Businesses reaching the “acceptance stage”: given inevitable breaches — how to prepare for them?


Attacks targeting corporate IT infrastructure—particularly through ransomware—and various other cyber incidents are increasingly recognized as significant risks to business continuity. More critically, management is now inquiring not “Could we be attacked?” but rather “What will our response be when we are attacked?” Consequently, numerous companies are working towards enhancing their cyber-resilience.

The World Economic Forum (WEF) characterizes cyber-resilience as an organization’s capacity to lessen the effects of major cyber incidents on its core business goals and objectives. The U.S. National Institute of Standards and Technology (NIST) adds to this definition by stating that cyber-resilience is the ability to forecast, endure, recover from, and adapt to negative conditions, attacks, or compromises within cyber systems.

There is a consensus that modern companies must be cyber-resilient—but the actual execution of a cyber-resilience plan poses various challenges. A Cohesity survey involving 3,100 IT and cybersecurity leaders reveals that 98% of participating companies want to recover from a cyberattack within 24 hours, yet only 2% can truly achieve this target. In reality, approximately 80% of companies require between four days and… three weeks to recuperate.

The seven pillars of cyber-resilience

In its Cyber-Resilience Compass whitepaper, the WEF highlights the following essential components of a strategy:

  • Leadership: incorporating cyber-resilience into the organization’s strategic objectives; effectively communicating its significance to teams; establishing company-wide tolerance levels for major cyber-risks; empowering individuals tasked with creating and (if necessary) executing swift response scenarios.
  • Governance, risk, and compliance: defining a risk profile; clearly assigning responsibilities for particular risks; planning and implementing risk mitigation strategies; ensuring compliance with regulations.
  • People and culture: enhancing cybersecurity expertise; customizing security awareness training based on each employee’s role; recruiting personnel with appropriate cybersecurity skills; fostering an environment where employees can report incidents and mistakes without fear.
  • Business processes: prioritizing IT services according to their importance for business continuity; preparing for worst-case scenarios and encouraging adaptability. This includes thoroughly planning how critical processes will operate during significant IT failures.
  • Technical systems: creating and consistently updating protection measures tailored to specific systems. For instance, secure configurations (hardening), redundancy, network micro-segmentation, multi-factor authentication (MFA), tamper-proof backups, and log management. The level of security and resources allocated must be commensurate with the system’s significance. To ensure timely and efficient threat response, it is vital to establish systems that merge detailed infrastructure monitoring with semi-automated responses, such as XDR, SIEM+SOAR, or comparable tools.
  • Crisis management: forming incident response teams; refining recovery plans; identifying decision-makers during a crisis; preparing backup communication methods (like alternative channels in case corporate email and instant messaging systems fail); devising strategies for external communications.
  • Ecosystem engagement: cooperating with suppliers, regulators, and even competitors to enhance collective resilience.

Stages of cyber-resilience implementation

The same Cohesity survey indicates that most organizations perceive themselves to be at a midway point on the journey to cyber-resilience, with many having enacted some of the essential foundational technical and organizational measures.

Most commonly implemented:

  • Backup tools
  • Regular recovery drills for backups
  • MFA (though usually not at a company-wide scale or across all services)
  • Role-based access control (RBAC, often partially adopted)
  • Other basic cybersecurity hygiene practices
  • Formalized response plans
  • Annual or quarterly tabletop exercises testing crisis response protocols with personnel from various departments

Unfortunately, merely being “commonly implemented” does not equate to widespread adoption. Only 30–60% of the companies surveyed have implemented these measures even partially. Additionally, many organizations experience a lack of synergy between IT and cybersecurity teams, which results in insufficient collaboration in shared responsibilities.

According to the survey participants, the most difficult aspects to execute are:

  • Metrics and analytics. Assessing progress in cyber-resilience or innovations in security is challenging. A limited number of organizations can effectively calculate MTTD/MTTR or express risks in monetary terms. These are usually companies whose main focus is on risk assessment, such as banks.
  • Shifting company culture. Involving employees at all levels in cybersecurity initiatives poses difficulties. While fundamental awareness training is standard practice (as a hygiene habit), many companies struggle to customize it for individual departments or sustain regular engagement and updates due to workforce limitations.
  • Integrating cyber-resilience into the supply chain. Tasks such as preventing reliance on a single supplier and managing contractor security procedures are extremely complex and, despite the joint efforts of cybersecurity and procurement, often prohibitively costly to address across all parties involved.
  • Reorganizing cybersecurity itself. Another significant concern is re-evaluating the organization of cybersecurity and moving towards zero trust frameworks. We’ve discussed the challenges associated with this change previously.
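As an added illustration of the metrics that survey respondents find hardest to produce (example code written for this page, not part of the article or the Cohesity survey): computing MTTD and MTTR from an incident register, together with the share of closed incidents recovered within the 24-hour target cited above. The Incident fields, the timeline definitions and the sample records are constructed assumptions; adjust them to how your own register timestamps incidents.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional

@dataclass
class Incident:
    incident_id: str
    severity: str
    first_activity: datetime       # earliest attacker activity established by forensics
    detected: datetime             # when the alert was raised / the incident was declared
    recovered: Optional[datetime]  # service restored; None while the incident is still open

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample records (hypothetical, not taken from any real incident register).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "high",   _ts("2024-03-01T02:00"), _ts("2024-03-02T02:00"), _ts("2024-03-05T02:00")),
    Incident("INC-002", "medium", _ts("2024-03-10T08:00"), _ts("2024-03-10T10:00"), _ts("2024-03-10T20:00")),
    Incident("INC-003", "high",   _ts("2024-04-01T00:00"), _ts("2024-04-15T00:00"), _ts("2024-04-22T00:00")),
    Incident("INC-004", "low",    _ts("2024-05-05T12:00"), _ts("2024-05-05T13:00"), None),
]

def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600

def resilience_metrics(incidents, severity=None, target_hours=24):
    """MTTD/MTTR in hours (mean and median) plus the share of closed incidents
    recovered within target_hours. Here MTTD = detected - first_activity and
    MTTR = recovered - detected; open incidents count toward MTTD only."""
    sel = [i for i in incidents if severity is None or i.severity == severity]
    for i in sel:  # reject records whose timeline is out of order
        if i.first_activity > i.detected or (i.recovered and i.recovered < i.detected):
            raise ValueError(f"{i.incident_id}: timeline out of order")
    ttd = [_hours(i.detected, i.first_activity) for i in sel]
    ttr = [_hours(i.recovered, i.detected) for i in sel if i.recovered]
    return {
        "incidents": len(sel),
        "closed": len(ttr),
        "mttd_hours": mean(ttd) if ttd else None,
        "median_ttd_hours": median(ttd) if ttd else None,
        "mttr_hours": mean(ttr) if ttr else None,
        "median_ttr_hours": median(ttr) if ttr else None,
        "recovered_within_target": (sum(h <= target_hours for h in ttr) / len(ttr)) if ttr else None,
    }

if __name__ == "__main__":
    for sev in (None, "high"):
        print(sev or "all", resilience_metrics(SAMPLE_INCIDENTS, severity=sev))
```

Reporting the median next to the mean matters: a single long-undetected intrusion (INC-003 here) drags the mean far from what most incidents look like.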

Experts stress that cyber-resilience is not simply a project with a definitive completion point — it is an ongoing process comprising several phases that eventually encompasses the entire organization.

Essential resources

Implementing cyber-resilience starts with strong support from the board. Only after this can collaboration between the CIO and CISO facilitate real changes and prompt advancements in the implementation process.

In most organizations, roughly 20% of the cybersecurity budget is allocated to technologies and projects related to cyber-resilience — covering incident response, identity management, and training initiatives.

The central cyber-resilience team should be a small, cross-functional group empowered and supported to mobilize IT and cybersecurity resources for each phase of implementation, and to involve external specialists when necessary — for example, in areas such as training, tabletop exercises with management, and security evaluations. Having the appropriate skill set within this core team is crucial.

The process of implementing cyber-resilience is primarily organizational rather than merely technical — therefore, alongside a comprehensive asset inventory and security protocols, significant efforts are needed to prioritize risks and procedures, clarify roles and responsibilities in critical departments, document, test, and refine incident playbooks, and conduct thorough staff training.
