Cyber resilience: why prevention fails
This is Part 1 of a 7-part series on Cyber Resilience for CISOs. The series covers the threat landscape, zero trust architecture, supply chain security, incident response, board communication, and concludes with a practical roadmap.
The fundamental promise of cybersecurity has been prevention. Build higher walls. Deploy better detection. Stop the attackers before they get in. For decades, this model shaped how organisations thought about security - and how CISOs justified their budgets.
That model is now obsolete.
The evidence is overwhelming. IBM's Cost of a Data Breach Report put the average time to identify and contain a breach at 277 days in its 2023 edition, and later editions still measure it at more than eight months. Despite record security spending, breach frequency continues to rise. The most sophisticated organisations in the world - those with deep budgets and elite security teams - still get compromised.
This is not a failure of execution. It is a failure of philosophy.
The Prevention Paradox
The prevention-first approach rests on an impossible assumption: that defenders can anticipate and block every possible attack vector. This was always optimistic. In 2026, it is delusional.
The attack surface has exploded. Remote work, cloud adoption, IoT proliferation, and API-driven architectures have created complexity that no perimeter can contain. Every new SaaS application, every third-party integration, every employee device represents a potential entry point.
Attackers have industrialised. Ransomware-as-a-service, initial access brokers, and nation-state tooling have democratised sophisticated attacks. The barrier to launching a damaging campaign has never been lower.
AI is changing the game. As I discussed in my 2026 IT trends analysis, AI-powered attacks are becoming more adaptive, more convincing, and more difficult to detect with traditional tools.
The uncomfortable truth is that breaches are not merely possible - they are inevitable. Any security strategy that does not accept this reality is fundamentally flawed.
What Cyber Resilience Actually Means
Cyber resilience is not a rebranding of existing security practices. It represents a fundamental shift in how organisations approach risk.
Prevention-first mindset:
- Success measured by attacks blocked
- Failure defined as any breach
- Investment focused on perimeter and detection
- Incident response as an afterthought
- Recovery plans gathering dust in a drawer
Resilience-first mindset:
- Success measured by business continuity
- Failure defined as inability to recover
- Investment balanced across prevent, detect, respond, recover
- Incident response as a core capability
- Recovery tested and proven
The UK's National Cyber Security Centre (NCSC) has increasingly emphasised this shift. Its guidance recognises that organisations must assume compromise and build systems that can continue operating - or rapidly recover - when attacks succeed.
This is not defeatism. It is realism.
The Four Pillars of Cyber Resilience
Building genuine resilience requires capability across four domains. Most organisations over-invest in the first two and neglect the others.
1. Anticipate
Understanding your threat landscape before attacks materialise. This means:
- Threat intelligence tailored to your industry and geography
- Attack surface management that keeps pace with business change
- Scenario planning for likely attack vectors
- Regular assessment of emerging risks
Anticipation is not prediction. You cannot know exactly when or how an attack will come. But you can understand the most likely scenarios and prepare accordingly.
2. Withstand
The ability to continue essential operations during an attack. This requires:
- Segmentation that contains blast radius
- Redundancy in critical systems
- Manual fallback procedures for automated processes
- Communication channels that work when primary systems fail
Many organisations discover their dependencies only during a crisis. Resilient organisations map these dependencies in advance and build alternatives.
3. Recover
Returning to normal operations as quickly as possible. This demands:
- Tested backup and restoration procedures
- Clear prioritisation of business functions
- Pre-established vendor relationships for incident support
- Documented recovery runbooks that actually work
The difference between organisations that recover in days versus weeks often comes down to preparation done months or years earlier.
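The "tested backup and restoration procedures" above only mean something if the test is repeatable and has a pass/fail outcome. As an added example (not code from the article or its author), the Python below runs a restore drill: it restores a backup archive into a clean directory, checks every file against a manifest of SHA-256 hashes recorded at backup time, and fails the drill if any file is missing, altered, or the restore exceeds the recovery time objective. The archive format, sample files, 30-second RTO and helper names are all assumptions made for the illustration.

```python
"""Backup restore drill: restore an archive into a clean directory, verify every
file against a manifest of SHA-256 hashes recorded at backup time, and time the
run against a recovery time objective (RTO). Added example, not from the
article; sample files, manifest format, RTO value and names are constructed."""
import hashlib
import io
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class DrillResult:
    restored: int                                   # files written to the restore directory
    verified: int = 0                               # manifest entries whose hash matched
    failures: list = field(default_factory=list)    # paths present but with a wrong hash
    missing: list = field(default_factory=list)     # manifest paths absent after restore
    elapsed_s: float = 0.0
    rto_s: float = 0.0

    @property
    def passed(self) -> bool:
        # A drill passes only if every file came back intact AND within the RTO.
        return not self.failures and not self.missing and self.elapsed_s <= self.rto_s


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def make_backup(files: dict) -> tuple:
    """Build an in-memory gzipped tar plus the manifest taken at backup time.
    `files` maps relative path -> bytes. In production the manifest is stored
    (or signed) separately from the archive, so a tampered or truncated backup
    cannot carry a matching manifest along with it."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[rel] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_drill(archive: bytes, manifest: dict, rto_s: float) -> DrillResult:
    """Restore `archive` into a fresh temporary directory, then check every
    manifest entry. Members that would escape the destination (path traversal)
    or that are not regular files are refused rather than silently skipped."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as dest:
        root = os.path.realpath(dest)
        restored = 0
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for m in tar.getmembers():
                target = os.path.realpath(os.path.join(root, m.name))
                if not m.isfile() or not target.startswith(root + os.sep):
                    raise ValueError(f"unsafe archive member: {m.name}")
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                restored += 1
        result = DrillResult(restored=restored, rto_s=rto_s)
        for rel, expected in manifest.items():
            path = os.path.join(root, rel)
            if not os.path.isfile(path):
                result.missing.append(rel)
            elif sha256_file(path) != expected:
                result.failures.append(rel)
            else:
                result.verified += 1
    result.elapsed_s = time.monotonic() - start
    return result


def demo() -> dict:
    """Three drills on constructed data: a healthy backup, one that silently
    lost a file, and one whose content changed after the manifest was taken."""
    files = {  # constructed sample data standing in for a critical system
        "etc/app.conf": b"db_host=10.0.1.5\nlisten=0.0.0.0:8443\n",
        "data/ledger.csv": b"id,amount\n1,100\n2,250\n",
    }
    archive, manifest = make_backup(files)
    truncated, _ = make_backup({"etc/app.conf": files["etc/app.conf"]})
    altered, _ = make_backup({**files, "data/ledger.csv": b"id,amount\n1,999\n"})
    return {
        "healthy": restore_drill(archive, manifest, rto_s=30.0),
        "truncated": restore_drill(truncated, manifest, rto_s=30.0),
        "altered": restore_drill(altered, manifest, rto_s=30.0),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} passed={r.passed} verified={r.verified} "
              f"missing={r.missing} failures={r.failures} elapsed={r.elapsed_s:.3f}s")
```

Two design points matter beyond the toy data. The manifest must come from somewhere the backup job cannot overwrite (a separate store or a signed file), otherwise a corrupted or attacker-modified archive simply arrives with a manifest that matches it. And the elapsed time is measured for the whole restore-and-verify cycle, because an RTO that only counts the copy step hides the verification work that a real recovery cannot skip. Run the drill on a schedule, keep the results, and the checklist question "have we tested restoration this quarter" has an answer with evidence behind it.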
4. Adapt
Learning from incidents to improve future resilience. This includes:
- Genuine post-incident reviews without blame
- Process improvements based on lessons learned
- Updated threat models reflecting new intelligence
- Continuous testing of resilience capabilities
Adaptation closes the loop. Each incident - whether your own or observed elsewhere - should strengthen your resilience posture.
The Business Case for Resilience
CISOs often struggle to justify resilience investments because the benefits are counterfactual: it is hard to prove the value of a capability you hope never to use in anger.
But the business case is compelling when framed correctly.
Reduced downtime costs. The IBM/Ponemon Cost of a Data Breach Report put the global average cost of a breach at $4.45 million in its 2023 edition, and lost business (downtime, lost revenue and customer churn) is consistently one of the largest components. Organisations with tested incident response capabilities and backup procedures reduce this substantially.
Regulatory compliance. Regulations such as the EU's Digital Operational Resilience Act (DORA) explicitly require resilience capabilities, including operational resilience testing and incident reporting. As I explored in my analysis of SOC 2 and secure controls, demonstrating resilience is increasingly a compliance requirement, not just best practice.
Competitive advantage. Customers and partners increasingly scrutinise security postures. Organisations that can demonstrate resilience - not just prevention - build trust that translates to business advantage.
Insurance optimisation. Cyber insurers are becoming more sophisticated. Demonstrable resilience capabilities can improve coverage terms and reduce premiums.
Board confidence. Directors are asking harder questions about cyber risk. A resilience-focused strategy provides answers that prevention-only approaches cannot.
Why Prevention Still Matters
Embracing resilience does not mean abandoning prevention. It means placing prevention in its proper context.
Prevention remains the first line of defence. Every attack you stop is an incident you need not recover from. Investments in access control, vulnerability management, security awareness, and threat detection remain essential.
But prevention has limits. Resilience begins where prevention ends.
The optimal security posture balances both. Prevent what you can. Prepare for what you cannot prevent. This is not either/or - it is both/and.
The CISO's Shifting Role
This philosophical shift has profound implications for security leadership. As I discussed in The Modern CISO as Business Partner, security leaders must increasingly operate at the strategic level.
Resilience thinking accelerates this evolution. When the conversation shifts from "how do we prevent all breaches" to "how do we ensure business continuity regardless of what happens", the CISO becomes central to business strategy.
This requires new skills:
- Business acumen to understand which functions are truly critical
- Communication skills to explain resilience to non-technical stakeholders
- Relationship building across the organisation, not just IT
- Crisis leadership that remains calm under pressure
The CISO who can lead an organisation through a major incident and out the other side with minimal damage has demonstrated value no amount of blocked attacks can match.
Quick Reference: Resilience Readiness Assessment
Use these questions to assess your organisation's current resilience posture:
Anticipation:
- [ ] Do we have threat intelligence relevant to our industry?
- [ ] Can we enumerate our attack surface within 24 hours?
- [ ] Have we conducted tabletop exercises for likely scenarios?
- [ ] Do we track emerging threats systematically?
Withstanding:
- [ ] Can critical business functions continue if our network is compromised?
- [ ] Is our architecture segmented to limit lateral movement?
- [ ] Do we have out-of-band communication channels?
- [ ] Are manual fallback procedures documented and trained?
Recovery:
- [ ] Have we tested backup restoration within the last quarter?
- [ ] Is there clear prioritisation of which systems to restore first?
- [ ] Do we have pre-negotiated retainers with incident response firms?
- [ ] Can we restore critical systems within our recovery time objectives?
Adaptation:
- [ ] Do we conduct blameless post-incident reviews?
- [ ] Are lessons learned systematically incorporated into procedures?
- [ ] Do we learn from incidents affecting our industry peers?
- [ ] Is our threat model updated based on new intelligence?
If you answered "no" to more than half of these questions, your organisation is likely over-indexed on prevention at the expense of resilience.
What Comes Next
This article establishes why resilience matters. The remainder of this series provides the practical framework for achieving it.
In Part 2, we examine the threat landscape CISOs will face in 2026 - from AI-powered attacks to evolving ransomware tactics. Understanding what you are defending against is the foundation of effective resilience.
Part 3 explores zero trust architecture as a resilience enabler, moving beyond the buzzword to practical implementation.
Part 4 addresses third-party and supply chain resilience - often the weakest link in organisational security.
Part 5 provides a reality check on incident response, covering what actually works when things go wrong.
Part 6 tackles crisis communication to the board, turning incidents into leadership moments.
Finally, Part 7 synthesises the series into a practical roadmap you can take into 2026.
The journey from prevention-first to resilience-first is not easy. But for CISOs who make this transition, it represents the difference between fighting a losing battle and building an organisation that can thrive despite inevitable attacks.
Building Organisational Resilience
Transforming your security posture from prevention-focused to resilience-focused requires experienced guidance and a clear framework. My IT management services help organisations develop comprehensive resilience strategies - from capability assessment to implementation planning.
Get in touch to discuss how to build cyber resilience that protects your organisation when prevention fails.
Next in the series: Part 2 - The 2026 Threat Landscape
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.