Moving Beyond Defense: A Resilient CISO’s Guide to What Cyber Resilience Should Be

Learn how to build true cyber resilience through four key pillars: anticipate, withstand, recover, and adapt. CISO Harold Rivas shares a practical blueprint for strengthening your security posture.


As security leaders, we have spent decades building defenses. We invest in prevention, hoping to stop the inevitable. Yet, attacks persist, and organizations continue to face significant disruptions. It's time to shift our focus. We must move from a mindset of prevent and react to one centered on the ability to withstand and adapt. This is the core of cyber resilience.

Cyber resilience cannot remain just another industry buzzword; it needs to become a strategic imperative for modern enterprises. In this post, I will define what cyber resilience should mean, explore the foundational goals that drive it, and share practical steps from our own journey at Absolute to help you build a more resilient organization.

What Is Cyber Resilience - Really?

The term "resilience" is seen everywhere, but a shared understanding is critical for progress. The National Institute of Standards and Technology (NIST) provides an excellent definition in its publication, NIST SP 800-160, Volume 2: Developing Cyber Resilient Systems.

NIST defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises."

This definition gives us a powerful framework built on four key goals:

  1. Anticipate: Prepare for potential threats.
  2. Withstand: Endure an attack without operational collapse.
  3. Recover: Restore normal operations rapidly after an incident.
  4. Adapt: Learn from every event to become stronger.

Let's explore what each of these goals means in practical terms.

1. Anticipate: Preparing for Adversary Actions

Anticipation requires us to think like our adversaries. We must conduct thorough threat assessments to understand which threat actors are most likely to target our organization based on industry, region, and size. This is not about predicting the future but about preparing for likely scenarios.

Proactive risk evaluations and threat intelligence programs are essential here. By understanding the campaigns an adversary might launch, you are better positioned not only to withstand an attack but also to recover from it more effectively. Anticipation provides the foresight needed to build a relevant and robust defense.

2. Withstand: Designing for Durability

Withstanding an attack means absorbing its impact without business disruption. This goal is achieved through robust architectural design and defense-in-depth strategies. We must engineer systems and controls with the assumption that individual components will fail.

When one control is bypassed, another must be ready to take its place. This layered approach ensures that a single point of failure does not lead to a complete collapse. The ability to withstand is a direct measure of your organization's operational durability in the face of an active threat.

3. Recover: Ensuring Rapid Restoration

Recovery is a critical component of resilience that deserves far more energy than it often receives. The objective is to minimize downtime and restore business operations as quickly as possible following an incident.

Effective recovery depends on well-defined incident response playbooks and the ability to deploy them rapidly. For example, having immutable backups is fundamental to recovering from a ransomware attack. Fast recovery is not just about technology; it is about processes and preparation that enable your organization to get back to business with minimal impact on revenue and mission-critical functions.

4. Adapt: Learning and Improving from Every Incident

The final goal, adaptation, is arguably the most powerful. It is the ability to learn from every incident and emerge stronger. I am a great admirer of Nassim Nicholas Taleb’s book, Antifragile, which explores how systems can gain from disorder. This concept is directly applicable here.

Every incident, whether it's a successful EDR bypass or a sophisticated phishing campaign, is an opportunity to improve. Ask yourself:

  • What does this attack tell me about my adversary?
  • Where did my existing controls fall short?
  • How can I enhance my security posture to prevent this from happening again?

By treating every incident as a lesson, you create a feedback loop that continually strengthens your organization. This is the essence of becoming antifragile—you don't just survive attacks; you benefit from them.

The Journey to Cyber Resilience: A Practical Blueprint

At Absolute, I serve as both CISO and CIO, giving me a unique perspective on implementing these concepts. Building our cyber resilience program required a strategic focus on four key pillars.

Pillar 1: Maximum Endpoint Visibility and Control

Our program began with our most vulnerable assets: our endpoints. We leveraged our unique firmware-level connection to gain unparalleled visibility and control. Operating below the OS, we ensure our security capabilities remain active even if an endpoint's primary defenses, like an EDR solution, are compromised or disabled. This unbreakable connection is the foundation of our resilient posture.

Pillar 2: Maintaining Control Hygiene

Confidence in your controls is non-negotiable. Configuration drift is a constant challenge, where desired security tools become disabled or misconfigured over time. Our research shows that up to 25% of security controls are not in their desired state at any given moment. We use our technology to persist our critical applications, ensuring they are always present and functional.
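As an added illustration of the control-hygiene check this pillar describes (example code written for this post, not Absolute's product or code), the following evaluates a constructed endpoint inventory against a desired state and reports which controls have drifted and how far; the control names, attributes and hosts are assumptions.

```python
from collections import defaultdict

# Desired state of each critical control. Names and attributes are constructed
# for this example; a value may be a literal or a predicate on the reported value.
DESIRED_STATE = {
    "edr_agent":       {"installed": True, "running": True, "version": lambda v: v >= 7},
    "disk_encryption": {"enabled": True},
    "host_firewall":   {"enabled": True},
}

# Constructed inventory, shaped like what an endpoint agent might report.
INVENTORY = [
    {"host": "lt-001", "edr_agent": {"installed": True, "running": True, "version": 7},
     "disk_encryption": {"enabled": True}, "host_firewall": {"enabled": True}},
    {"host": "lt-002", "edr_agent": {"installed": True, "running": False, "version": 7},
     "disk_encryption": {"enabled": True}, "host_firewall": {"enabled": True}},
    {"host": "lt-003", "edr_agent": {"installed": False},
     "disk_encryption": {"enabled": True}, "host_firewall": {"enabled": False}},
    {"host": "lt-004", "edr_agent": {"installed": True, "running": True, "version": 6},
     "disk_encryption": {"enabled": False}, "host_firewall": {"enabled": True}},
]

def control_in_desired_state(desired, actual):
    """A control is healthy only when every expected attribute matches.
    A missing control or attribute counts as drift: no evidence is not compliance."""
    if actual is None:
        return False
    for key, want in desired.items():
        have = actual.get(key)
        if have is None:
            return False
        if not (want(have) if callable(want) else have == want):
            return False
    return True

def drift_report(inventory, desired_state=DESIRED_STATE):
    """Return (per-control drift fraction, {host: [drifted control names]})."""
    drifted_by_host = defaultdict(list)
    failures = {name: 0 for name in desired_state}
    for endpoint in inventory:
        for name, desired in desired_state.items():
            if not control_in_desired_state(desired, endpoint.get(name)):
                failures[name] += 1
                drifted_by_host[endpoint["host"]].append(name)
    rates = {name: failures[name] / len(inventory) for name in desired_state}
    return rates, dict(drifted_by_host)

def overall_drift_rate(inventory, desired_state=DESIRED_STATE):
    """Share of all (host, control) pairs that are out of their desired state."""
    rates, _ = drift_report(inventory, desired_state)
    return sum(rates.values()) / len(rates)
```

The per-host list is the work queue for re-persisting controls; the overall rate is the figure to track over time against the 25% the post cites.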

Pillar 3: Implementing a Zero Trust Architecture (ZTNA)

Zero Trust principles are fundamentally aligned with cyber resilience. ZTNA is not a single tool but a strategic approach that shifts security from a network-centric to a resource-centric model. It gives us the granular control needed to take specific actions on a device or user based on changing conditions. Implementing ZTNA was an essential step to enable the rapid recovery and adaptive control our resilience program required.

Pillar 4: Engineering for Fast Recovery and Adaptation

Finally, we focused on our ability to recover quickly. This involves more than just technology; it means working closely with DevOps and SRE teams to understand what keeps the organization running. We drew inspiration from concepts like chaos engineering, pioneered by Netflix, to test our systems against failure scenarios. By proactively simulating outages and attacks, we build the muscle memory required for rapid and effective recovery.

Bringing Resilience to the Boardroom

To succeed, cyber resilience must be a shared objective across the entire organization, starting at the top. Conversations with your board should not focus on specific security controls but on the protection of business operations and revenue.

Frame the discussion around strategic questions. Turn to your CFO and ask, "If I see early indicators of ransomware on your device, do I have your permission to disable it immediately to protect the company?" Gaining alignment on proactive measures from senior leadership creates a culture that empowers security teams to act decisively. You cannot do this alone. Resilience is a team sport.

By engineering for failure and creating alignment from the board down, CISOs can lead their organizations toward a future where cyber events are manageable incidents, not catastrophic crises.

We have laid the foundation. In the next episode of The Resilient CISO on LinkedIn Live, we will outline a blueprint for leading your teams and organization toward greater cyber resilience. I hope you will join me.

For more about how CISOs are shifting their roles from protection-driven to resilience-driven, take a look at the Gartner Maverick Research report.