Early this month, I ran across a staff article from CybersecurityNews explaining some new thinking around the idea of cyber resilience. This piqued my interest, since I wrote an entire chapter about the topic in my Cybersecurity First Principles book.
In the book, I highlight the notion that since the beginning of the cybersecurity era (late 1980s), the primary strategies we all adopted had to do with prevention. We were trying to stop the cyber bad guys from being successful. Security leaders have tried all kinds of strategies over the years: Perimeter Defense, Defense-in-Depth, Zero Trust, and Intrusion Kill Chain Prevention.
Prevention might be the Wrong Strategy for Most of Us
My career has roughly paralleled the evolution of all those strategies. Here I am, at the end of my 30-year cybersecurity career, a career in which I have spent gazillions of dollars myself pursuing these prevention strategies in multiple organizations, and, I have to say, I think I got it wrong.
For one thing, none of these strategies, if implemented fully, are cheap in terms of the people-process-technology resources you have to spend to get the full benefit. Most of us couldn’t afford it back then and still can’t afford it today. Instead, we implement as much as we can and hope it will be good enough. For the most part, it was.
It’s true that recent studies, like the Cyentia Information Risk Insight Study 2025, have shown a rising probability that hackers will materially impact any organization. The Cyentia study shows a growth from 2.5% to 9.3% over the last 15 years. Still, the probability is relatively low.
Let me restate that. According to Cyentia, the probability of material impact due to a cyber event for any organization in a given year is just 9.3%. Most business leaders would accept that risk as being equal to or much smaller than other business risks they are already dealing with.
Black Swan Events
The problem is that even though the risk is small, if your organization is unlucky, the impact could be a company killer. If the unlikely happens and Wicked Spider takes your company offline for more than a few days, you are now in the middle of a Black Swan event, a phrase made popular by Nassim Nicholas Taleb in his 2007 book, “The Black Swan: The Impact of the Highly Improbable.” It is a metaphor for an extremely rare, unpredictable incident that has a significant, wide-ranging impact.
For example, according to Bloomberg Law’s Alex Wolf, the Stoli Group (the maker of Stolichnaya vodka) filed for Chapter 11 relief because of an August 2024 ransomware attack that caused severe operational disruption. Wolf also says that hackers forced National Public Data (a background check provider) into bankruptcy in late 2023 with loss of business, multiple class actions, regulatory investigations, and recovery costs. And he cites a 2022 survey by the Hiscox Group (a specialty insurer) in which one in five businesses across eight countries said a cyberattack had almost rendered them insolvent. The chances that any of these organizations would be impacted by a material cyber event were small. But when the events did happen, they became Black Swan events.
Strategies to Reduce Black Swan Risk
The question, then, is: what is the right strategy to mitigate Black Swan risks? Do you pursue an expensive prevention strategy like the infosec community has done for the past 30 years, or do you do something else? Wait, don’t answer that yet. Let me illustrate with an example from another existential problem: a civilization-ending asteroid impact.
According to perplexity.ai, NASA calculates the probability of a civilization-ending asteroid impact within the next 50 years at 0.000001% (about 1 in 100 million). It’s highly unlikely that something like this will happen (I didn’t fact-check this. I’m just using it as an example). But we are talking about the human race here. Do we do nothing?
Well, yes, depending on the risk tolerance of our current government leaders. Doing nothing makes sense. Spending resources to reduce the risk of something that is likely never going to happen is kind of dumb. But, for the worriers out there (the people with a low risk tolerance), shouldn’t we do something? We’re talking about the human race here.
If our goal is to ensure the survivability of the human race, do we pursue a prevention strategy like the writers of two 1998 movies (“Deep Impact” and “Armageddon”) did? They used nuclear bombs to blow the planet killers off course: prevention. Well yes, that would give us peace of mind. But, in “Deep Impact,” the solution only partially worked. In “Armageddon”, they got lucky. Developing the tech to increase our odds of success would be highly expensive. Maybe that money could be better spent on other risks that are more likely to happen.
What if we just tried to survive the event instead? What if we did something radical like establishing a space colony on a giant O’Neill cylinder in cis-lunar space? Yes, that would be way more expensive than the nuclear bomb prevention strategy, but O’Neill cylinders in cis-lunar space tackle all kinds of existential problems in one solution: earth overpopulation, climate change, and clean energy just to name three. It might be worth it. And, if a planet killer asteroid hit the earth, the human race would still exist on the O’Neill cylinder.
Building O’Neill cylinders in cis-lunar space is a different strategy: a resilience strategy. We wouldn’t be trying to prevent the event from happening. We would be trying to survive it.
What Is Resilience?
There are a lot of definitions of resilience out there:
2009: ASIS International: They actually coined the phrase cyber resilience, but it was really describing what turned out to be business continuity.
2010: The US Department of Homeland Security: “[the] ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.”
2012: The World Economic Forum: “… the ability of systems and organizations to withstand cyber events….”
2017: the International Standards Organization (ISO): “... the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”
2019: National Institute of Standards and Technology: “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
But the definition I like best comes from two Stockholm University researchers in 2015. Janis Stirna and Jelena Zdravkovic define it this way:
“…the ability to continuously deliver the intended outcome despite adverse cyber events.”
Assume that the bad guys will successfully negotiate the intrusion kill chain, or find a weak spot in your zero-trust armor, or that there will be a massive IT failure at some point in the future. Then devise a strategy to ensure that your organization’s essential services will still function. That’s resilience.
Take Away
What I’m advocating here is that a cyber defense resilience strategy is likely the superior strategy for most organizations. This is especially true if you are a startup-to-medium-size company in terms of revenue, or you are a government or academic entity with no cyber budget. You don’t have the resources to fully deploy and manage any of the common prevention strategies like intrusion kill chain prevention or zero trust. But even if you’re a Fortune 500 company, resilience might be a more compelling strategy in terms of resource spend and how much risk you are able to buy down with that spend.
The impact is that the people-process-technology resources you deploy to achieve it are completely different from the prevention strategy that you are pursuing now. Instead of tactically deploying firewalls, EDR, network monitoring, and all the rest, you would be
Deploying a robust backup and restore capability. And I mean robust: a push-button operation where, at the first sign of trouble, you have moved everything to a new compute stack in another part of the world without your customers even noticing.
Encrypting all material business data. And I mean all.
Raising your crisis planning and incident response game from pretty good to world class.
Pursuing Chaos Engineering as your north star.
Transforming your on-paper business continuity plan into a living and breathing operational plan.
Any one of these resilience tactics would likely buy down more cyber risk than what you are getting now with your current prevention strategy. Combining two or more could have a major impact.
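To make the risk buy-down comparison concrete, here is a small annual-loss model. It is an added example of mine, not code from the article or its author. The only number taken from the page is the 9.3% per-year probability of a material cyber event (Cyentia); the loss figures, the effect assigned to each strategy, the $20M insolvency threshold, and the 10-year horizon are constructed assumptions chosen to show the difference between shrinking the frequency of events (prevention) and capping their impact (resilience). It treats years as independent and models the loss given an event as a two-point mix of an ordinary incident and a Black Swan outage.

```python
"""Annual cyber-loss model: prevention spend versus resilience spend.

Added illustration, not from the article. Only the 9.3% per-year probability of a
material cyber event comes from the page; every loss figure, threshold and strategy
effect below is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One year of risk: P(material event), then a two-point loss mix given an event."""
    name: str
    p_event: float          # P(material cyber event in a given year)
    p_black_swan: float     # P(the event is a company-killer outage | event)
    loss_typical: float     # $M lost in an ordinary incident (constructed)
    loss_black_swan: float  # $M lost in the company-killer outage (constructed)


def expected_annual_loss(s: Scenario) -> float:
    """Annualised expected loss in $M: P(event) * E[loss | event]."""
    loss_given_event = ((1 - s.p_black_swan) * s.loss_typical
                        + s.p_black_swan * s.loss_black_swan)
    return s.p_event * loss_given_event


def annual_ruin_probability(s: Scenario, ruin_threshold: float) -> float:
    """P(a single year's loss exceeds what the business can survive)."""
    p = 0.0
    if s.loss_typical > ruin_threshold:
        p += s.p_event * (1 - s.p_black_swan)
    if s.loss_black_swan > ruin_threshold:
        p += s.p_event * s.p_black_swan
    return p


def survival_probability(s: Scenario, ruin_threshold: float, years: int) -> float:
    """P(no ruinous year across the horizon), treating years as independent."""
    return (1 - annual_ruin_probability(s, ruin_threshold)) ** years


# Constructed baseline: 9.3% chance of a material event (the page's Cyentia figure),
# one in ten of which is a multi-day outage of the kind the article calls a Black Swan.
BASELINE = Scenario("baseline", p_event=0.093, p_black_swan=0.10,
                    loss_typical=0.5, loss_black_swan=50.0)
# Prevention spend (assumed effect): fewer events get through, but any event that
# does still carries the same loss mix, company killer included.
PREVENTION = Scenario("prevention", p_event=0.060, p_black_swan=0.10,
                      loss_typical=0.5, loss_black_swan=50.0)
# Resilience spend (assumed effect): the same number of events, but push-button
# restore turns the company-killer outage into a survivable one.
RESILIENCE = Scenario("resilience", p_event=0.093, p_black_swan=0.10,
                      loss_typical=0.5, loss_black_swan=5.0)
RUIN_THRESHOLD = 20.0  # $M; constructed insolvency point
HORIZON_YEARS = 10


def compare(scenarios=(BASELINE, PREVENTION, RESILIENCE)) -> dict:
    """Expected loss, yearly ruin probability and 10-year survival per scenario."""
    return {
        s.name: {
            "expected_loss": expected_annual_loss(s),
            "annual_ruin": annual_ruin_probability(s, RUIN_THRESHOLD),
            "survive_horizon": survival_probability(s, RUIN_THRESHOLD, HORIZON_YEARS),
        }
        for s in scenarios
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:<11} expected loss ${row['expected_loss']:.3f}M/yr  "
              f"ruin/yr {row['annual_ruin']:.2%}  "
              f"survive {HORIZON_YEARS}y {row['survive_horizon']:.1%}")
```

Under these assumptions the prevention spend trims expected loss by roughly a third but leaves the yearly chance of a ruinous outage at 0.6%, while the resilience spend cuts expected loss by more than 80% and drives the chance of a ruinous year to zero, because no single event can exceed the insolvency threshold any more. The numbers are made up; the shape of the result is the point: a tail-risk problem is bought down more cheaply by capping impact than by shaving probability.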
Something to think about.
Source
Staff, 2025. Building a Cyber-Resilient Organization CISOs Roadmap [Explainer]. CybersecurityNews. URL https://cybersecuritynews.com/cyber-resilient-organization-2/
References
Alex Wolf, 2025. Cybersecurity Breaches Are Increasing Business Insolvency Risks [Analysis]. Bloomberg Law. URL https://news.bloomberglaw.com/business-and-practice/cybersecurity-breaches-are-increasing-business-insolvency-risks
Nassim Nicholas Taleb, 2007. The Black Swan: The Impact of the Highly Improbable [Book]. Goodreads. URL https://www.goodreads.com/book/show/242472.The_Black_Swan
Richard A. Caralli, David White, Julia Allen, 2010. CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience [Book]. Goodreads. URL https://www.goodreads.com/book/show/9767619-cert-resilience-management-model
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1
Rick Howard, 2025. Cyber Reports to Forecast Risk [Analysis]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/cyber-reports-to-forecast-risk
Staff, 2025. Information Risk Insight Study 2025 [Cyber Risk Study]. Cyentia Institute. URL https://www.cyentia.com/iris2025/
Resilience is absolutely a first principle, mostly because it matters to revenue and materiality. Overall, great article.
However, I'd dig deeper on examples. I researched the myth of companies going out of business because of cyber attacks...and Stoli is a great example of what's behind most of these myths. Stoli was on the ropes financially before the cyber attack. Instead of cyber being the cause of them going bankrupt and nearly closing, it was the straw that broke what was already a near thing.
With the exception of about 10 companies in the last 30-40 years, companies that go out of business because of a cyber attack are almost always on the ropes financially. If that's the case, there are a dozen things that could push them over the edge.