The new face of cyber resilience: Why prevention is no longer enough
Cybersecurity has shifted from protection to survival—and most organizations are still preparing for the wrong battle.
Preventing attacks is no longer enough in cybersecurity. Real resilience comes when organizations accept that breaches can happen, test recovery plans often, and share responsibility with vendors and teams. If attackers get in, can your business keep running?
For years, cybersecurity was treated as a back-office concern, something for IT to handle while executives focused on growth, margins, and market share. But as digital threats have evolved from technical nuisances into existential risks, that old approach no longer works.
Today, leaders across industries are placing cyber risk at the very center of strategic planning.
“The question is never whether a sufficiently determined attacker could get in; it’s what happens when they do,” says Eliad Kimhy, Senior Security Researcher at Acronis.
There is a fundamental shift: resilience is no longer an IT afterthought; it is a business capability, a competitive lever, and in the modern enterprise, a matter of survival.
THE CHANGING FACE OF RESILIENCE
For Kimhy, the shift in mindset begins with accepting a hard truth. Real resilience, he explains, is “an operational capability: the ability to absorb a significant incident and continue functioning at some meaningful level while responding.” That means moving beyond the fantasy of perfect defense and preparing for the moment when defenses fail.
Kimhy cites examples that raise the bar for what resilience demands. In 2012, Shamoon wiped 35,000 workstations at a major energy firm. In 2017, Triton/Trisis targeted safety systems at a petrochemical plant with apparent intent to cause physical harm. “These weren’t ransomware campaigns,” Kimhy says. “They were designed to destroy. Resilience in that context means something more demanding than recovering encrypted files.”
He outlines three dimensions of genuine resilience. Architectural resilience means systems fail partially, not completely: critical functions have redundancy, networks are segmented, and operational technology and information technology are meaningfully separated rather than separated in name only. Process resilience means the organization can still function when technical systems fail: manual fallbacks are in place and have been tested, and decision authority is clear under crisis conditions. Human resilience means people at every level, not just the security team, know what to do when something goes wrong.
Kimhy warns that in places where organizational hierarchy is pronounced and decisions flow from the top, that last dimension is a specific gap. “If an incident takes out communications or senior decision-makers are unprepared, organizations freeze,” he says. “Freezing during an active attack is itself a form of failure.”
According to Mortada Ayad, VP of Sales – META at Delinea, in sectors like energy, finance, and healthcare—environments that simply cannot afford to stop—resilience begins with accepting compromise and designing for recovery from day one. “Prevention is about having the right controls in place. But this is not a true measure of resilience. You only really understand resilience through real-world outcomes.”
Those outcomes include how quickly you can detect an issue, how fast you can contain it, and whether you can continue operating safely while the incident unfolds.
Physical security systems such as cameras, sensors, and surveillance networks are now more connected and more at risk. For these, Steven Kenny, Manager of the Architect & Engineering Program – EMEA at Axis Communications, recommends that organizations use end-to-end strategies, manage systems throughout their lifecycles, keep systems up to date, and follow best practices. “Not all technologies are developed or supported in the same way,” Kenny says, “so these decisions have a direct impact on risk exposure.” He also stresses the need for effective system maintenance, close collaboration with vendors, and adherence to industry standards.
MEASURING WHAT MATTERS
One of the biggest problems Kimhy sees is that most organizations are measuring the wrong things. “Patch rates, training completion percentages, and so on,” he says. “These are activity metrics. They tell you what the security team is doing, not how the organization would perform under real pressure.” Instead, he argues for outcome-based metrics, with Mean-Time-To-Recover—not detect or contain, but restore full operational capability—as the single most important number.
He notes that most organizations genuinely cannot give that number because they have never had to find out. “When realistic recovery exercises are run,” Kimhy says, “the gap between documented Recovery Time Objectives and actual performance is typically measured in multiples. A system nominally recoverable in four hours takes eighteen.”
Kimhy also points to other critical indicators that most organizations cannot honestly answer: blast radius under adversarial conditions (how much capability degrades if an attacker achieves a defined level of access, assessed through genuine red team exercises rather than vulnerability scans), supply chain failure tolerance (what happens when a key third-party vendor or managed service provider is compromised), and regulatory recovery thresholds (how close to breach notification and recovery obligations the organization operates under stress). “Knowing your actual performance against those thresholds before an incident is basic risk management,” he says. “Most organizations don’t.”
Ayad agrees, emphasizing that resilience only reveals itself through real-world outcomes. “How quickly can you detect an issue? How fast can you contain it? How long does it take to restore privileged access or bring critical services back online?” Those are the metrics that matter, he says. “It also comes down to knowing what truly matters in your environment – your critical identities, systems, and third-party dependencies – and being able to reduce access instantly when risk increases.”
He points to recent incidents involving physical data center infrastructure in which services were disrupted, but organizations recovered without data loss or prolonged operational damage. “That’s what resilience looks like in practice,” he says. “It’s about taking the hit, limiting lateral movement, protecting privileged access, and recovering without major business disruption.”
Measurement is tied to vendor accountability and supply chain transparency, says Kenny, adding that not all technologies are developed or supported equally, and that organizations must scrutinize long-term support commitments and adherence to industry standards. “Building a future-ready surveillance system requires a strategic, security-first approach that combines resilience, strong cyber hygiene, and trusted technology choices,” he says.
