help the line-of-business leaders (and their entire teams) understand how this benefits them. You need their buy-in, but then much more. You need their vision, creativity, innovation, and honesty. You won’t succeed without it.
It’s quite a journey to become a cyber-resilient organization. But every step is well worth it. As I said earlier, you can’t stop every incident. But cyber resilience will ensure that you will be better positioned to avoid potential disasters and get back into the game immediately.
1. Paul Nashawaty and Christian Perry, “Research Report: Distributed Cloud Series: The Mainstreaming of Cloud-native Apps and Methodologies,” Enterprise Strategy Group, July 21, 2023.
2. Christian Perry and Bill Lundell, “2024 Technology Spending Intentions Survey,” Enterprise Strategy Group, February 13, 2024.