Business Reporter

Cyber: Why resilience trumps prevention

Raghu Nandakumara at Illumio explains why every CEO needs a cyber-seatbelt


Most of us don’t typically climb into a car expecting to crash in the upcoming journey. But most of us still make sure to buckle our seatbelts, even on short journeys. Not because it prevents accidents, but because it protects us if today’s the day something happens. That small action is second nature, so much so that we hardly think about it.


In a recent conversation, cyber-psychologist Dr. Erik Huffman told me he believes we should think about cyber-security the same way we do seatbelts. Like road accidents, cyber-incidents can't be eliminated altogether – there are too many variables outside of our control for that. But what is in our control is limiting their impact when they do occur.


So why do we instinctively accept this logic on the road, but see it resisted in cyber-security?


The myth of 100% prevention

One of the hardest truths for business leaders to accept is that no amount of spending can guarantee complete protection. Almost every week, we see breaches in the news that prove even the most well-funded organisations with mature security programmes are still compromised. Attackers only need to succeed once; defenders must succeed every time.


This imbalance is clear in the growing impact of ransomware. A deflected attack costs the attackers little more than time, but a successful strike can be extremely costly to their victims. Research by Ponemon shows that 62% of UK organisations were forced to shut down operations after a ransomware attack, demonstrating that disruption is now the priority for cyber-criminals.


Just look at Jaguar Land Rover: the company’s production shutdown is costing between £5 million and £10 million per day, and could end up bankrupting some suppliers. Cyber-attacks are not just a minor inconvenience; they are a threat to the entire existence of a business.


In these cases, it wasn’t the initial compromise that proved most damaging – it was the attacker’s ability to move laterally through the organisation to reach critical systems and data.


Believing that every attack can be blocked sets businesses up for disappointment, and security teams know there is no such thing as 100% secure. The more realistic measure of maturity is not how many incidents are prevented, but how well the organisation can withstand and recover from them.


From blame to resilience

When a breach occurs, the instinctive question in many boardrooms is “who slipped up?” In the short term, during incident response, that focus on individual fault wastes valuable time and energy.


Long-term, this approach erodes morale and damages the relationship between security and business leadership. Security professionals working with this kind of negativity are likely to look for greener pastures before long.


Mature organisations take a different approach. They accept that incidents will happen, and they concentrate on containing the impact and learning from the event. Blame can be assigned later if negligence is clear, but the immediate priority should be to minimise disruption and restore critical services.


This cultural shift is vital. Pointing fingers doesn’t build resilience; preparing for the next event does.


Preparedness over awareness

The average workforce has never been more cyber-aware. But awareness is not the same as preparedness. Awareness alone doesn’t stop mistakes from happening, especially when people are tired, stressed, or under pressure. In those moments, the likelihood of clicking a malicious link or handing over credentials rises sharply.


To return to the road safety parallel: campaigns remind us of the risks of speeding or drink-driving, but we also put motorists through fairly rigorous learning and testing before they drive solo. Just imagine the results if new drivers were only ‘made aware’ of the risks of the road.


And when an incident occurs, what ultimately saves lives are the safety features baked into the vehicle: seatbelts, airbags, and crumple zones.


In cyber-security, preparedness works at an individual level, for example educating and training high-risk people and departments on the targeted threats coming at them, and at a systemic level, rehearsing response plans and building systems that assume compromise.


It’s not about individual failings; it’s about ensuring the wider organisation can withstand the impact. Structural safeguards like segmentation, Zero Trust, and well-practised incident playbooks are the cyber-equivalent of vehicle safety features.


Resilience needs a C-suite mindset shift

While cyber-security is increasingly accepted as a core business risk, it is still not typically a prominent boardroom discussion. Business leaders need to recognise that cyber-security differs from most other business risks, whose level correlates more directly with spending. Security investment is not a guarantee of safety, but an enabler of resilience.


The right question for leaders to ask is not “why weren’t we fully protected?” but “how quickly did we recover?” and “how limited was the impact?” A mature approach means understanding which threats can be tolerated, which must be mitigated, and how much impact the business can withstand.


Just as no CEO would question the need for seatbelts in a company car fleet, no executive should treat cyber-security safeguards as optional. They are fundamental to keeping the business running when incidents strike.


Building the cyber-security seatbelt

So, what does “buckling up” look like in practice? It starts with knowing what matters most. Organisations need to identify their most critical assets and the top threats to those assets.


Tools like security graphs help organisations see how the elements of their IT environment connect and interact with each other. With the addition of AI, security graphs take on even more importance by providing security teams with the essential context to map malicious behaviour and identify attacker connections.


Organisations can prioritise what matters most, enabling faster, more informed decisions, and allowing security teams to proactively close security gaps and address weaknesses rather than reacting to them after they’ve been exploited.


From there, the goal is to design security with the assumption that compromise will happen, and to contain the blast zone when it does. Strategies like Zero Trust provide the structural equivalent of airbags and crumple zones: by segmenting networks and limiting lateral movement, they ensure that even if one area is breached, the damage is contained.
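As an added illustration of the point above (not part of the article and not Illumio’s own tooling), the Python below models a small environment as a security graph and computes the blast radius from a single compromised workload under a flat network versus a tag-based segmentation allow-list; the workloads, tags and permitted flows are constructed assumptions.

```python
"""Blast-radius comparison: flat network versus segmented (allow-list) network.

Nodes are workloads, an edge exists wherever policy permits traffic, and
lateral movement is modelled as reachability from the first compromised host.
All hosts, tags and flows below are constructed for illustration.
"""
from collections import deque

# Constructed environment: workload name -> environment tag
WORKLOADS = {
    "hr-laptop": "user", "finance-laptop": "user",
    "web-01": "dmz", "web-02": "dmz",
    "app-01": "app", "app-02": "app",
    "db-01": "db", "backup-01": "backup",
}

# Flat network: any workload may talk to any other (no segmentation).
def flat_policy(src, dst):
    return True

# Segmented network: only the directional flows the business needs are allowed.
ALLOWED_FLOWS = {("user", "dmz"), ("dmz", "app"), ("app", "db"), ("backup", "db")}

def segmented_policy(src, dst):
    return (WORKLOADS[src], WORKLOADS[dst]) in ALLOWED_FLOWS

def blast_radius(start, policy):
    """Return every workload reachable from `start` via policy-permitted paths
    (breadth-first search over the security graph)."""
    reached, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in reached and policy(cur, nxt):
                reached.add(nxt)
                queue.append(nxt)
    return reached

def containment_report(start):
    """Size of the blast radius from `start` under each policy."""
    return {
        "flat": len(blast_radius(start, flat_policy)),
        "segmented": len(blast_radius(start, segmented_policy)),
        "total": len(WORKLOADS),
    }

if __name__ == "__main__":
    for host in ("hr-laptop", "web-01", "db-01"):
        print(host, containment_report(host))
```

Under the flat policy every starting point reaches all eight workloads; under the segmented policy a compromised laptop can never reach the backup server, and a compromised database server reaches nothing at all.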


Preparations need to account for the human element too, from training and awareness campaigns about the most common threats, to regular incident response exercises that will help teams develop the muscle memory to act quickly under pressure. People will always be vulnerable, but systems can be built to catch mistakes before they escalate. With layered protections in place, security becomes less about prevention at all costs and more about ensuring business continuity.


The real measure of cyber-maturity is not whether incidents occur, but how little they disrupt the organisation. Every executive should ask themselves a simple question: would you drive without a seatbelt? If not, why run a business without cyber-security built in?


Raghu Nandakumara is Head of Industry Solutions at Illumio


Main image courtesy of iStockPhoto and Milko
