The New Face of Cyber Resilience: Why Prevention is No Longer Enough
Cybersecurity has shifted from protection to survival—and most organizations are still preparing for the wrong battle.
[Image source: Krishna Prasad/MITSMR Middle East]
For years, cybersecurity has been treated as a back-office concern for IT to handle, while executives focused on growth, margins, and market share.
But today, cybersecurity is no longer a technical concern. In the age of artificial intelligence, digital threats have evolved from technical nuisances into existential risks, and the old approach of preventing attacks no longer applies.
Preventing attacks is no longer enough in cybersecurity.
For organizations to build real resilience, they need to accept the possibility that breaches can happen, test recovery plans often, and share responsibility with vendors and teams. If attackers get in, can your business keep running?
Today, leaders across industries are placing cyber risk at the very center of strategic planning.
“The question is never whether a sufficiently determined attacker could get in; it’s what happens when they do,” says Eliad Kimhy, Senior Security Researcher at Acronis.
The conceptual shift required is significant: resilience is not the absence of breach. It is a business capability, a competitive lever, and in the modern enterprise, a matter of survival.
Three Dimensions of Genuine Resilience
Kimhy defines real resilience as ‘an operational capability.’ “It is the ability to absorb a significant incident and continue functioning at some meaningful level while responding.” It requires organizations to go beyond the pursuit of a perfect defense and prepare for the moment defenses fail.
Citing the examples of Shamoon, which wiped out 35,000 workstations in 2012, and Triton/Trisis, which targeted a petrochemical plant in 2017 with intent to cause physical harm, he notes, “These weren’t ransomware campaigns. They were designed to destroy. Resilience in that context means something more demanding than recovering encrypted files.”
He outlines three dimensions of genuine resilience.
- Architectural resilience means systems fail partially, not completely: critical functions have redundancy, networks are segmented, and operational technology and information technology are meaningfully separated rather than merely nominally so.
- Process resilience means the organization can still function when technical systems fail: manual fallbacks are in place and have been tested, and decision authority is clear under crisis conditions.
- Human resilience means people at every level know what to do when something goes wrong–not just the security team.
Kimhy warns that in places where organizational hierarchy is pronounced and decisions flow from the top, that last dimension is a specific gap. “If an incident takes out communications or senior decision-makers are unprepared, organizations freeze,” he says. “Freezing during an active attack is itself a form of failure.”
In sectors where downtime is not an option — energy, finance, healthcare — this logic extends further.
According to Mortada Ayad, VP of Sales – META at Delinea, resilience in these environments begins with accepting compromise and designing for recovery from day one. “Prevention is about having the right controls in place. But this is not a true measure of resilience. You only really understand resilience through real-world outcomes.”
The real-world outcomes Ayad speaks of include:
- How quickly you can detect an issue
- How fast you can contain it
- Whether you can continue operating safely while the incident unfolds
On the physical security side, where cameras, sensors, and surveillance networks are now more connected and more at risk, Steven Kenny, Manager of the Architect & Engineering Program – EMEA at Axis Communications, recommends that organizations use end-to-end strategies, manage systems throughout their lifecycles, keep systems up to date, and follow best practices. “Not all technologies are developed or supported in the same way,” Kenny says. “These decisions have a direct impact on risk exposure.” He also stresses the need for effective system maintenance, close collaboration with vendors, and adherence to industry standards.
Measuring What Matters
A central issue Kimhy sees is that most organizations measure the wrong things, such as patch rates and training completion percentages. “These are activity metrics. They tell you what the security team is doing, not how the organization would perform under real pressure.” Instead, he argues for outcome-based metrics, with Mean-Time-To-Recover—not detect or contain, but restore full operational capability—as the single most important number.
Most organizations cannot state that number, because they never investigate. “When realistic recovery exercises are run,” Kimhy says, “the gap between documented Recovery Time Objectives and actual performance is typically measured in multiples. A system nominally recoverable in four hours takes eighteen.”
Other critical indicators on which most organizations cannot give a reasoned answer include:
- Blast radius under adversarial conditions (how much capability degrades if an attacker achieves a defined level of access, assessed through genuine red team exercises rather than vulnerability scans)
- Supply chain failure tolerance (what happens when a key third-party vendor or managed service provider is compromised)
- Regulatory recovery thresholds (how close to breach notification and recovery obligations the organization operates under stress).
“Knowing your actual performance against those thresholds before an incident is basic risk management,” he says. “Most organizations don’t.”
Ayad echoes this view, emphasizing that resilience only reveals itself through real-world outcomes. “How quickly can you detect an issue? How fast can you contain it? How long does it take to restore privileged access or bring critical services back online?” Those are the metrics that matter, he says. “It also comes down to knowing what truly matters in your environment–your critical identities, systems, and third-party dependencies–and being able to reduce access instantly when risk increases.”
He points to recent incidents involving physical data center infrastructure in which services were disrupted, but organizations recovered without data loss or prolonged operational damage. “That’s what resilience looks like in practice,” he says. “It’s about taking the hit, limiting lateral movement, protecting privileged access, and recovering without major business disruption.”
For Kenny, measurement is tied to vendor accountability and supply chain transparency. He says that not all technologies are developed or supported equally, and that organizations must scrutinize long-term support commitments and adherence to industry standards. “Building a future-ready surveillance system requires a strategic, security-first approach that combines resilience, strong cyber hygiene, and trusted technology choices,” he says.
What Separates Fast Recovery from Prolonged Disruption
Observing that organizations that recover quickly from serious incidents share characteristics that are less technical than most people expect, Kimhy explains, “The single biggest differentiator is tested versus assumed recovery procedures.”
