Cyber Resilience Must Become The Third Pillar Of Security Strategy

The rapid migration of organizations to the cloud has led to a significant shift in the way security leaders approach cybersecurity. As threats become increasingly sophisticated, it’s clear that traditional methods of prevention and detection are no longer sufficient. The notion that “cloud insecurity is inevitable” has become a harsh reality, making cyber resilience an essential component of a robust defense strategy.

The Limits of Prevention and Detection

For years, enterprise security has relied on two primary pillars: prevention and detection. Firewalls, endpoint protection, and intrusion detection systems have been the cornerstone of security measures, aiming to prevent attacks and detect potential threats. However, as attacks grow more complex, it’s evident that this approach is no longer enough. Kavitha Mariappan, chief transformation officer at Rubrik, emphasizes that breaches will happen, and organizations must prepare to recover as quickly and completely as possible.

This shift in mindset reflects a growing understanding that cyber resilience must be elevated to stand alongside prevention and detection as an equal pillar of security strategy. Mariappan, who has spent years in the prevention-and-detection world, acknowledges its limitations. “We’ve built entire strategies around stopping attacks, with the belief that all attacks are preventable. They’re not,” she says. Richard Stiennon, chief research analyst at IT-Harvest, describes this approach as hyper-layers of defense, where prevention provides immediate benefits, detection adds to workloads, and resilience ensures that the impact of a successful breach is minimized.

The Importance of Resilience

Today’s attackers exploit complex environments that span on-premises systems, multiple clouds, and hundreds of SaaS apps. Even the best defenses can’t block every breach, whether it’s from ransomware, insider threats, or supply chain compromises. Resilience – the ability to minimize damage, restore operations quickly, and maintain business continuity – is what keeps an incident from becoming a crisis. It’s essential for organizations to prioritize resilience, ensuring that they can recover from a breach without catastrophic losses.

The shift to cloud computing has created a dangerous assumption that moving workloads to cloud providers like AWS, Azure, or Google Cloud means that the provider “takes care of security.” While hyperscalers secure their infrastructure, customers are responsible for protecting their own data, configurations, and access. This responsibility gap can lead to a false sense of security, leaving organizations vulnerable to attacks. Native cloud backup and recovery tools, designed for operational mishaps, often lack the immutability, isolation, and advanced threat detection needed to withstand modern cyberattacks.

Building Resilience by Design

Effective resilience starts with rethinking backup as more than a compliance checkbox. Immutable, air-gapped copies prevent attackers from tampering with recovery points, while built-in threat detection can spot ransomware or other malicious activity before it spreads. However, technology alone is not enough. Leaders must identify the “minimum viable business” – the essential applications, accounts, and configurations required to function after an incident – and build recovery strategies around restoring these first to reduce downtime and financial impact.

Limiting the blast radius is also crucial. In a cloud context, this might mean segmenting workloads, isolating credentials, or designing architectures that prevent a single compromised account from jeopardizing an entire environment. Moreover, organizations must consider the “harvest now, decrypt later” risk posed by quantum computing, where attackers can steal encrypted data today and wait until quantum capabilities make decryption trivial. This makes encryption hygiene and proactive re-encryption critical, not just after an incident, but as an ongoing practice.

Breaking Down Silos and Assuming Breach

Resilience planning often stalls because it lives in the wrong place, with backup and recovery budgets sitting in IT infrastructure, while security teams focus on preventing attacks. Risk officers may own the broader business continuity mandate, but lack direct control over technical safeguards. Mariappan believes that resilience should be a shared responsibility across IT, security, risk, and compliance, with executive and board-level engagement. “This is no longer just an infrastructure problem,” she says. “It’s critical to the viability of the organization and the management of reputational risk.”

The new playbook, Mariappan argues, is simple: assume breach. This means designing systems, processes, and teams to respond as if an attack has already succeeded. The goal is not to eliminate risk entirely – an impossible task – but to ensure the organization can recover without catastrophic losses. While there’s a cost to building resilience, competing for budget with other security priorities, the cost of not investing – weeks or months of downtime, regulatory penalties, damaged customer trust – is far higher. As Mariappan puts it, “More detection and prevention tools are not going to keep you 100% safe. Cyber resilience must be a first-class citizen in your security and risk strategy.”