CyberROI

Cybersecurity Investment Calculator

Cyber Resilience vs Cybersecurity: Why Recovery Matters as Much as Prevention

Traditional cybersecurity focuses on prevention — stopping attacks before they succeed. Cyber resilience takes a broader view, accepting that some attacks will inevitably succeed and focusing equally on the organisation's ability to detect, respond, recover, and adapt. For mature security programmes, resilience thinking represents a fundamental shift in how security value is measured and communicated.

Why Prevention Alone Is Insufficient

No security programme achieves 100% prevention. The question is not whether a breach will occur, but when, and how the organisation responds. IBM's 2025 data shows that the average breach takes 204 days to identify and 73 days to contain. Organisations that can compress these timelines dramatically reduce breach costs.

The financial difference between resilient and non-resilient organisations is stark. Those with incident response plans, tested backups, and business continuity processes experience breach costs that are $1.49 million lower than organisations without these capabilities. Resilience investments deliver some of the highest ROI in the security portfolio.

The Four Pillars of Cyber Resilience

1. Anticipate: Understand your threat landscape and identify the attack scenarios most likely to affect you. Threat modelling, red team exercises, and threat intelligence programmes help organisations prepare for those realistic scenarios rather than for generic threats.

2. Withstand: Implement controls that limit the impact of a successful attack. Network segmentation, least-privilege access, and data encryption ensure that the compromise of one system does not grant access to the entire environment.

3. Recover: Build and test the ability to restore critical business functions quickly. This includes immutable backups, documented recovery procedures, and pre-negotiated incident response retainers. The difference between a tested and untested recovery plan can be weeks of downtime.

4. Adapt: Learn from incidents and near-misses to continuously improve defences. Post-incident reviews, updated threat models, and adjusted security controls ensure that the organisation becomes stronger after each event.

Resilience Metrics for the Board

Balancing Prevention and Resilience

The optimal security budget allocates resources to both prevention and resilience. For most organisations, a ratio of 70% prevention to 30% resilience is a reasonable starting point. As maturity increases and prevention controls reach diminishing returns, the resilience allocation should increase. The most advanced organisations may spend 40-50% of their security budget on detection, response, and recovery capabilities.