If modern cyber security doctrines assume breaches are inevitable, organisations must be prepared to respond and recover immediately.
This need has elevated cyber resilience as a core priority, as organisations build capabilities that go beyond detection and response to enable rapid recovery. This represents a clear shift away from prevention-focused strategies in favour of managing the impact of incidents.
Cyber resilience describes an organisation’s ability to anticipate, withstand, respond to, and recover from cyber incidents, while still maintaining continuity of critical business operations. In this model, success is measured by how quickly operations are restored and how effectively damage is contained.

The growing importance of cyber resilience was highlighted by Gartner in a December 2025 report (Predicts 2026: Cybersecurity Program Rebrands to Cyber Resilience), which forecast that by 2028 half of all CISOs would formally rebrand their cybersecurity programs as cyber resilience programs. This reflected a broader mandate to ‘minimise business impact and ensure operational continuity in the face of increasingly complex and evolving cyberthreats’.
Writing in the report, Gartner’s senior director for cybersecurity and resilience Arthur Sivanathan said security programs would increasingly prioritise resilience over prevention, focusing on rapid recovery and continuity of essential operations.
“Cybersecurity leaders will increasingly concentrate resources on protecting critical business services, reducing or altogether eliminating resilience investment in nonessential assets to optimise risk management and operational impact,” he said.

“Organisations with mature cyber resilience programs will differentiate themselves in the market by demonstrating a better ability to recover from disruptions than their peers in a world where everyone understands that disruption is inevitable.”
Gartner also predicted that by 2028, 50 per cent of CISOs would be asked to ‘own’ disaster recovery in addition to incident response, reflecting a broader shift in organisational focus.
As a market, cyber resilience spans a range of technologies and practices, from detection and response through to containment and recovery.
Detection capabilities, including endpoint detection and response (EDR) and extended detection and response (XDR), continued to grow, with MarketsandMarkets estimating the XDR market to be worth US$30.8 billion ($43.22 billion) by 2030.

Another essential component in cyber resilience is also one of the oldest strategies in cyber defence – backup and recovery. Mordor Intelligence estimated this market to be worth US$10.68 billion ($14.99 billion) in 2025, growing to US$16.86 billion ($23.66 billion) by 2030, while the broader disaster recovery market was expected to be worth US$81.15 billion ($113.88 billion) over the same period, according to Grand View Research.
However, tools alone form only part of the cyber resilience playbook, with Gartner emphasising that achieving resilience required organisations to embed recovery as a core mandate, prioritise critical operations, and adopt sovereignty-aware technology strategies.
This last requirement meant that by 2027, 30 per cent of organisations would require comprehensive sovereignty of their cloud security controls to address continued geopolitical turmoil.

Skills shortages would further shape this transition, with Gartner predicting that by 2028, 40 per cent of cybersecurity leaders would streamline resilience efforts to focus primarily on critical business services.
Furthermore, the emphasis on resilience would also bring the need to track appropriate metrics, such as containment times, service availability targets, and recovery objectives.
As cyber threats continue to evolve, the focus for security leaders is shifting from protection to continuity. Organisations that embed resilience into their core operations will be better positioned to safeguard value, maintain trust, and sustain performance in the face of constant disruption.
The University of Queensland has bolstered its resilience to a range of incident types and threats with a coordinated and documented approach, supported by tooling and tested via tabletop exercises.
Director of Cyber Security (CISO) within Information Technology Services, Dr David Stockdale, highlighted crucial and comprehensive preparatory work the university has undertaken to “prepare for the worst”, should that manifest as a cyber incident, data breach or other incident type.
“There is a consistency in how it's approached at the university level and how we communicate,” Stockdale said.
The work is also intended to assist with the coordination of more complex incident responses, such as where there may be cyber and non-cyber aspects to investigate and deal with simultaneously.
“Rather than just thinking about the cyber incident in terms of how do we deal with that, it's how do we deal with the components that are cyber, but how do we then tie that into the university's process and ensure the university has a really good process for dealing with [that],” Stockdale said.

“We want consistency. So resilience is about how do we deal with the incident, and let the cyber people get on with the cyber element and the university people get on with the other elements of that, whether that be communications, whether that be legal, whether that be any of the other components that need to be dealt with in a big incident.”
Stockdale said that resilience and coordination had been further bolstered by planning related to the Security of Critical Infrastructure (SOCI) Act, which universities must comply with.
The university had taken principles around SOCI compliance, adapting and factoring them into its broader incident response approach to further improve its resilience.

“And then, of course, we're moving into tabletop exercising around our method, our processes, ensuring that people really understand them and what their role is in different types of incidents,” Stockdale said.
“So, we have tested it, but we need to do more testing and exercising of that in the near future.”
The university is also honing its security stack to complement its incident response capabilities and resilience to threats, both cyber and beyond.
Stockdale said that the university is “quite openly a Palo Alto Networks shop” and that it is continuing to consolidate some of its existing tooling and capabilities into that single-vendor stack.
He said this kind of platform-thinking approach had been made possible over the years by continued expansion of what the technology could do.
Stockdale added that certain capabilities enabled by the tooling had also found use outside of the specific cyber security domain.
Notably, he said investigation forensics capabilities initiated in the cyber security division had proven attractive to the university’s legal unit and other parts of the institution that had investigative requirements.
“So, building this, the university has actually leveraged that service very effectively for many of the different types of use cases,” he said.

Is your Microsoft 365 environment protected beyond backup?
Microsoft 365 has become the operational heartbeat of many enterprises, but a security expert has warned that too many organisations are still treating backup as the main line of defence. While backing up data is important, CoreView’s Andrew McAllister says resilience also depends on knowing how Microsoft 365 is configured, who can change what, and how quickly the environment can be restored to a known good state after an incident, outage or audit.