Previously in our series on cyber resilience, we defined what it is and why it matters, as well as the role of high-quality penetration testing in your cyber resilience strategy.
After nearly 30 years in the business, we’ve seen a wide range of security programs, postures and maturity. In this next post in our series, we’ll share the qualities we’ve seen that the most resilient organizations have in common. We’ll dig into each one and provide practical examples that can help you identify opportunities to improve your cyber resilience.
Most companies, regardless of their size or industry, have a plan for how to deal with a natural disaster: from evacuating staff during an emergency, to setting up a temporary workspace if the building is damaged or destroyed, to recovery. They know who should play what role in order to keep core business functions going as smoothly as possible while they try to get back to normal.
The companies we work with who also plan for cyber attacks, massive network outages and more have a greater level of cyber resilience as well. They understand at the executive and board level that these events should be approached with the same seriousness and forethought as other kinds of disasters. They write security-focused policies and procedures, just like they would with Business Continuity and Disaster Recovery (BCDR) planning, practicing them on a regular basis through activities like tabletop exercises.
There’s more than one way to train and empower employees, and it's important to understand what will work best for your company. But the most resilient organizations have built a culture that allows for mistakes; it’s not adversarial between management and employees. They understand that this collaboration and input from all levels of the organization are key elements of security.
From an incident perspective, we’ve had customers whose employees won’t report things that come up because they’re afraid of getting in trouble. Employees of our more resilient customers don’t hesitate to speak up, even if it’s to say that they clicked on a link in an email and they’re worried about it.
To foster this kind of culture, companies should express to their employees that security is not a task that can be crossed off the to-do list; it’s an ongoing strategy and way of thinking. Mistakes are inevitable, and when they happen, people should feel comfortable speaking up. When everyone is confident that, instead of being shamed or punished, they’ll be supported, they become more involved in the security interests of the company.
Resilient companies have dedicated the time to build a defensible environment. They understand that this doesn’t just mean having a solid perimeter; it means being able to defend against, monitor, and respond to threats effectively.
But putting foundational cybersecurity practices in place shouldn’t be “one-and-done.” As less resilient companies expand, they often add to their network as needed without considering security-focused best practices like proper segmentation. Resilient companies take a thoughtful approach to growth, constantly evaluating their strategy, testing their environment and planning for different scenarios. They understand that even if they rushed into cloud deployments, they need to step back and define their cloud strategy with security fundamentals in mind.
At a basic level, this involves:
There are many detection tools that companies can invest in, but resilient companies have a structured approach to handling the output of these tools. They have a clear understanding of what the detected threat means for their organization, and they have set procedures for responding to those detections and communicating with the proper channels.
Alerts can be overwhelming, so resilient companies balance automated tools with human expertise. The tools collect information, and the experts are there to fully understand what that information means within their unique environment and help tune alerting as needed. They also understand that because the threat landscape changes every day, it’s crucial to test detection capabilities regularly.
Purple team exercises are a great way to test your detection capabilities and identify blind spots. As you collaborate with our penetration testers to see how a threat actor would interact with your environment in real time, you can ensure your alerts are accurate and actionable, train your team on the latest adversarial tools and tactics, and promote security buy-in from your broader IT team and executives.
When an incident is suspected or occurs, resilient companies are able to take action immediately. They are calm because they have a written and tested plan: they know exactly who to involve, how to communicate, and what steps to take when.
The consequences of not having these policies and procedures in place can be devastating. Without a clear, comprehensive strategy, an incident that might otherwise take hours to address can take days or even weeks. This kind of delay can result in significant losses of data, dollars, and consumer trust. Resilient companies have thought about these procedures in advance, rather than waiting until they have to react in a moment of crisis.
Resilient companies understand that there isn’t one set cadence for testing security; it should be based on the unique environment of the organization, the threat landscape and current world events. Whenever resilient companies make major architecture or environment changes, they conduct a high-quality penetration test to understand the impact and risk of those changes. Relying on a single test each year with massive changes in between tests leads to countless unseen risks and vulnerabilities. Resilient organizations focus on all these things and test accordingly as part of their security strategy, rather than treating it as a yearly checkbox.
As we’ve discussed, resilient companies test often and are always thinking about their security strategy in the context of the evolving threat landscape. When they test, they emphasize reporting on that testing and take steps to improve policies and procedures based on those findings.
It’s tempting to think that once you’ve fixed everything that came out of a pentest, you’re secure. But as you were making those fixes, new threats and vulnerabilities emerged. Constant and consistent evaluation, reporting and improvement is crucial.
Our favorite customers over the years, and the ones that make the biggest strides in improving their security posture, are the ones who continually look at security from the perspective of “How can we improve?” vs. “What are we doing wrong?”
Those companies typically have a much better grasp on their strategy, and their CISOs or CIOs have much better alignment with executives. They can tell a story about why security is important, and why they need to continually adjust and improve. Even companies without a dedicated team or budget have been successful as long as they prioritized security-focused strategies. They have security meetings and not just IT meetings. They have a proactive security strategy, rather than solely focusing on the day-to-day of what’s breaking.
Everyone starts their resilience journey from a different place. Building and improving upon these qualities takes time, but even changes that seem small add up and contribute to your overall resilience.
Not sure where to begin? Let us help! We have the experts to guide you along your path to cyber resilience. Reach out today.
Published By: Scott Smith, Vice President of Security Architecture, NetWorks Group
Publish Date: June 5, 2025