State of Security 2025: Cyber Resilience

proudly sponsored by
Lumen

With the chances of falling victim to a cyber breach now a question of ‘when’ rather than ‘if’, cyber defensive strategies are changing to prioritise not just defence, but recovery and continuity.

According to Marcus Thompson, the inaugural head of information warfare for the Australian Defence Force and now non-executive director at Bank Australia, this change in perception is forcing a rethink in how the cyber defence challenge is discussed, and placing greater emphasis on resilience over security.

“There are too many people using the terms cyber resilience and cyber security interchangeably, and they are different words in the English language for good reason, because they mean different things,” said Thompson.

“Cyber resilience is the phrase we should all be using. Security is a binary construct – you are either secure or you’re not, and to be partially secure is to be insecure. Resilience is a far more useful construct, because resilience exists on a scale.”

The concept of resilience is one that is already well understood across other aspects of many organisations, such as financial resilience in the event of an economic downturn, or physical resilience in the face of natural disasters.

According to Thompson, once an organisation decided how resilient it wanted to be, it could use a risk-based approach to assess the contributing factors and the investments needed to ensure it met these expectations. Cyber resilience therefore arose from the implementation of these numerous behaviours and controls.

“The organisations that have a robust, mature approach to cyber risk treat it as a business risk – not an IT risk,” Thompson said.

“And the time to be thinking about all of this is before the crisis – not during the crisis.” - Marcus Thompson, non-executive director, Bank Australia

Harnessing existing capabilities

For many organisations, the starting point for defining a cyber resilience strategy was the organisation’s existing business continuity planning and disaster recovery frameworks, which were commonly developed to ensure continuity in the face of physical disasters such as fire and extreme weather events.

According to Abbas Kudrati, a former CISO at KPMG Australia and now a lecturer on cyber security at La Trobe University, the elements of cyber resilience went far beyond just technical controls.

“Cyber resilience is not about being 100 percent secure, it is about how quickly you are able to recover when you are being attacked or breached,” Kudrati said.

“It is about getting back to business in a faster manner with the least impact to your business environment. Your people, process, technology, and architecture must align in a balanced manner.”

For Sandeep Taileng, information security leader for technology and transformation at State Trustees, the key attributes of cyber resilience were constant vigilance, robust construction, rapid damage control, and the ability to learn from experiences.

“It emphasises the ability to withstand attacks, recover quickly, and learn from incidents to ensure business continuity,” Taileng said.

“Regulations like Australia's CPS 230 and global standards are promoting this adaptable approach, which focuses on recovery and continued operation rather than just prevention.”

But despite this straightforward presentation, adoption of these attributes was far from universal.

“Several obstacles hinder the adoption of cyber resilience, including a lack of executive engagement and accountability, insufficient resources and funding, cultural resistance from employees, the complexity of managing resilience across third parties, and the rapidly evolving threat landscape,” Taileng said.

“Other challenges include the complexity of mapping business functions to IT, fragmented accountability, the cost of testing recovery capabilities, limited visibility into vendor resilience, and resistance to shifting from a purely preventative mindset.

“Overcoming these requires leadership commitment, continuous education, and a holistic approach.”

Taileng observed that the cybersecurity community was increasingly focused on cyber resilience over pure prevention, as demonstrated by discussion of concepts such as "shifting left", zero trust, threat hunting, cybersecurity mesh architecture (CSMA), operational technology (OT) security, and supply chain security.

“When this shift is framed in business terms such as business continuity, financial impact, operational risk, reputational damage, and regulatory compliance, it becomes more accessible and impactful for non-technical executives compared to purely technical cybersecurity discussions,” he said.

“This helps leadership understand cyber resilience as a core business priority.”

Kudrati suggested that a good starting point for incorporating cyber resilience into business continuity was the ISO 31001 Risk Management framework, which provided comprehensive principles and guidelines to help organisations with their risk assessments. Kudrati said this framework offered the additional benefit of translating cyber risk into language that other senior leaders and board directors would understand.

“If a CISO is not integrating their cyber security strategy and cyber risk management framework with an enterprise-wide framework, then that CISO is running solo,” Kudrati said.

“And the only way to create the visibility at the board level is to plug the cyber risk register into the enterprise risk register.”

Guidance on how to implement a resilience strategy could also be gleaned from version 2.0 of the NIST Cybersecurity Framework (NIST CSF 2.0), which identified six core functions – govern, identify, protect, detect, respond, and recover.

According to Kudrati, each of these could be implemented using existing processes and controls, many of which were enabled by adopting a zero-trust architecture framework, which itself was based on three principles.

“The first principle is having a least privileged model, which means not giving access to anyone who is not required,” Kudrati said.

“The second principle is to trust no one and verify everyone. And the third principle is to assume a breach – you need a mindset that the attacker is already in your environment.” - Abbas Kudrati, Lecturer, La Trobe University

Rapid market growth

Interest in cyber resilience is demonstrated through the rapid growth in sales of tools and processes that help bring it to life. According to research from Markets & Markets, the market for resilience solutions consists of various players offering specialised solutions in areas such as data backup, threat detection, and disaster recovery.

Kudrati said resilience could be enhanced by having multiple layers of defence, such as secure email gateways that strived to detect malicious emails as they attempted to enter the organisation, backed up by anti-malware software within the network. Should these lines of defence fail, a data loss prevention solution might then step in to prevent exfiltration of sensitive data.

Another common implementation of cyber resilience came in the form of network segmentation, to limit the impact of a successful attack by containing it within one part of the network.

“Because you have done the right network segmentation the impact is minimised, and you are able to recover out of that with the least disruption,” Kudrati said.

He added that the ultimate representation of an organisation’s cyber resilience came down to the level of interruption it could tolerate, and its willingness to spend on solutions to achieve this.

Hence, he said that while some organisations such as banks might be willing to mirror critical applications across multiple cloud environments to ensure continuity in the event that one environment became unavailable, few organisations would choose this option once they understood the cost.

Both Kudrati and Thompson agreed that a critical requirement for a strong resilience strategy was the ability to quickly know that you had been breached. Indeed, the overall market for intrusion detection and prevention systems was estimated by Global Market Insights to have been worth US$5.7 billion ($8.9 billion) in 2024.

“You need to know you are in a crisis – so that is detect,” Thompson said.

“And then there is contain and recover. But you have to know this is happening to you so you can actually respond.”

A human solution

Just as with the response to physical disasters, human beings also play a key role in delivering cyber resilience.

According to Thompson, this meant having a recovery plan in place in which everyone in the organisation understood their role and was drilled in the execution of that plan.

“So, when the moment comes, everyone knows what their responsibilities are,” Thompson said.

“There are still too many organisations in this country that are wishing this problem away. The attacker always has the initiative, so it is going to happen, and you have to be ready when it does.”
