Building a cybersecurity strategy that survives disruption
Cybersecurity isn’t what it used to be. Attackers are moving quicker, disruptions happen all the time, and many security plans built for more predictable times just can’t keep up. With everything from ransomware to geopolitical threats to cloud slip-ups hitting companies, there’s a shift happening: security needs to be ready for chaos, not just focused on keeping things safe.
That shift changes everything: how companies plan, how they invest, and how they recover.
From protection to resilience
Cybersecurity used to focus primarily on prevention. But in today’s environment, that’s not enough. That’s where cyber resilience comes in. Instead of just keeping attackers out, it focuses on keeping the business running during and after an attack. It combines security, crisis response, and recovery. It assumes something will go wrong and builds systems to adapt, bounce back quickly, and learn from the damage.
The best strategies treat resilience as a core part of business operations, not just a security add-on.
“The key to managing resilience is to approach it like an onion,” says James Morris, Chief Executive of The CSBR. “The best strategy is to be effective at managing the perimeter. This approach will allow you to get a level of control on internal and external forces which are key to long-term resilience.”
That layered thinking should be matched by clearly defined policies and procedures. “Ensure that your ‘resilience’ strategy and policies are documented in detail,” Morris advises. “This is critical for response planning, but also for any legal issues that may arise. If it’s not documented, it doesn’t happen.”
Documentation, however, is only part of the equation. Morris stresses the importance of creating and actively testing a resilience plan across the organisation. “Develop and test a resilience management and process plan in your organisation. Ensure that accountabilities are clear and identify information and communication gaps.”
Ensure that you follow the plan. “It is always tempting to become reactive when under pressure,” Morris notes, “but from an operational and legal point of view it is much better to stick to the plan and not get blown off course in the pressure of the moment.”
Know what matters most
Building a strategy that survives disruption starts with knowing what’s critical. That includes core apps, sensitive data, third-party services, and the systems that keep revenue flowing.
Gartner recommends mapping these assets to specific business outcomes. What happens to customer trust, operations, or revenue if a system goes offline?
Organizations should be modeling complex, real-world scenarios. For example, what happens if a ransomware attack hits during a cloud migration? Or if your supplier is taken offline in a cyberattack? Risk modeling has to go beyond standard threat lists.
Dennis Martin, Crisis Management and Businesses Resilience Specialist at Axians UK, outlines four strategic areas to focus on:
1. Form a resilience forum and understand critical pain points. Resilience is a whole-organisation challenge, requiring collaboration among the CISO, CIO, COO, and department heads. Clearly identify business-critical systems and assets (your crown jewels), define realistic recovery time objectives (RTOs), and determine pragmatic workarounds if these objectives cannot be met during a crisis. This ensures alignment of technical capabilities with business priorities, improving motivation and preparedness across all departments.
2. Strengthen threat detection through automation and orchestration. Move beyond traditional monitoring by implementing advanced, behaviour-based anomaly detection and AI-driven solutions to identify novel threats. Invest in automation to enhance the efficiency of detection, triage, and initial response tasks, while orchestration platforms enable coordinated workflows across security and IT tools, significantly boosting response agility.
3. Establish a structured cyber crisis response team. Clearly define your cyber crisis team, specifying how it interfaces with IT and strategic crisis management teams. Assign explicit roles and responsibilities, maintain real-time documentation during incidents, and adopt a structured decision-making model such as FORDEC to maintain clarity under pressure.
4. Prepare proactively for recovery. Develop and regularly test detailed recovery plans. Evaluating different scenarios in advance helps clarify which responses are effective, enabling preparations outside the stress of a crisis. Even seemingly minor preparations—such as setting up an emergency Microsoft tenant or acquiring a 5G Wi-Fi hotspot—can significantly improve your readiness. Investing time in creating thorough, system-specific recovery plans fosters engagement, ensures clarity during emergencies, and highlights additional steps or resources that should be addressed beforehand.
Make defenses more flexible
Disruption-ready defenses need to be adaptable. Static, rules-based controls don’t hold up well in a crisis. Zero trust is one way forward. It grants access based on identity and behavior, not location. This limits damage when attackers break in.
Automation also plays a big role. Fast response depends on automatic isolation, rollback, and detection. When ransomware hits, every second counts.
In the cloud, flexibility is even more important. Organizations should embed security early in the development pipeline and use real-time checks for misconfigurations.
Design for failure
A good strategy starts with the idea that stuff will break. So you need things like segmentation, backups, and backup plans for your backup plans, along with alternate ways to get back up and running. Fast, reliable recovery is key. Just having backups isn’t enough anymore. They need to be tested regularly and protected, because attackers might try to take them out too when they strike.
Involve the whole business
Resilient strategies aren’t just for security teams. They need full executive support and must connect directly to business goals. CISOs are working more closely with leadership to align security with broader risk planning.
People matter as much as tools. Everyone—from IT to legal to comms—needs to know their role during an incident. Organizations should hold regular tabletop exercises and simulations to prepare teams for fast-moving crises.
“Forging strong partnerships with key stakeholders, including IT teams, executive leadership, and external cybersecurity experts, enhances the effectiveness of cybersecurity strategy. Such collaboration ensures that security measures are integrated seamlessly into business operations and receive buy-in,” Kory Daniels, CISO at Trustwave, told Help Net Security.
Resilience also extends beyond organisational walls. Understanding and managing supply chain vulnerabilities is a vital part of the process. “Work with critical vendors to identify where key points of risk may exist,” Morris says. “Develop joint plans with vendors as part of your crisis management planning process.”
Finally, none of it works without clear and constant communication. “Focus on communication, communication and communication,” Morris emphasizes. “Openness and transparency are key for managing internal and external stakeholders.”
Prepare for the next unknown
Disruption doesn’t always come from an attacker. It could be a supply chain collapse, a natural disaster, or a software failure. Strong strategies account for unknowns, not just known threats.
That requires agility. Systems and teams need to respond quickly and shift priorities as needed. Decentralized decision-making and flexible response playbooks are key.
Post-incident learning also plays a role. CISOs should treat each incident as a learning opportunity and update plans accordingly.
“A cybersecurity strategy is not a one-time initiative, but rather a dynamic process requiring regular review and adaptation,” said Daniels. As cyber threats evolve in both sophistication and scale, organizations must remain agile. That means not only staying ahead of attackers but also rethinking defenses on the fly.
According to Daniels, the role of the CISO reflects this reality. “The work of the CISO is ongoing, requiring constant vigilance, continuous learning, and the ability to quickly pivot strategies in response to emerging risks and technological advancements.” It’s a job defined by its fluidity, where yesterday’s playbook is often obsolete by tomorrow.
The bottom line
Cyber disruption isn’t a rare event. It’s something every business should expect. The organizations that will thrive aren’t just the ones with strong defenses. They’re the ones that can adapt fast, recover quickly, and keep the business running even when things go wrong.