Embracing the Inevitable: Why Cybersecurity Resilience Is the New Norm

The notion that cybersecurity breaches can be wholly prevented is both outdated and impractical. Despite rising budgets and headcount in cybersecurity, attacks continue to succeed, often with devastating consequences. The conventional assumption is that spending more on defensive measures should reduce the likelihood of a breach in proportion to the spend. Reality paints a different picture. In this blog post, we'll look at why a shift from a purely defensive strategy to one focused on resilience is essential, and at actionable steps security and risk management leaders can take to build a cyber-resilient organisation.

The Unwinnable Race

It's high time we confront the harsh truth: we're not winning the cybersecurity arms race. For every defensive measure put in place, attackers, sometimes backed by nation-states, find new ways to exploit vulnerabilities, and they only need to succeed once.

For example, despite being well-funded and having mature defensive programmes, organisations like Maersk and Merck (both hit by the NotPetya wiper in 2017) and Colonial Pipeline (hit by ransomware in 2021) still fell victim to significant cyberattacks. These incidents were not confined to IT systems: they disrupted shipping, pharmaceutical manufacturing and fuel distribution, extending the impact into operational and physical environments.

The phrase "unassailable lead" has been used to describe the advantage that attackers currently hold over existing cybersecurity practices. Organisations continue to invest heavily in defences, but each additional pound spent on prevention yields diminishing returns in breaches actually avoided.

A New Approach: Building Resilience Over Defence

Given that breaches are bound to occur, organisations need to adopt a new perspective: building resilience. Instead of a defensive strategy that aims to prevent every successful attack, a resilience strategy prepares an organisation to absorb the shock of an attack, keep critical services running, adapt, and recover. The measure of success shifts from "were we breached?" to "how much damage did the breach do, and how quickly did we recover?"

Actionable Recommendations

Given the above, the following courses of action are recommended:

  1. Reallocate Resources to Resilience: Instead of pumping ever more money into expanding preventive controls, redirect part of those funds toward the capabilities that limit blast radius and speed recovery: tested backups, detection and response, and rehearsed incident playbooks, alongside a resilient organisation that knows how to use them.

  2. Apply Lessons from Normal Accident Theory (NAT): NAT posits that in complex, tightly coupled systems, accidents are inevitable. By adopting the "mindfulness" practices of High Reliability Organisations (HROs), such as preoccupation with failure and deference to front-line expertise, companies can anticipate and manage these inevitable incidents more effectively.

  3. Hire Experienced Leaders: Look for cybersecurity leaders who have firsthand experience of handling breaches. Someone who has run an incident end to end knows where plans break down under pressure, and that experience is invaluable in building a resilient organisation.

  4. Integrate with Business Continuity Plans: Cybersecurity should not exist in a vacuum. Integrate incident response with disaster recovery and business continuity planning, and exercise them together, so that a cyber incident triggers the same recovery machinery as any other operational disruption.


While the instinct to defend is natural, the current cyber landscape requires a more nuanced approach. Resilience doesn't mean giving up on defence; it means preparing for the inevitable and being equipped to recover from it and learn from it. It's about creating real business value by being ready for what we can't prevent.

By making cybersecurity resilience the cornerstone of your organisation's strategy, you not only prepare for the inevitable but also turn each incident into an opportunity to strengthen your security posture.