Time to Face the Music on Cyber Risk: Why Recovery, Not More Tools, Defines Resilience

As AI accelerates attacks and security stacks reach saturation, organizations must reset expectations and elevate recovery, resilience, and realistic risk management to the same level as detection and response.
Dec. 26, 2025

Key Highlights

  • Attackers are increasingly using AI to craft sophisticated, rapid cyber threats, making resilience and recovery more critical than ever.
  • Organizations should elevate data resilience and recovery to board-level discussions to ensure strategic alignment and resource allocation.
  • Combining AI with human expertise enhances detection, response, and recovery, but planning for system and data restoration remains essential.
  • Effective communication and inter-departmental collaboration are key to understanding and managing cyber risks holistically.

If there has been one constant in the cyber threat landscape, it’s that attackers often appear at least a half-step ahead of defenders. Resiliency feels like a carrot on a stick, dangled in front of security teams.

In recent years, the industry has taken commendable steps toward building a holistic approach to cybersecurity, aiming to foster enterprise-wide security cultures that encompass everything from Secure-by-Design software development and integrated network visibility to user education and advanced threat detection. But attackers continue to find ways around defenses.

The latest weapon in attackers’ arsenals is artificial intelligence (AI), which has democratized attacks; for example, a bad actor without coding skills can trick a large language model (LLM) into writing ransomware. AI is increasing the speed, frequency, and sophistication of attacks. Not only are attackers using AI, but its presence in computing environments (whether sanctioned by a company or used individually by employees as shadow AI) increases risk.

SaaS vendors, for instance, routinely include AI capabilities, such as the LLMs from Anthropic, OpenAI, and others. Vendor services always introduce a level of third-party risk, but AI models incorporated into the vendor's product or service offering bring fourth-party risk to the equation. Companies need to understand where their data is going, how it's being used, and what protection is in place.

Organizations will undoubtedly continue to add improved defenses, including AI, which can be an effective tool for accelerating detection, response, and remediation. But they must also plan for the inevitable: how will they recover systems and data, and resume operations, after a successful attack?

There are signs that companies are thinking that way. IBM’s 2025 Cost of a Data Breach report showed that fewer organizations that suffer a breach are investing in more detection and response technologies, data protection tools, or other fortifications. In 2024, 63% of breached organizations reported increasing their security investments; this year, only 49% have made the same claim.

Why? From my experience, most companies have the right security tools in place to detect and respond; some even have duplicative tooling for data protection. They’ve already invested to the point of overkill.

It seems more organizations are realizing that they have the front-end tools, processes and resources in place. Despite this, breaches still occur. The critical question for me is: how prepared are you to recover and resume operations after a breach? Resiliency and recovery capabilities need to come to the forefront or at least be on par with detection and response from a planning and investment perspective.

Resilience Should Be on the Board’s Agenda

Every company has data that is critical to its business, whether in financial services, medical technology, or aluminum siding. Having appropriate resilience and recovery capabilities in place should be a board-level priority, but they can take a back seat when discussing cyber threats and defenses. Discussions tend to focus on protecting the front of house rather than the back, but both should carry equal weight. Data resilience and recovery are security 101, but they are often overlooked.

CISOs need to paint the board a realistic picture of the organization's risk footprint, the controls in place to protect and respond, and the resilience capabilities, such as backup and recovery. Deliver a clear, fact-based perspective on the organization's risk posture (this isn’t a Chicken Little moment to increase budget), and be transparent and realistic while informing the board on the full range of cybersecurity risk, protection, and resilience, so that directors have the awareness to make the right decisions and provide the support needed to protect the organization and maintain resiliency. Highlight what's working well and where improvements are required. For example, talk through the current cyber-risk posture and what capabilities and gaps exist to identify, protect, detect, respond, and recover. Talk through how you are managing and reducing risk and what support or decisions are needed from the board.

AI can also be part of the data resiliency discussion, as it can be used to create and maintain a more secure, resilient posture. Still, it is essential to involve human knowledge workers in the ultimate outcomes. Depending on the tool, today AI can get you 70-80% of the way there, but you still need human expertise in the decision-making process. (AI also helps on the front end. IBM’s report noted that the average data breach cost actually declined for the first time in five years, thanks to faster detection and containment defenses powered by AI.)


Transparency about data resiliency can also help with compliance, ensuring that backup and recovery plans meet regulatory requirements. It also helps the board determine whether backup and recovery capabilities are aligned with the organization's risk tolerance, which could go beyond regulatory requirements, for example a business need for data retention and availability for systems critical to operational continuity or for high-value IP.

Recovery Is Critical to Risk Management

A holistic approach to security and resilience relies on inter-departmental collaboration within an organization, such as between DevOps and AppSec teams, or among business execs, board members, and security leaders. Effective communication is paramount. It can help organizations prioritize risks and clearly see the importance of resiliency and gaps in defense posture.

Not all risks are equal, and you certainly cannot address them all equally. But understanding your most critical data and applications, where they reside, and what protections, including recovery, are in place can help an organization manage and mitigate known risks going forward and build a stronger resilience posture. Having that foundational underpinning could enable an organization to take on more risk, helping the business grow.

In an era when AI accelerates both attacks and defenses and most organizations already have layers of front-line cybersecurity tools, the true competitive advantage lies in the confidence to recover and resume operations in the face of an incident or data breach. Data breaches happen to organizations even when they have the right tools, processes, and staffing in place. Cyber resilience isn’t just a backup plan; it’s a business imperative that provides confidence and peace of mind. Boards, CISOs, and security teams must broaden their focus beyond perimeter defense to include recovery, continuity, and real risk management.

If you understand what matters most, protect it effectively, and plan realistically for recovery, your organization can turn cybersecurity from a reactive cost center into a strategic asset. Ultimately, it’s not just about staying safe; it’s about always being prepared.

About the Author

Todd Thorson
CISO & VP of IT, CrashPlan

Todd Thorson brings more than 15 years of information security experience across various disciplines and a proven track record of building and leading security programs to CrashPlan as its Chief Information Security Officer. He leads all security aspects, including global security operations, risk and compliance, incident response, resilience, and data protection. Before CrashPlan, Todd held several senior leadership roles on the Security team at Code42.

He led key information security and data privacy functions and successfully led the FedRAMP authorization initiative, including program development and management. Before joining Code42, Todd held leadership roles on the Security team at Target Corporation, where he led a variety of cybersecurity, data privacy, and compliance functions supporting retail enterprise operations, finance and banking, health care, e-commerce, and global supply chain.