May 1, 2025|9 min|Experts

How to achieve cyber resilience

Part one of a three-part series examines what cyber resilience is and isn’t—and the importance of preparedness.

The emergence of destructive cyberattacks has given rise to the increasing use of the term “cyber resilience” in place of cybersecurity. But what exactly does it mean? And how does an organisation become cyber resilient? In this three-part series, we will examine what cyber resilience is and how to achieve it.

What cyber resilience isn’t

Before we examine the definitions and components of cyber resilience, let’s get one thing out of the way—what cyber resilience isn’t.

Cyber resilience isn’t something you can buy. It isn’t a product, an employee, or an insurance policy. Cyber resilience is an emergent property that appears when the right governance, people, processes, and technology are in place to ensure that the organisation can withstand a cyber crisis to a degree deemed tolerable by the organisation.

Products from information security vendors can move you towards a state of cyber resilience, but they can’t deliver it on their own. Those products need to be integrated and operationalised to produce the operational outcomes that make up cyber resilience. Likewise, having a large security operations team full of well-trained staff can significantly advance your path to cyber resilience. However, if the organisation’s threat modelling and asset management are poor, there’s a real chance that what the team is monitoring on its consoles won’t detect a cyberattack.

This is why Cohesity invests a significant amount of resources in:

  • Hosting workshops
  • Employing experts in cybersecurity operations to advise customers, like our Field CISOs
  • Creating the Cyber Event Response Team
  • Authoring deployment, hardening, and solution guides that go beyond the product to describe how to achieve operational resilience outcomes

Cyber resilience is like a chain. The capability of the weakest link will drag down your overall level of cyber resilience. To achieve cyber resilience, all aspects must be improved in an interdependent and aligned manner until the desired level of resilience is reached. Many cybersecurity projects myopically focus on the deployment of a single product or the application of an individual control, while other related aspects remain nascent and drag down the overall level of resilience.

What cyber resilience is

There are various slightly differing definitions of cyber resilience from professional and standards bodies worldwide. Subtle details differ between them, but the essence of all of them is the ability of an entity to withstand a cyberattack with minimal disruption to its mission. Most of these definitions also align around three fundamental tenets that an organisation needs to have to achieve cyber resilience:

  • Is prepared for a cyberattack that affects the organisation’s ability to deliver its mission
  • Has the ability to respond to a cyberattack, including investigating root cause and remediating vulnerabilities, gaps in controls, and residual threats
  • Can recover to a secure state from a cyberattack

A lot of discussion around backup and recovery is focused on the last bullet point, but as discussed previously, cyber resilience is like a chain. Not understanding the role a data management solution plays in preparing for and responding to cyberattacks, or the associated workflows, can leave organisations without the cyber resilience they seek.

Moving from cybersecurity to cyber resilience

A glance at the logos featured in news headlines about ransomware attacks shows that cybersecurity isn’t enough. Many of these organisations have substantial cybersecurity budgets and large security teams, yet they still experience data theft and encryption. Historically, cybersecurity budgets have primarily focused on preventing and detecting incidents. This made sense: if you could stop an attack from happening, or break its attack chain before it reached exfiltration or encryption, you saved the organisation from a breach that impacted the confidentiality, integrity, or availability of its data. However, the financial motivation of ransomware gangs and the increasing geopolitical instability driving nation-state actors to use wipers are so great that prevention and detection are no longer enough.

The harsh reality is that in 2025, we cannot outspend or out-staff the threats we face. With adversaries reverse-engineering patches and baking exploits into their ransomware-as-a-service (RaaS) platforms within a handful of days, far faster than even the most efficient organisation can patch, we are likely to get hit. Every time we build our walls higher and our moats wider, the adversary simply builds taller ladders and better boats. Adversaries are also equipping their RaaS platforms with evasions for common security controls, rendering those significant investments in detection and prevention blind to ongoing attacks.

As a result, cyber insurers, regulators, and boards are demanding that organisations put in place the appropriate preparedness, response, and secure recovery steps to deliver cyber resilience. So, how does an organisation transition from a state that primarily focuses on detection and prevention to one that ensures that destructive cyberattacks can be handled with minimal disruption?

Cyber resilience is a chain

The first thing to remember is pragmatism. Cyber resilience is a chain. There is no point in myopically focusing on achieving perfection in one aspect of resilience if the rest of the supporting areas are a dumpster fire. This is why Cohesity introduced the Destructive Cyberattack Resilience Maturity Model, which defines five levels of progressive cyber resilience maturity (seen in the image below) that can be used to ensure all links in the cyber resilience chain are considered, so that the organisation can transition from its current state to one of resilience against destructive cyberattacks.

Image: Destructive Cyberattack Resilience Maturity Model diagram

For example, an organisation could have invested in a data management solution with vaulting capability to implement the 3-2-1 backup architecture, ensuring that it has a copy of its systems to recover from. However, it could still restore its vulnerable systems, complete with the adversary’s persistence mechanisms, back into production. This would allow the adversary to reinfect those systems within minutes if the right response steps of investigation and remediation aren’t taken.