WHAT SEPARATES FAST RECOVERY FROM PROLONGED DISRUPTION
Kimhy has observed a pattern: The organizations that recover quickly from serious incidents share characteristics that are less technical than most people expect. “The single biggest differentiator is tested versus assumed recovery procedures,” he explains. Organizations that run full-scale simulations (restoring from backups, rebuilding compromised systems, and switching to manual operations) find gaps before they cause damage. Those with documented but untested procedures find them during the incident. He notes that “a persistent cultural challenge in many companies is that simulating failure feels like admitting vulnerability,” but the organizations that overcome that resistance recover faster and more consistently.
Having clean, separate, and verified backups is a key technical advantage, says Kimhy. “Ransomware operators specifically target backup systems before triggering encryption,” he warns, noting that several major incidents have extended dramatically because backup assumptions turned out to be wrong.
Ayad points to identity and access as the hidden fault line. “Attackers are often most successful when organizations don’t fully understand where their critical assets sit or how access to them is structured,” he says.
Fast recovery, he argues, comes down to preparedness: clear, tested playbooks, the ability to isolate compromised identities without shutting down the business, and confidence in recovery processes because they’ve been exercised before. “The breach itself is often just the starting point,” Ayad adds. “It’s everything that follows that determines how disruptive it becomes.”
Ayad notes that prolonged disruption is usually driven by uncertainty: too much standing privilege, unclear dependencies, and teams making critical decisions without full visibility. “Ultimately,” he says, “recovery is less about reacting in the moment and more about the groundwork that’s been laid beforehand. The organizations that recover well are the ones that have already thought through these scenarios in detail.”
Testing from a technology lifecycle perspective is important. Kenny advocates for “Security by Design”—embedding software security throughout the entire lifecycle, from production to decommissioning. While vendors play a critical role in identifying vulnerabilities and delivering updates, he stresses that not all approaches are equal, and that coordination among vendors, system integrators, and end users is essential for a rapid recovery.
BALANCING PREVENTION, DETECTION, AND RECOVERY
Many executives worry that investing in resilience will slow their business down. Kimhy disagrees. “Growth should not be constrained by security,” he says. “Rather than treating them as opposing forces, security should be understood as a safeguard against disruptions to growth.” He suggests that security leaders explain cyber risk in terms of business impact—such as lost revenue from outages, regulatory risks, and reputational damage—rather than focusing on technical details. He notes that this business-focused approach is more common in finance and large companies, but less so in mid-sized firms and other industries.
Balance looks different for every organization. “It must therefore start with a clear understanding of business risk, identity exposure, and operational priorities,” Ayad says. He points out that balance doesn’t mean spending equally on prevention, detection, and recovery. Prevention is always important, but it can’t be the only focus. Detection should target what matters most, especially identities and privileged access. Recovery needs to be part of the core business plan, not an afterthought.
Ayad recommends controls such as least privilege, just-in-time access, and strong monitoring of identity activity as smart investments that support prevention, detection, and recovery all at once. “That’s where the real efficiency comes in,” he says. “Done well, resilience supports growth because it gives leadership the confidence to innovate faster.”
Technology choices matter here as well. By adopting end-to-end solutions with robust lifecycle management and vendor accountability, organizations can reduce the friction that often accompanies bolt-on security measures, says Kenny.
THE BIGGEST MISCONCEPTIONS
Why do organizations that check every regulatory box still crumble under pressure? For Kimhy, the most consequential misconception is that compliance equals resilience. He acknowledges that regulatory frameworks have done real work in raising the baseline, but warns that “compliance frameworks are baseline-setting exercises by design. They describe a floor.”
Regulators are increasingly moving toward outcomes-based supervision, asking not just whether controls are documented but whether organizations can demonstrate they work. “That shift will expose the organizations that have been treating compliance as an endpoint,” Kimhy says, adding that the largest resilience gaps are not technological; they are process and governance gaps.
Ayad frames the issue not as a misconception but as a case of false confidence. “To their credit, organizations across the board have made real progress in strengthening preventive controls,” he says. “But resilience really begins where prevention ends. Even in the most hardened environments, breaches can and do happen. There will always be scenarios that bypass controls, and the real test is what happens next. That’s where gaps tend to appear.” He adds that resilience comes down to whether an organization can contain the threat quickly, maintain operations under pressure, and recover access and services without introducing further risk.
Ayad also notes that many leaders underestimate the role of identity in resilience. “Today, attackers often do not need to break in the traditional way. They log in, escalate privileges, and move through trusted pathways.”
That is why, he says, resilience must include strong control over human, machine, and privileged identities.
Another common misconception Ayad identifies is that resilience is a technology issue owned only by the security team. “In reality,” he says, “resilience is a business capability. It depends on executive alignment, operational discipline, identity governance, third-party risk management, and the ability to make fast decisions during disruption.” Ayad’s advice is simple: “Resilience is not just about preventing the incident. It is about ensuring the business can withstand it and recover with speed and trust.”
The gap between compliance and actual readiness is a persistent challenge. “When it comes to cyber readiness, a ‘Security by Design’ approach is key,” Kenny says. While vendors play a critical role, he warns that not all approaches are equal, and that cybersecurity remains a shared responsibility. Organizations that treat compliance as a checklist rather than embedding security throughout the technology lifecycle, he suggests, are the ones most likely to be caught off guard when an incident occurs.
Experts agree that prevention remains important and that compliance still matters. But today, attackers are not just after ransom—they want to disrupt operations, cause harm, and destroy trust. Real cyber resilience means expecting breaches, planning for recovery, testing every process, and understanding that cybersecurity is now a business issue, not just an IT concern. It’s a key business strength and, for modern companies, essential for survival.






















