Forget Perfect Prevention — Build Cyber Resilience Instead

Written by

Brent Maynard

May 22, 2025

Brent Maynard is the Senior Director, Security Technology and Strategy at Akamai.

Resilience won’t stop the attacks. But a comprehensive cyber resilience strategy can stop attacks from stopping your business.

Still think you can dodge the torrent of cyberattacks targeting organizations today? It’s time to accept reality and recognize that chasing perfect prevention is no longer possible.

As AI-driven attack strategies become even more sophisticated, automated, and massively scaled, it’s just a matter of time before your infrastructure is in the crosshairs. That’s why investing in operational resilience is the smart move.

With the passage of the Cyber Resilience Act (CRA) in 2024, technology providers in the European Union are now responsible for the security of their products. But that’s not enough. Every organization must take responsibility for building its own cyber resilience by creating a culture of security that pervades its security operations.

One way to view the issue of operational resilience is to focus on the traditional elements of people, process, and technology.

People: Maximizing team effectiveness

In many organizations, there is a divide between the people on the front lines in the security operations center (SOC) and the corporate leadership. At every breach table I have attended, it’s been clear that the SOC is aware of the fire before leadership smells smoke.

Those same SOC teams also experience a high level of stress and high turnover rates. When security teams are overworked, it raises the risk of errors and inattention that can reduce resilience.

A critical step to maintaining resilience is to ensure that the SOC has the support to operate efficiently and effectively. That starts by benchmarking current operations to gain insight into where improvements are needed. Is staffing adequate? If additional staff is not an option, could new technology tools help SOC teams operate more efficiently?

Crucially, information on SOC operational effectiveness must be shared with business leaders. Given the organizational risk posed by cyberthreats, bridging the divide between the corner office and security operations is critical to inform broader business resilience strategies.

Process: Exercising your security muscles

Evaluating current security processes and procedures

Evaluating security processes and procedures is another critical factor in resilience:

  • Are security teams making time to regularly practice threat response? 
  • Do they know how to use the available tools in the heat of an attack? 
  • Are new team members trained fully on proper procedures? 
  • Are there up-to-date playbooks for responding to potential threats? 

All these factors are important for optimizing resilience. 

Performing regular purple team exercises

Performing regular purple team exercises to identify potential shortfalls and sharpen skills is extremely valuable. One financial services client I worked with achieved a significant improvement in threat containment after just two quarterly purple team exercises.

Following these exercises, teams should make time for an in-depth postmortem analysis to identify weaknesses and share the results with front-line personnel to facilitate learning. Establishing performance metrics — such as time to threat containment — and measuring against them helps drive continuous improvement.

Busy security teams don’t always make time to practice these critical activities to help ensure cyber resilience. Yet, focusing on “combat readiness” is as crucial to a SOC as it is to a military rapid response force.

Understanding what to expect from managed security service providers

Another area of potential process risk involves communication and integration with managed security service providers (MSSPs). It’s essential to understand the inputs and outputs from both sides of the fence, and to know what to expect from your provider partner.

Misunderstanding SLAs or improperly offloading accountability to MSSPs is a silent killer of resilience. Any disconnect among the parties regarding where services begin and end can lead to a gap in response.

Technology: The right tools for the job

Robust technology is a crucial factor for the success of cyber resilience. But it’s important to take a thoughtful approach to deploying new technologies and make sure they are aligned with real-world needs.

With the emergence of AI-powered tools, many organizations have rushed to put the “AI inside” label on their security infrastructure. A few questions to consider:

  • Are those tools delivering the intended benefits? 
  • Do you truly understand what each tool is designed to do?
  • Are they performing to those expectations? 
  • Are they generating more false positives or negatives than was promised?

Not every AI tool represents a resilient solution; some just shift the noise.

Unless AI technology is properly aligned with the task at hand, it can actually add more risk — and more work for overworked SOC teams.

AI augments human knowledge and skills

Moreover, while the right AI technology can improve resilience — by sifting through thousands of records or automating certain threat responses, for example — it’s important to recognize that it merely augments the human factor. 

AI doesn’t replace the need for human analysts. Implemented correctly, it elevates analysts’ judgment, freeing them to focus on tasks that require their knowledge and skills, such as analyzing attack strategies and fine-tuning policies.

Making certain that you clearly understand the technologies you are considering deploying, including their limitations as well as their capabilities, is essential to ensure you’re not simply creating new vulnerabilities. 

Focus on the solvable problem

The attacks are not going to stop — they will only continue to increase in frequency and sophistication. That’s not a solvable problem. So, let’s focus on what we can solve: increasing resilience and reducing operational risk within our people, processes, and technology.

Combining best practices in these key areas with infrastructure modernization (implementing microsegmentation to minimize the “blast radius” of a breach, for example) will yield the greatest risk management returns.

Resilience won’t stop the attacks. But a comprehensive cyber resilience strategy can stop attacks from stopping your business.

Learn more

Reading published security research and analysis of past cyberattacks can help guide your business’s operational resilience strategy. Learn more in our webcast about fighting distributed denial of service (DDoS) on the front lines.