Similarly, the organisation will not be resilient if the right shared responsibility model hasn’t been established between the security operations team that will investigate the incident and the IT operations team that will need to remediate the threats by patching vulnerable systems or recovering older configurations that are free of persistence mechanisms.

Follow the example of the Scouts: Be prepared

The first tenet common to all definitions of cyber resilience is preparedness.

This starts by understanding the adversary. Numerous open-source and commercial resources are available that detail the various ransomware and nation-state actors launching destructive cyberattacks. By understanding the vulnerabilities they target and their tradecraft, we can prioritise patching and ensure that our preventative and detective controls contain the appropriate rules to detect and prevent their activity. We also need to understand the later stages of their attacks, assuming that our preventative and detective controls will fail. By examining the actions taken during the exfiltration and impact stages of the MITRE ATT&CK framework, we can ensure that we have taken the necessary steps to protect our ability to respond and recover: building alternative detection capabilities that can’t be evaded, and putting the appropriate measures in place to meet our regulatory compliance obligations. The Cohesity Clean Room solution and DataHawk help deliver these elements of preparedness.

Then we need to understand our infrastructure and data, and how these support our organisation’s mission. This provides the context for what we’re protecting, our obligations to notify regulators and impacted data subjects, and the prioritisation of response and recovery efforts. Identification and classification of our data using Cohesity DataHawk and Data Security Alliance integrations with standard Data Security Posture Management (DSPM) solutions can help in this regard.

Part of understanding your infrastructure is taking a realistic view of how much of it would be impacted in a destructive cyberattack, such as ransomware or a wiper attack, conducted by a skilled nation-state adversary. I often find that traditional Business Impact Analysis, conducted for conventional business continuity and disaster recovery purposes, woefully underestimates the impacts of such attacks.

Understanding the Minimum Viable Response Capability

In a cyberattack, the building and data centre may still be standing, but critical systems such as door access control may be unavailable. Unavailability of Voice-over-IP and email systems will hamper communications with stakeholders, including senior executives, law enforcement, cyber insurers, third-party incident responders, regulators, impacted data subjects, and the press. Do you trust the firmware and configurations of the switches and routers you rely on to reach your SaaS-based IT operations management or cloud-based security tooling?

Getting the systems needed to even handle the response and secure recovery back to a functional, trusted state is one of the first stages of any response. Cohesity calls this capability the Minimum Viable Response Capability, and it can be rapidly restored using the Digital Jump Bag.

The final part of the preparation is ensuring that the right expectations regarding the time required for secure recovery have been set with senior executives. In traditional business continuity and disaster recovery scenarios, the root cause of an outage is usually one of the following: fire, weather, misconfiguration, equipment failure, or power loss. These root causes were obvious. Therefore, investigation time was minimal, and recovery was a straightforward restore to the last snapshot. A definitive recovery time objective (RTO) could be given, as it was a simple calculation based on the speed of the backup solution, the speed of the disk, and the size of the pipe.

Disaster recovery response vs. cyberattack response

In a cyberattack, you’re not in charge of how long the response will take. The adversary is. They can pick from hundreds of ATT&CK tactics and techniques and could have pivoted through a handful of systems, or hundreds. Having an effective and efficient response and recovery capability will shorten the achievable time to secure recovery. Still, it will always be longer than in traditional business continuity and disaster recovery scenarios, because the threats and the attack surface that are found must be investigated and remediated. Organisations that have not set the right expectations with senior executives will be under pressure to shorten the investigation and remediation steps, rushing to recovery.

Inevitably, this leads to reinfection or reattack. Persistence mechanisms, gaps in controls, and the same vulnerabilities the attacker used to get in are all restored along with the systems. In destructive cyberattacks, the time spent on response tasks, including investigation and remediation, is an investment in cyber resilience, preventing further downtime and disruption to the organisation’s mission. The key is to minimise the time these tasks take by creating an integrated shared responsibility workflow, and systems that let IT and security operations work together on response and recovery, such as the Cohesity Clean Room Solution.

Continually improving your people, process, and technology

The final part of preparedness is ensuring that the first time you suffer a destructive cyberattack isn’t the first time your team has experienced one. What I mean by this is that your processes, people, and technology should be continually refined to drive continuous improvement. Identify areas where automation and orchestration would have the greatest impact, and ensure your staff can rely on muscle memory rather than referring to a written SOP when a real incident occurs. Everyone should know their role, and you should be confident that the technology will work as expected. The Cohesity Clean Room Solution enables an organisation to conduct a full end-to-end response and recovery drill without touching production systems, minimising disruption and driving continuous improvement.

Coming soon

Now you know what cyber resilience is and isn’t, and how preparedness plays a key role in all of it. In the next part of this series, I will examine the response elements of cyber resilience, including how to overcome the challenges of control evasion by threat actors and how to conduct a response after your organisation has contained the incident by disconnecting systems and networks.

Written by James Blake, Global Cyber Resiliency Strategist
