
Rob Sloan at Zscaler describes how IT infrastructure complexity is hindering cyber-resilience
The complexity of IT and security infrastructure was highlighted as the greatest obstacle to achieving cyber-resilience according to new research, Unlock the Resilience Factor from Zscaler. Forty-three per cent of 1,700 IT and security leaders worldwide ranked the challenge as a major barrier to an improved ability to recover from serious cyber-events, nine percentage points above the second-placed issue: legacy security and IT issues.
The survey results underscore the pressing need for organisations to rethink their approach and shift towards resilience by design.
Despite the obstacles, nearly half of IT leaders (49%) believe their infrastructure is highly resilient, and a further substantial portion (43%) consider it somewhat resilient. However, this perception of resilience must be backed up by robust, tested strategies that can withstand real-world threats.
One major gap in the findings is that four in ten respondents admitted their organisation has not reviewed its cyber-resilience strategy in the last six months. Given the rapid evolution of cyber threats and continuous changes in corporate IT environments, failing to update and test resilience plans can leave businesses exposed when attacks or major outages occur.
The importance of integrating cyber-resilience into a broader organisational resilience strategy cannot be overstated. With cyber-security now fundamental to business operations, it must be considered alongside financial, operational, and reputational risk planning to ensure continuity in the face of disruptions.
Limited investment in cyber-resilience remains a challenge, despite rising security budgets overall: nearly 49% of U.S.-based IT leaders globally believe their budget for cyber-resilience is inadequate. India (67%) expressed the greatest concern.
A lack of budget cannot be put down to a lack of evidence of need. Over the past six months, 45% of respondents worldwide said their organisation experienced a cyber-incident, with the highest rates reported in Sweden (71%) and Germany (53%).
Leaders also expect to face adversity in the near future, with 60% anticipating a significant cyber-security failure within the next six months. This reflects the sheer volume of cyber-attacks as well as a growing recognition that cloud services are not immune to disruptions and outages. Expectations vary by region, ranging from 68% in Sweden to 33% in France and the UK & Ireland, but the overall consensus is clear: resilience is no longer optional, but essential.
Improving an organisation’s ability to rebound after an incident starts with moving to a modern zero trust architecture, which achieves several key outcomes. First and most importantly, it removes IT and cyber-security complexity, the key impediment to enhancing cyber-resilience. Eliminating traditional security dependencies such as firewalls and VPNs not only reduces the organisation’s attack surface, but also streamlines operations, cuts infrastructure costs, and improves IT agility. Zero trust allows security teams to focus on strategic initiatives rather than maintaining outdated security controls.
The second big win is the inability of attackers to move laterally should a compromise at an endpoint occur. Users are verified and given the lowest privileges necessary each time they access a corporate resource, meaning ransomware and other data-stealing threats are far less of a concern.
The potential for a cloud outage due to natural or human-made disruptions, including cyber-attacks and sabotage, persists, and cloud service purchasing decisions are often driven by feature sets rather than resilience. A nuanced approach is needed: while a four-hour outage of an internal HR platform may be tolerable, the same disruption to core communication systems could be catastrophic.
Organisations should seek out vendors that allow them to host their own private failover cloud instances should their vendor’s services become unreachable, allowing for continued access and policy enforcement, even if the vendor experiences an outage.
Regardless of safeguards, regular disaster recovery exercises—conducted twice yearly—should define roles, responsibilities, and communication protocols to prepare teams for potential crises. Exercises identify shortcomings that can be addressed ahead of a real incident.
Organisations must move beyond a reactive mindset. By embedding resilience into their cyber-security DNA—through Zero Trust, vendor scrutiny, and continuous testing—businesses can safeguard operations against inevitable disruptions.
Rob Sloan is VP Cybersecurity Advocacy at Zscaler