Let’s face it: winning the battle against cyber incidents and intrusions is becoming elusive. Attackers are increasingly more successful and impactful, and organizations are resorting to “whack-a-mole” reactive strategies as a countermeasure. And while the velocity of attacks is increasing, many lack technical sophistication. The August 2023 Clorox ransomware attack wasn’t born of engineering brilliance, as attackers used simple social engineering to gain privileged access through a third-party service provider.
Unfortunately, in 2025, attackers don’t have to be technically capable to increase their chances of success. The attacker’s toolkit is overflowing due to the evolution of ransomware-as-a-service and access to sophisticated AI-driven malware. Complex attacks will require less investment, resulting in more extensive damage profiles and clean-up costs: a 2024 Sophos survey found that ransomware recovery averaged $2.73 million, excluding any ransom payments.
At the same time, organizations are falling further behind, pouring dollars into mostly preventative strategies that are no match for the attacker’s arsenal. According to Gartner, spending on cybersecurity is expected to grow 15% from $184 billion in 2024 to over $200 billion in 2025.
A Losing Game
It’s nearly impossible for organizations to defend against cyberattacks using preventative strategies alone. The increasing use of complex multi-cloud environments intertwined with legacy IT exponentially expands the threat environment and attack surface, and increases the chances that an attack vector will be successful. Even if an organization had unlimited budgets, sufficiently skilled professionals, and an array of cybersecurity tools, defending against all attacks is virtually impossible. But organizations are not powerless here: recasting the organization’s approach to cybersecurity in a resilience mindset can be a force multiplier for dealing with cyberattacks—even when they are successful.
A Resilience-forward Approach
In an organizational or operational context, resilience defines the ability to withstand adversity, disruption, or impact while continuing to meet the mission. Cyber resilience is an emergent property that emanates from counterbalancing investments in both protective and sustaining strategies so that the organization benefits from maximum attack prevention while also minimizing potential loss—at the most efficient cost. In theory, such an approach would help an organization decide where to invest scarce resources and answer such questions as, “Should we invest in better intrusion detection capabilities or improve our incident response, or both?” By simply attempting to answer such questions, organizations are acknowledging that they cannot prevent all attacks and must be ready to minimize impact when necessary.
Making the Shift to Resilience
But, how does an organization shift its mindset from “cybersecurity = prevention” to “cybersecurity = resilience”? Here are four simple actions to jump-start this transition and improve cyber resilience:
- Don’t ignore the basics. It still makes good sense to ensure that fundamental cybersecurity practices and controls are in place and functioning effectively. Many organizations are over-exposed simply because they have failed to properly reduce cyber risk related to privileged and administrative access, third-party and supply chain exposure, vulnerability management, and inadequate incident response planning. A resilience-forward approach assumes you have mastered the fundamentals, so assessing your capabilities against a common framework is a great place to start.
- Figure out what attack scenarios you are most prone to. Scenario planning is essential to a resilience approach. Understanding the attack vectors to which your organization is most susceptible lays the groundwork for determining which preventative and sustaining strategies are best aligned to reduce the risk of a successful attack. These scenarios help to focus the organization’s cybersecurity priorities rather than taking a “defend-all” approach. Organizations with significant digital assets and intellectual property may prioritize data exfiltration scenarios, while those with large-scale operations and critical infrastructure may focus on damage or destruction scenarios.
- Quantify your scenarios. Cyber risk quantification (CRQ) is a fundamental tool for implementing a resilience-based approach. CRQ translates attack scenarios into potential losses. Using CRQ, attack scenarios can be cast in terms of financial impact, providing a data point against which investments in countermeasures can be analyzed and optimized.
- Evaluate countermeasures in a Return-on-Resilience (RoR) context. What is the best balance of countermeasures that provides optimal risk reduction at the lowest cost? Once the potential loss of a scenario is known, preventative and sustaining strategies can be evaluated and balanced relative to the cost they avoid. For example, is it best to invest in a new IDS tool for $4 million, spend $2 million on improved data recovery capabilities, or spend $6 million on both to avoid a loss of $3 million? Or is it best to spend just $2 million on sustainability and continue to use an existing IDS solution? And is there a different combination of preventative and sustaining strategies that is more efficient at reducing risk?
Organizations need to maximize the efficiency of every cybersecurity dollar spent, and calculating a Return-on-Resilience can help. For example, a countermeasure strategy that costs $6 million to avoid $3 million in losses results in an RoR of 0.5, meaning that for every $1 spent the potential loss avoidance is $0.50. But a strategy that costs $2 million in total, whether focused on preventative strategies, sustaining strategies, or both, equates to an RoR of 1.5, a potentially much more efficient use of scarce cybersecurity budgets.