Attacks on corporate IT infrastructure — especially using ransomware — and other cyber incidents are increasingly topping the lists of risks to business continuity. More importantly, they’ve caught the attention of management, who now ask not “Might we be attacked?” but “What will we do when we’re attacked?” As a result, many companies are striving to develop cyber-resilience.
The World Economic Forum (WEF) defines cyber-resilience as an organization’s ability to minimize the impact of significant cyber incidents on its primary business goals and objectives. The U.S. National Institute of Standards and Technology (NIST) refines this: cyber-resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, attacks, or compromises of cyber systems.
Everyone agrees today’s companies need cyber-resilience — but actually implementing a cyber-resilience strategy presents many challenges. According to a Cohesity survey of 3100 IT and cybersecurity leaders, 98% of surveyed companies aim to be able to recover from a cyberattack within 24 hours, while only 2% can actually meet that goal. In reality, 80% of businesses need between four days and… three weeks to recover.
The seven pillars of cyber-resilience
In its Cyber-Resilience Compass whitepaper, the WEF identifies the following key components of a strategy:
- Leadership: embedding cyber-resilience into the company’s strategic goals; communicating clearly with teams about its importance; defining company-wide tolerance levels for major cyber-risks; empowering those responsible for designing and (if necessary) executing rapid response scenarios.
- Governance, risk, and compliance: defining a risk profile; assigning clear responsibilities for specific risks; planning and implementing risk mitigation measures; ensuring regulatory compliance.
- People and culture: developing cybersecurity skills; tailoring security awareness training to each employee’s role; hiring staff with the right cybersecurity skills; creating a safe environment where employees can report incidents and mistakes without fear.
- Business processes: prioritizing IT services based on their importance to business continuity; preparing for worst-case scenarios and fostering adaptability. This includes planning in detail how critical processes will function in the event of large-scale IT failures.
- Technical systems: developing and regularly updating system-specific protection measures. For example, secure configurations (hardening), redundancy, network micro-segmentation, multi-factor authentication (MFA), tamper-proof backups, log management. The level of protection and allocated resources must be proportionate to the system’s importance.
For timely and effective threat response, it’s essential to implement systems that combine detailed infrastructure monitoring with semi-automated response: XDR, SIEM+SOAR, or similar tools.
- Crisis management: building incident response teams; improving recovery plans; designating decision-makers in the event of a crisis; preparing backup communication channels (for example, if corporate email and instant messengers are unavailable); developing external communications strategies.
- Ecosystem engagement: collaborating with supply-chain partners, regulators, and competitors to raise collective resilience.
Stages of cyber-resilience implementation
The same Cohesity survey reveals that most companies feel they are midway on the road to cyber-resilience, with many having implemented some of the necessary basic technical and organizational measures.
Most commonly implemented:
- Backup tools
- Regular backup recovery drills
- MFA (though rarely company-wide and across all services)
- Role-based access control (RBAC, also usually only partially implemented)
- Other cybersecurity hygiene measures
- Formal response plans
- Annual or quarterly tabletop exercises testing crisis response procedures with staff from various departments
Unfortunately, “commonly implemented” doesn’t mean widely adopted. Only 30–60% of the surveyed businesses have even partially implemented these. Moreover, in many organizations, IT and cybersecurity teams lack synergy, leading to poor collaboration in shared areas of responsibility.
According to the survey respondents, the most challenging elements to implement are:
- Metrics and analytics. Measuring progress in cyber-resilience or security innovation is difficult. Few organizations know how to calculate MTTD/MTTR or quantify risks in financial terms. Typically, these are companies whose core activity involves measuring risks, such as banks.
- Changing company culture. Engaging employees at all levels in cybersecurity processes is challenging. While basic awareness training is common (as a hygiene measure), few companies can adapt it to specific departments or maintain regular engagement and updates due to personnel shortages.
- Embedding cyber-resilience into the supply chain. From avoiding dependence on a single supplier to actually controlling contractor security processes — these tasks are extremely difficult and, even with the combined efforts of cybersecurity and procurement, often prohibitively expensive to address for all counterparties.
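The metrics point above is usually where teams get stuck: MTTD and MTTR are easy to name but rarely computed from actual incident records. The following Python script is an added illustration, not code from the article or from the Cohesity survey. It assumes a simple incident log with three timestamps per incident (first malicious activity as established during investigation, the moment the SOC raised the incident, and service restoration), measures MTTD from first activity to detection and MTTR from detection to recovery, and checks what share of incidents met a 24-hour recovery target, counting still-open incidents older than the target as missed. The incident IDs and times are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    """One row of a hypothetical incident log (constructed sample, not real data)."""
    incident_id: str
    occurred: datetime              # first malicious activity, established during investigation
    detected: datetime              # time the SOC raised the incident
    recovered: Optional[datetime]   # affected services restored; None while the incident is open

    def __post_init__(self) -> None:
        # Reject records that would silently produce negative durations.
        if self.detected < self.occurred:
            raise ValueError(f"{self.incident_id}: detected before occurred")
        if self.recovered is not None and self.recovered < self.detected:
            raise ValueError(f"{self.incident_id}: recovered before detected")


# Constructed sample incidents (hypothetical IDs and timestamps).
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", datetime(2024, 3, 1, 8, 0),   datetime(2024, 3, 1, 10, 0),  datetime(2024, 3, 1, 20, 0)),
    Incident("INC-002", datetime(2024, 3, 5, 22, 0),  datetime(2024, 3, 6, 2, 0),   datetime(2024, 3, 8, 2, 0)),
    Incident("INC-003", datetime(2024, 3, 10, 1, 0),  datetime(2024, 3, 10, 3, 0),  datetime(2024, 3, 10, 15, 0)),
    Incident("INC-004", datetime(2024, 3, 12, 9, 0),  datetime(2024, 3, 12, 9, 30), None),   # still open
]


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mttd_hours(incidents: List[Incident]) -> float:
    """Mean time to detect: average of (detected - occurred) over all incidents, in hours."""
    gaps = [hours(i.detected - i.occurred) for i in incidents]
    return mean(gaps) if gaps else 0.0


def mttr_hours(incidents: List[Incident]) -> float:
    """Mean time to recover: average of (recovered - detected) over closed incidents, in hours.
    Open incidents are excluded here because their recovery time is not yet known."""
    gaps = [hours(i.recovered - i.detected) for i in incidents if i.recovered is not None]
    return mean(gaps) if gaps else 0.0


def open_incidents(incidents: List[Incident]) -> List[str]:
    """IDs of incidents that have not yet been recovered."""
    return [i.incident_id for i in incidents if i.recovered is None]


def recovery_objective_met(incidents: List[Incident], target: timedelta, as_of: datetime) -> float:
    """Share of incidents recovered within `target` of detection.
    An open incident counts as a miss once it has been open longer than the target,
    so the ratio does not look better just because slow recoveries are still in progress."""
    if not incidents:
        return 0.0
    met = 0
    for i in incidents:
        if i.recovered is not None:
            if i.recovered - i.detected <= target:
                met += 1
        elif as_of - i.detected <= target:
            met += 1   # still open but not yet past the target: counted as met for now
    return met / len(incidents)


if __name__ == "__main__":
    now = datetime(2024, 3, 13, 12, 0)   # constructed reporting time
    print(f"MTTD: {mttd_hours(SAMPLE_INCIDENTS):.2f} h")
    print(f"MTTR: {mttr_hours(SAMPLE_INCIDENTS):.2f} h (closed incidents only)")
    print(f"Open incidents: {open_incidents(SAMPLE_INCIDENTS)}")
    share = recovery_objective_met(SAMPLE_INCIDENTS, timedelta(hours=24), now)
    print(f"Recovered within 24 h: {share:.0%}")
```

Two design choices are worth stating when a team adopts this kind of reporting: which timestamp starts the MTTR clock (detection here; some organizations measure from first malicious activity, which inflates the number but matches the business view of outage), and how open incidents are treated, since excluding them entirely makes the recovery-target ratio look better than reality.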
Another key issue is rethinking the organization of cybersecurity itself and transitioning to zero trust systems. We’ve previously written about the challenges of this transition.
Experts emphasize that cyber-resilience is not a project with a clear end point — it’s an iterative process with multiple phases, which eventually spans the entire organization.
Required resources
Implementing cyber-resilience begins with strong board-level support. Only then can collaboration between the CIO and CISO drive real changes and rapid progress in implementation.
In most companies, up to 20% of the cybersecurity budget is allocated to technologies and projects tied to cyber-resilience — including incident response, identity management, and training programs.
The core cyber-resilience team should be a small cross-functional group with the authority and support required to mobilize IT and cybersecurity resources for each implementation phase, and bring in external experts when needed — for example, for training, tabletop exercises with management, and security assessments. Having the right skill set in this core group is critical.
Implementing cyber-resilience is a largely organizational process, not just technical — so, in addition to a detailed asset inventory and security measures, serious work is required to prioritize risks and processes, define roles and responsibilities in key departments, document, test, and improve incident playbooks, and conduct extensive staff training.