Series: From the Books, Updated for Now Source anchor: The Book on Cybersecurity

Published date: 2026-04-03 Word count: ~850 words Category: Cyber Resilience Tags: Cyber resilience, Business continuity, Crisis management, Disaster recovery, Board governance

> "The best time to plant a tree was 20 years ago. The second best time is now." > — Chinese proverb

In March 2024, a major cloud provider experienced a four-hour outage that cascaded through thousands of businesses worldwide. E-commerce sites went dark. Manufacturing lines stopped. Healthcare systems reverted to paper records. The total cost exceeded $500 million in lost productivity and revenue.

None of these organizations had been breached. Their security controls worked exactly as designed. Their problem was not prevention failure but resilience failure.

The Shift from Prevention to Resilience

For years, cybersecurity was framed primarily as a prevention problem. Build enough controls, buy enough tools, hire enough specialists, and perhaps the worst outcomes could be avoided.

Prevention still matters. But resilience is now the more honest leadership frame.

Modern organizations do not operate in stable, closed environments. They depend on external software, cloud infrastructure, distributed teams, identity systems, connected vendors, and increasingly automated decision layers. In that world, the serious question is not whether something will ever go wrong. It is whether the organization can continue, recover, and make sound decisions under pressure.

That is what cyber resilience means today.

What Resilience Actually Looks Like

It means the board understands what matters most. It means executives know who decides what in the first hour of a crisis. It means communications, legal, operational, and technical teams are not meeting each other for the first time during the incident itself.

It also means being honest about backups. Many leaders still talk about backups as if their existence proves resilience. It does not.

Backups only matter if they are:

  • Protected from the same threats that hit production
  • Usable when needed
  • Current enough to restore meaningful operations
  • Regularly tested in a way that reflects operational reality

The Backup Problem

In my work with organizations recovering from ransomware attacks, the pattern is predictable. The backup system was configured. The backups ran nightly. The logs showed green checks.

But when recovery became necessary, reality intruded. The backups were encrypted because they were on the same network segment. The restoration process took 48 hours instead of the planned 4 because no one had tested it at scale. The critical database turned out to have a corrupted snapshot from three weeks prior.

Preparation without validation is just hope dressed up as planning.

Practical Resilience Checklist

What organizations need is practical resilience:

Clearly defined business priorities — Which systems must come back first? What is the minimum viable operation?

Tested recovery assumptions — Not once, but continuously. Tabletop exercises, chaos engineering, actual restoration drills.

Decision rights under pressure — Who can declare a disaster? Who authorizes ransom payments (my advice: almost never)? Who speaks to the media?

Realistic external dependency planning — What happens when your cloud provider, your payment processor, your identity vendor goes down?

Disciplined communication during ambiguity — Stakeholders need updates even when you do not have answers.

The Real Lesson

One of the enduring lessons from crisis management is that confusion compounds damage. Poor visibility, delayed escalation, weak ownership, and untested assumptions often do more harm than the initial event.

This is why "when disaster strikes" remains such an important leadership lens. Not because leaders should become fatalistic, but because resilience improves when organizations prepare for disruption as a management problem, not merely a technical one.

After the Hype

Cyber resilience after the hype is not glamorous. It is not a product category. It is not a slogan.

It is a discipline.

And in practice, it is often the difference between a serious incident and a lasting business crisis.

Questions for your next board meeting:

  • What is our maximum tolerable downtime for critical systems?
  • When did we last test our disaster recovery plan?
  • Who has authority to make decisions during a crisis?

Originally appeared in "The Book on Cybersecurity" (2023)