
Trevor Dearing at Illumio argues that strengthening cyber-resilience starts with understanding your Minimum Viable Operation
Ever since the field of cyber-security first began taking shape decades ago, the focus has been on preventing security breaches. Today, it’s increasingly clear that breaches are inevitable and complete prevention is a myth.
While minimising the chances of a successful attack is still essential, breach containment is now a much more obtainable goal than outright prevention. In practice, this means ensuring that if your defences are broken or evaded, you can contain a breach and limit the disruption to critical services and systems.
In industry, this is often referred to as the Minimum Viable Operation (MVO) concept: the most essential resources and processes needed to ensure the business can function. Identifying, protecting, and ensuring the resilience of the MVO must be the driving force behind all cyber-security strategies.
Most businesses have steadily increased their security spending over the last few years, with Gartner estimating $182 billion spent on IT security in 2024 and predicting a rise to $292 billion by 2028.
As a result, many organisations believe they are well protected from cyber-threats. Illumio’s Global Cost of Ransomware Study, conducted with The Ponemon Institute, found that over half of security decision-makers were confident in their ability to defend against ransomware, up significantly from 2024.
Yet the findings on security incidents told a different story. We found that 88% of businesses have suffered at least one ransomware attack, and more importantly, 58% have been forced to halt their operations due to ransomware.
Part of this disconnect lies in the fact that security investment, while rising, is being focused on the wrong areas. Many companies continue to focus on preventative tools like firewalls and Endpoint Detection and Response (EDR) as they strive to reduce the probability of successful attacks.
But the truth is, you can’t stop everything. Attackers will find a way in. And while these solutions play an essential role in defending against the myriad of daily attacks, they are ineffective against more advanced attack tactics like zero-day and fileless malware.
Further, attackers rarely stop at breaching a single system, so each successful incursion comes with a heavier risk. Attackers leverage lateral movement to spread across networks and disrupt entire operations. Ransomware attacks, in particular, are built around their ability to propagate and infect as many key systems as possible before they can be detected.
So, the challenge is no longer “how do we stop an attack?” but “how do we ensure the business continues running when it happens?”.
This is where the Minimum Viable Operation comes in.
MVO represents your company’s beating heart, the core that must be protected at all costs. The concept is increasingly common across critical national infrastructure sectors like energy, healthcare, and telecoms to ensure essential services remain functional during attacks.
However, the principle applies to every business. Any organisation with a set of core activities and outputs must maintain an MVO, although the systems within it will vary. The question to ask is: which systems can the business not live or operate without?
For example, in banking and finance, protecting transaction processing is vital, while retailers are concerned about payment processing, logistics, and inventory management. For sectors heavily reliant on cyber-physical assets, such as energy and manufacturing, protecting industrial control systems (ICS) is critical.
Once you have defined your MVO, the next step is to identify and map the essential systems and any dependencies that keep them operational. The complexity of today’s average IT environment means this must be done thoroughly, as multiple systems, supplies, and third parties are likely to interact with MVO assets.
When these are known, you can conduct a full risk assessment. Where are the vulnerabilities in these critical operations? Which assets could disrupt the MVO? Which ones could be used as an attack path?
Then, once the threats are established, a segmentation strategy can be defined to limit these risks and attack paths. Ultimately, visibility helps you understand risk, and segmentation enables you to mitigate and control it.
Most organisations today have some form of detection tool like EDR to flag a potential threat and quarantine a compromised machine. But that’s not enough against fast and evasive threats. The real challenge is stopping the attack from spreading beyond the initial breach - known as breach containment.
The most effective way to implement a breach containment strategy and to protect your MVO is through micro-segmentation. This divides the network environment into isolated zones, with strict identity and access controls governing movement between them.
Access should be managed using the Zero Trust principle of “never trust, always verify” so that every request requires full authorisation. The more critical the system, the greater the verification requirements.
The best practice is to enforce a policy based on least privilege to limit connectivity to the bare minimum required. This means that even if attackers breach your network, they will have difficulty moving through the environment to reach critical systems.
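To make the mapping, attack-path and least-privilege steps above concrete, here is an added Python example (not part of the original article and not Illumio's tooling). The asset names, the flow list and the `ring_fence` zone rule are constructed assumptions for a hypothetical retailer whose MVO is payment processing.

```python
from collections import defaultdict, deque

# Constructed sample data: (source, destination) means source may connect to destination.
MVO = {"payment-api", "payments-db"}
OBSERVED_FLOWS = [
    ("hr-laptop", "file-share"), ("print-server", "file-share"),
    ("file-share", "pos-gateway"), ("pos-gateway", "payment-api"),
    ("web-shop", "payment-api"), ("payment-api", "payments-db"),
    ("dev-jumpbox", "payments-db"), ("backup-agent", "payments-db"),
    ("payment-api", "vendor-psp"),
]
# Flows the business has confirmed the MVO needs (the dependency map).
REQUIRED = {
    ("pos-gateway", "payment-api"), ("web-shop", "payment-api"),
    ("payment-api", "payments-db"), ("backup-agent", "payments-db"),
    ("payment-api", "vendor-psp"),
}

def exposure(mvo, flows):
    """Assets outside the MVO that can reach it over one or more hops."""
    inbound = defaultdict(set)
    for src, dst in flows:
        inbound[dst].add(src)
    seen, queue = set(mvo), deque(mvo)
    while queue:  # walk the flow graph backwards from the MVO
        for src in inbound[queue.popleft()]:
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen - set(mvo)

def ring_fence(mvo, flows, required):
    """Default-deny into the MVO zone (the MVO plus its direct required peers)."""
    zone = set(mvo) | {src for src, dst in required if dst in mvo}
    allowed, denied = [], []
    for flow in flows:
        # Anything entering the zone must be an explicitly required flow.
        (denied if flow[1] in zone and flow not in required else allowed).append(flow)
    return allowed, denied

def report():
    before = exposure(MVO, OBSERVED_FLOWS)
    allowed, denied = ring_fence(MVO, OBSERVED_FLOWS, REQUIRED)
    return before, exposure(MVO, allowed), denied

if __name__ == "__main__":
    before, after, denied = report()
    print(f"Assets with a path to the MVO before: {sorted(before)}")
    print(f"Assets with a path to the MVO after:  {sorted(after)}")
    print(f"Flows to deny: {denied}")
```

On this constructed data, denying two unneeded flows removes the multi-hop paths from the office network and the developer jump box, leaving only the three assets the MVO genuinely depends on.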
Most organisations accept that breaches are inevitable; the problem is that cyber-security strategies and investments have not caught up. Yet, being caught unprepared for a breach is increasingly indefensible.
It’s one thing to be the victim of an advanced cyber-attack, but quite another to have to explain to your customers, investors, and other stakeholders that operations ground to a halt for weeks because critical systems weren’t accounted for.
True cyber-resilience is not just about stopping attacks - it’s about surviving them. By incorporating an MVO approach, supported by a robust breach containment strategy, you can ensure your business can weather the most severe cyber-threats.
Trevor Dearing is Director of Critical Infrastructure at Illumio
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543