Meeting after meeting, keynote speech after keynote speech, I realise that the pursuit of 100% prevention has become an anachronism. The combination of systemic complexity, the exponential acceleration of AI-driven threats, and the sophistication of nation-state-level attacks makes the total avoidance of incidents not only an impossibility but a dangerous concept.
For the modern Chief Information Security Officers (CISOs) and the executive leadership they serve, this is a sobering truth that necessitates a fundamental shift in strategy: the evolution from a singular focus on security to a comprehensive commitment to resilience.

Security, in its traditional sense, creates a false sense of protection—a fortress mentality designed to keep the adversary out. Resilience, by contrast, is about ensuring operational continuity when the walls have been, even slightly, breached. It carries a degree of modesty: it acknowledges that a breach is inevitable, and that the true measure of success lies in the speed and efficacy of the recovery.
More pragmatically, this new paradigm of resilience is defined by three core capabilities, which move the focus from the perimeter to the core mission:
1. Anticipatory response: This isn’t just about spotting bugs; it’s about learning from a live attack as it happens. The idea is to use the attacker’s own moves to understand and respond to their attack in real time. By connecting the dots, this posture can predict where the system might fail next and have recovery tools ready to go before the damage spreads.
2. Managed degradation: This is the ability of an organisation to maintain a limited, well-defined set of critical services while assuming that other parts of the network might be compromised. It is the strategic decision to operate in a “degraded state,” ensuring that the most vital functions—be they financial transactions, power grid control, or patient care—remain operational, even if at reduced capacity.
3. Rapid restoration: The focus shifts from “if we are ever hit” to “how fast can we bounce back.” This capability is measured by the Recovery Time Objective (RTO) and is underpinned by immutable data backups and robust, tested recovery playbooks.
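The three capabilities above are easier to reason about when modelled concretely. The following Python is added here as an illustration and is not part of the original post: it treats managed degradation as a dependency-graph problem (which services can keep running when a component is known to be compromised, and which vital services need a fallback) and measures rapid restoration against an RTO from a recovery timeline. The service catalogue, the four-hour objective and the timestamps are constructed sample data, not taken from any real environment.

```python
"""Managed degradation and RTO check (added illustration, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Service:
    name: str
    tier: int                          # 0 = vital, must survive in degraded state
    depends_on: list = field(default_factory=list)


# Constructed sample topology, loosely modelled on the "patient care" example.
CATALOGUE = {
    "patient-records": Service("patient-records", 0, ["db-primary", "auth"]),
    "pharmacy-orders": Service("pharmacy-orders", 0, ["db-primary", "erp-link"]),
    "billing":         Service("billing", 1, ["db-primary", "erp-link"]),
    "analytics":       Service("analytics", 2, ["data-lake", "db-replica"]),
    "db-primary":      Service("db-primary", 0, []),
    "db-replica":      Service("db-replica", 1, ["db-primary"]),
    "auth":            Service("auth", 0, []),
    "erp-link":        Service("erp-link", 1, []),
    "data-lake":       Service("data-lake", 2, []),
}


def impacted_set(catalogue, compromised):
    """Every service that is compromised directly or depends, transitively, on one."""
    impacted = set(compromised)
    changed = True
    while changed:                     # fixed point over the dependency edges
        changed = False
        for svc in catalogue.values():
            if svc.name not in impacted and any(d in impacted for d in svc.depends_on):
                impacted.add(svc.name)
                changed = True
    return impacted


def plan_degraded_state(catalogue, compromised):
    """Decide, per service, whether it keeps running, is isolated (contained,
    not served), or is a vital service whose chain is broken and needs a fallback."""
    impacted = impacted_set(catalogue, compromised)
    plan = {}
    for svc in catalogue.values():
        if svc.name not in impacted:
            plan[svc.name] = "running"
        elif svc.tier == 0:
            plan[svc.name] = "fallback-needed"
        else:
            plan[svc.name] = "isolated"
    return plan


def vital_services_unmet(plan):
    """The degraded state is acceptable only if this list is empty."""
    return sorted(n for n, s in plan.items() if s == "fallback-needed")


def rto_report(objective, timeline):
    """timeline: (iso_timestamp, service, event) with event in
    {'incident_declared', 'restored'}. Returns actual recovery time per service
    and whether it met the objective (a timedelta)."""
    declared, report = {}, {}
    for ts, service, event in timeline:
        t = datetime.fromisoformat(ts)
        if event == "incident_declared":
            declared[service] = t
        elif event == "restored" and service in declared:
            actual = t - declared[service]
            report[service] = {"actual_minutes": actual.total_seconds() / 60,
                               "within_rto": actual <= objective}
    return report


# Constructed recovery drill timeline and a hypothetical four-hour RTO.
TIMELINE = [
    ("2026-03-01T02:00:00", "pharmacy-orders", "incident_declared"),
    ("2026-03-01T02:00:00", "billing", "incident_declared"),
    ("2026-03-01T03:30:00", "pharmacy-orders", "restored"),
    ("2026-03-01T10:45:00", "billing", "restored"),
]


def sample_rto_report():
    return rto_report(timedelta(hours=4), TIMELINE)


if __name__ == "__main__":
    plan = plan_degraded_state(CATALOGUE, {"erp-link"})
    for name, state in plan.items():
        print(f"{name:16} {state}")
    print("vital services needing fallback:", vital_services_unmet(plan))
    for name, r in sample_rto_report().items():
        print(f"{name:16} {r['actual_minutes']:6.0f} min  within RTO: {r['within_rto']}")
```

Run with a compromised `erp-link`, the plan keeps `patient-records` and the databases running, isolates `billing` and `erp-link`, and flags `pharmacy-orders` as a vital service that needs a fallback path; the drill report shows `billing` missing the four-hour objective, which is exactly the kind of quantitative evidence a resilience audit asks for.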
The critical infrastructure imperative: From choice to legal obligation
While the shift to resilience is a trend for most organisations, it is rapidly becoming a legal and regulatory obligation for those operating Critical Infrastructure (CI). Critical Infrastructure encompasses the assets, systems, and networks—whether physical or virtual—that are considered so vital to a government that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health, or safety. (3)
Historically, governments have set security standards for CI. However, the new resilience mandate represents a profound shift in the social contract between government and private entities that manage these vital systems. Governments are now declaring that the ability to withstand and recover from disruption is a matter of national security, thereby assigning the obligation to be resilient to the private operators.
Cloud sovereignty and local control
The concept of resilience is now inextricably linked to technological independence and the definition of “Local Control” (5). To meet the stringent requirements of the DNA and the CSA2 (Cybersecurity Act 2) (2), new infrastructure models are emerging:
Sovereign cloud partitions: Cloud providers are launching environments that are physically and logically isolated and whose governance structure is shielded from foreign jurisdictions, such as the AWS European Sovereign Cloud (ESC), where the management console, Identity and Access Management (IAM), billing, and executive management team are guaranteed to be located 100% within the EU. This ensures that the control plane for critical data remains within the required legal and physical boundaries.
Sovereign edge computing: Telecommunications companies are integrating security and processing directly at the network edge. This model ensures that sensitive industrial data is processed locally before it ever reaches the public internet, thereby enforcing the principles of Managed Degradation and data sovereignty simultaneously (5).
Global drivers and the market response
The regulatory push is mirrored by a powerful economic consensus. At the WEF annual meeting in Davos, Fortinet executives discussed this new deal, and in the WEF’s own 2026 report we read that 92% of CEOs now prioritise “cyber recovery capabilities” over traditional “perimeter defence spending” (1). This recent shift in executive focus is about to translate into market changes:
- Insurance transformation: Major cyber-insurers have begun implementing “Resilience Audits.” Premiums are no longer calculated solely on the occurrence of a breach but are heavily weighted by a company’s RTO (Recovery Time Objective) and the immutability of their data. This financial incentive is forcing organisations to invest in recovery frameworks that can be quantitatively measured and validated, both in terms of what they recover and how fast.
- The OECD governance framework: The Organisation for Economic Co-operation and Development (OECD) has emphasised that ensuring CI resilience requires new governance models that limit service disruptions and promote cross-sector collaboration (4). This has the merit of defining national-level frameworks that incentivise redundancy, incident reporting, and infrastructure sharing.
The technological frontier: Autonomous resilience
The technological response to the resilience mandate is manifesting in the rise of Autonomous Resilience Agents and “Self-Healing Networks.” These tools move beyond simple blocking mechanisms. They are designed to allow a suspected attack to proceed in a sandbox environment to automatically generate and distribute immunity signatures across the entire infrastructure.
This AI-driven approach embodies the resilience philosophy: instead of failing to prevent the attack, the system uses the attack itself as a data point to rapidly learn, adapt, and restore. It is the ultimate expression of the Managed Degradation principle, turning a localised compromise into a global defence advantage.
Conclusion: The architect of continuity and control
The evolution from security to resilience, now compounded by the mandate for sovereignty, is a profound philosophical and operational pivot. For critical infrastructure operators, it is the new cost of doing business, enforced by government mandate and economic reality. Crucially, this shift cannot succeed through regulation alone; it relies on deep public-private partnerships.
By aligning the government’s security intelligence with the private sector’s operational expertise, these collaborations ensure that sovereignty mandates are both technically feasible and economically sustainable, turning a top-down requirement into a shared defence strategy.
The resilience approach can be understood through a medical analogy: immunisation. Just as an organism is exposed to a weakened virus to learn and build a controlled, informed immune response, the resilient enterprise uses the very essence of an attack to its advantage. Far from being a weakness, this approach turns an actual compromise into a learning event, allowing the system to understand the threat more deeply and trigger informed, controlled recovery scenarios.
The CISO’s mission is transforming from being the gatekeeper of the fortress to the architect of continuity. The focus is no longer on the impossible task of preventing every single attack, but on building systems that are inherently adaptive, capable of absorbing shocks, and designed for rapid, assured recovery within legally defined sovereign boundaries. In this new, “war-grade” environment, the resilient and sovereign organisation is the one that can take the hit, learn from the experience, maintain what matters most, and move forward with minimal disruption.
1. World Economic Forum. (2026). Global Cybersecurity Outlook 2026.
2. Global Policy Watch. (2026, January 23). European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms.
3. The White House. (2013, February 12). Presidential Policy Directive — Critical Infrastructure Security and Resilience.
4. Organisation for Economic Co-operation and Development (OECD). (2025, June 19). Ensuring the resilience of critical infrastructure. (Excerpt from Government at a Glance 2025).
5. Sanchez, A. (2026, January 30). Summary of Sovereignty Posture for European Telcos. (Internal Memo).