Organizations that run full-scale simulations–restoring from backups, rebuilding compromised systems, and switching to manual operations–find gaps before they cause damage. Those with documented but untested procedures find them during the incident. He notes that “a persistent cultural challenge in many companies is that simulating failure feels like admitting vulnerability,” but the organizations that overcome that resistance recover faster and more consistently.
Clean, separate, and verified backups emerge as a key technical advantage. “Ransomware operators specifically target backup systems before triggering encryption,” Kimhy warns, noting that several major incidents have extended dramatically because backup assumptions turned out to be wrong.
Ayad points to identity and access as the hidden fault line. “Attackers are often most successful when organizations don’t fully understand where their critical assets sit or how access to them is structured,” he says.
Fast recovery, he argues, comes down to preparedness: clear, tested playbooks, the ability to isolate compromised identities without shutting down the business, and confidence in recovery processes because they’ve been exercised before. “The breach itself is often just the starting point,” Ayad adds. “It’s everything that follows that determines how disruptive it becomes.”
Ayad notes that prolonged disruption is usually driven by uncertainty: too much standing privilege, unclear dependencies, and teams making critical decisions without full visibility. “Ultimately,” he says, “recovery is less about reacting in the moment and more about the groundwork that’s been laid beforehand. The organizations that recover well are the ones that have already thought through these scenarios in detail.”
Testing from a technology lifecycle perspective is important. Kenny advocates for “Security by Design”—embedding software security throughout the entire lifecycle, from production to decommissioning. While vendors play a critical role in identifying vulnerabilities and delivering updates, he stresses that not all approaches are equal, and that coordination among vendors, system integrators, and end users is essential for a rapid recovery.
Balancing Prevention, Detection, and Recovery
A common executive concern is that investing heavily in resilience will constrain growth. Kimhy disagrees. “Growth should not be constrained by security,” he says. “Rather than treating them as opposing forces, security should be understood as a safeguard against disruptions to growth.” He suggests that security leaders explain cyber risk in terms of business impact—such as lost revenue from outages, regulatory risks, and reputational damage—rather than focusing on technical details. He notes that this business-focused approach is more common in finance and large companies, but less so in mid-sized firms and other industries.
The balance between prevention, detection, and recovery looks different depending on the organization’s risk profile and operational priorities. “It must therefore start with a clear understanding of business risk, identity exposure, and operational priorities,” Ayad says. He points out that balance doesn’t mean spending equally on prevention, detection, and recovery. Prevention is always important, but it can’t be the only focus. Detection should target what matters most, especially identities and privileged access. Recovery needs to be part of the core business plan, not an afterthought.
Ayad recommends controls such as least privilege, just-in-time access, and strong monitoring of identity activity as smart investments that support prevention, detection, and recovery all at once. “That’s where the real efficiency comes in,” he says. “Done well, resilience supports growth because it gives leadership the confidence to innovate faster.”
Technology choices matter here as well. By adopting end-to-end solutions with robust lifecycle management and vendor accountability, organizations can reduce the friction that often accompanies bolt-on security measures, says Kenny.
The Biggest Misconceptions
Despite checking every regulatory box, organizations still crumble under pressure. For Kimhy, the most consequential misconception is that compliance equals resilience. He acknowledges that regulatory frameworks have done real work in raising the baseline, but warns that “compliance frameworks are baseline-setting exercises by design. They describe a floor.”
Regulators are increasingly moving toward outcomes-based supervision, asking not just whether controls are documented but whether organizations can demonstrate they work. “That shift will expose the organizations that have been treating compliance as an endpoint,” Kimhy says, adding that the largest resilience gaps are not technological; they are process and governance gaps.
Ayad frames the issue not as a misconception but as a case of false confidence. “To their credit, organizations across the board have made real progress in strengthening preventive controls,” he says. “But resilience really begins where prevention ends. Even in the most hardened environments, breaches can and do happen. There will always be scenarios that bypass controls, and the real test is what happens next. That’s where gaps tend to appear.” He adds that resilience comes down to whether an organization can contain the threat quickly, maintain operations under pressure, and recover access and services without introducing further risk.
Ayad also notes that many leaders underestimate the role of identity in resilience. “Today, attackers often do not need to break in the traditional way. They log in, escalate privileges, and move through trusted pathways.”
That is why, he says, resilience must include strong control over human, machine, and privileged identities.
Another common misconception Ayad identifies is that resilience is a technology issue owned only by the security team. “In reality,” he says, “resilience is a business capability. It depends on executive alignment, operational discipline, identity governance, third-party risk management, and the ability to make fast decisions during disruption.” Ayad’s advice is simple: “Resilience is not just about preventing the incident. It is about ensuring the business can withstand it and recover with speed and trust.”
The gap between compliance and actual readiness is a persistent challenge. “When it comes to cyber readiness, a ‘Security by Design’ approach is key,” Kenny says. While vendors play a critical role, he warns that not all approaches are equal, and that cybersecurity remains a shared responsibility. Organizations that treat compliance as a checklist rather than embedding security throughout the technology lifecycle, he suggests, are the ones most likely to be caught off guard when an incident occurs.
Prevention and compliance remain foundational, experts agree, yet they are no longer sufficient. Today’s attackers pursue objectives beyond financial gain — targeting operational continuity, systemic harm, and institutional trust. Real cyber resilience demands that organizations anticipate breaches rather than merely attempt to prevent them, engineer robust recovery capabilities, subject every process to rigorous stress-testing, and reconceptualize cybersecurity as a business issue, not just an IT concern. It’s a key business strength and, for modern companies, essential for survival.