Cyber resiliency: What to stop, start, and lean into now
Ransomware volume is rising, AI-enabled attacks are accelerating breach velocity, and hybrid operating models are complicating recovery. Learn how to close the gap between strategy and execution, and watch the full FlexTalk webinar on demand.
A company falls victim to a ransomware attack every 11 seconds. Once an attacker is inside, lateral movement now happens in roughly 39 minutes, and ransomware is on pace to become a $12 trillion industry by 2026, which would make it the third largest economy in the world.
Prevention is still part of the job, but the real measure of resiliency is what happens after a breach. How quickly can you contain it, how cleanly can you recover, and can your business keep operating while you do?
Answering those questions honestly requires a hard look at what to stop doing, what to start doing, and where to lean in.
Stop assuming prevention is enough
NIST 2.0 lays out five phases: identify, protect, detect, respond, and recover. Most security investment still concentrates in the first three, even though attackers are getting through despite those controls.
"Unfortunately, they're still getting in. So now you have to look at the other two phases, and there's just not a lot of players in those other two phases, and that's respond and recover."
The other thing to stop doing is guessing at the cost of downtime. If you can't put a dollar figure on one hour offline by system and time of day, you can't prioritize controls, justify investment, or right-size recovery targets to what the business actually needs.
Picture an online retailer hit by ransomware during peak hours. The sales lost in that window are only the start, because shopping carts get abandoned and frequent customers walk over to Amazon or Walmart and may never come back at all. Downtime can add up and be very, very costly depending on the industry.
Stop equating "tier 0" labels with reality, too. Plenty of organizations have identified their tier 0 systems and built recovery plans around them, only to discover during testing that 35 tier 3 systems were quietly feeding those tier 0s the whole time. The interface comes up, but there's no data behind it to run on.
Start defining your minimum viable company
The shift is from tiering everything to identifying the smallest set of systems, data, identities, and dependencies your business needs to operate safely and generate cash flow during a disruption.
For a hospital, that's the electronic health record system and anything else that keeps patients alive. For a manufacturer, it might be payroll so people show up, the key card system so they can get in the building, and the machinery controls so they can build product. The specifics vary by industry, but the discipline is the same.
Once you know what has to come back first, you can map dependencies, build runbooks, and quantify what recovery actually requires.
Start testing with intent, as well. Chaos testing, originally developed by Netflix, builds curveballs into the rehearsal: the decision-maker is in a car accident and unreachable, the conferencing platform is down so the team can't get into a Zoom or Webex bridge, and a dependency nobody documented isn't there when you need it.
"When you start testing your plan to go see, can you operate from it, it's eye-opening in both ways of how confident you are and how much of a moment you're going to have at these organizations."
The point isn't to embarrass anyone. It's to refine the process so the team moves faster and cleaner the next time, because the bad actors coming after you are constantly refining theirs. That's their business, and they want to get paid.
Frequency varies by appetite and exposure. One large financial institution rehearses a full minimum viable company standup every 35 days, while others run quarterly or monthly targeted exercises. The right cadence is whatever the business can sustain and what the cost of downtime justifies.
Start designing for clean, fast recovery
Build resiliency on four pillars: immutable backups, an isolated recovery environment, a tested cyber recovery plan, and chaos-driven exercises that stress every assumption in the plan.
Immutability protects the data, but it doesn't guarantee the data is clean. A clean room environment with separate identity, networks, and tooling gives you a place to validate backups, scan for reinfection, and rehydrate critical services before reconnecting anything to production.
Runbooks deserve the same rigor as code, with version control, named owners, documented RTO and RPO per service, and enough rehearsal that escalation paths and decision rights become muscle memory.
That work also lowers your "willingness to pay" quotient. Attackers research targets before they breach, calibrate the ransom to what they think the victim will pay, and choose organizations that look both breachable and likely to settle. Proving you can recover quickly and cleanly makes you a less attractive mark.
Lean in on cloud-based isolation and capacity on demand
A traditional isolated recovery environment is a stack of hardware sitting there, waiting for an event that may never come. That model worked for the largest enterprises that could absorb the cost of a duplicate environment, but it doesn't fit budgets that keep getting tighter rather than looser.
A cloud-based isolation room shifts the spend pattern from fixed capital to consumption. Data flows into immutable, indelible copies, and the compute and storage required to stand it up only get billed when you actually need them, whether that's for a planned test or a live event. Customers still get vCenter access, and capacity scales as the workload demands.
That approach also opens the door to rebalancing across hybrid estates, optimizing licensing, and freeing capital that used to sit tied up in idle duplicate infrastructure.
Lean in on vendor resiliency and trusted MSPs
The minimum viable company conversation usually starts with internal systems, but it can't end there, because most enterprises now depend on third-party providers for parts of their critical operations, and that dependency is exposure.
Ask vendors what their resiliency story is, what controls they have in place, and what their recovery SLAs actually commit to. Bring critical providers into tabletop exercises before an incident so integration, access, and roles are settled in advance.
Managed service providers can extend internal teams when the economics work. When mandatory work like a hypervisor migration is consuming tens of thousands of hours of staff time, an experienced partner can hold the line on recovery targets and enforce playbooks under pressure.
"Integrating with one of these managed service providers early, when this event happens to you, you can really help you spread your wings. So it's not, hey, we have one or two admins that are going to help us get you stood back up."
That relationship has to exist before the event, not get assembled during it.
Watch the on-demand webinar
If you're recalibrating where to invest, how often to test, and how to talk about resiliency at the board level, this on-demand FlexTalk goes deeper into the operational priorities that matter most right now.
Watch the on-demand webinar: Stop, Start, Lean In: Recalibrating cost, risk tolerance, and recovery expectations in cyber resiliency
In this FlexTalk session, Flexential and Commvault experts share practical insight on:
- Why cyber incidents must be planned for, not treated as preventable anomalies
- How to define downtime cost, risk tolerance, and minimum viable operations with operational precision
- Where traditional backup strategies break under modern attack conditions
- Why testing cadence has become a board-level measure of resiliency
- How governance, isolated recovery, and external expertise materially strengthen enterprise cyber resiliency
Start now if you don't have a cyber resiliency plan in place today.
"You can't stop the attacks from happening, but you can make sure that you are prepared going forward."