Why Most Organizations Are Missing The True Meaning Of Cyber Resilience


Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk Company.


As we begin a new year, it’s always a good time to reflect on the past while thinking about changes for the year ahead. Cyber resilience is top of mind for many leaders today, yet we often miss its true meaning.

Despite global information security spending projected to reach $215 billion in 2024, according to Gartner, organizations are losing ground in the security arms race against threat actors. Over half of security and IT leaders claim to be strongly prepared to identify threats across their infrastructure but continue failing to detect breaches. With this in mind, how can we become truly resilient?

Three types of challenges reveal whether we are truly resilient and prepared for what lies ahead—both in our personal lives and at work:

1. Known Knowns: Predictable events we are aware of and can anticipate.

2. Known Unknowns: Situations we recognize but don’t fully understand, often resembling past experiences we can learn from.

3. Unknown Unknowns: Completely unexpected events with no prior indicators or patterns to guide our response.

Below, I’ll look at how business leaders can prepare for each of these three categories of challenge in a landscape where threats keep rising.

Prepping For The "Known"

Security teams will never know for certain when the next phishing attack that steals a credential or identity is coming, but they know the signs of this type of incident well and can prepare. Knowing the risks and indicators of a breach like this, and rehearsing the response to them, lets security teams respond smoothly when an incident does happen.

Ahead of peak periods such as the holiday season, for example, it’s common for engineering teams to deliberately inject some "knowns" into their own systems, such as a failed dependency or a saturated link, to see what the impact would be so they can better prepare. These chaos engineering techniques continue to gain popularity with platform and operations teams.

Security leaders need to classify these types of known risks, use real-life examples when educating both employees and the C-suite about them, and share simple, concrete mitigations. When we think about resilience, there will always be some level of risk we can’t control. However, decades of work by security leaders and researchers have gotten us to where we are today, and this category of risk is one we understand well.

Learning From The Past And Preparing For Something Similar

A certificate-related outage is a service disruption that occurs when a digital certificate can no longer be validated, most often because it has expired, but also when it has been revoked, misconfigured or issued by an authority the client no longer trusts. I know many organizations will be familiar with outages of this kind. In the past 12 months alone, 83% of organizations have been affected by certificate-related outages. Nearly three-quarters (73%) say that Google’s proposal to reduce TLS certificate lifespans to 90 days will cause chaos, 77% think more outages are inevitable and 81% say it will amplify existing challenges they have around managing certificates.

Apple plans to reduce the lifespan of TLS certificates to 45 days by 2027, with a key interim milestone of 200 days set for 2025. This mirrors earlier transitions, such as Google’s proposed move to 90-day certificate lifespans, which already prompted many organizations to adopt automation tools to manage the change effectively.

I expect we'll see a rise in outages in 2025 as shorter certificate lifespans lead to more expired certificates: a 45-day certificate has to be renewed roughly eight to nine times as often as today's 398-day maximum, and every renewal tracked in a spreadsheet or a calendar reminder is another chance to miss. This serves as a critical reminder: manual processes are no longer sufficient. Automation and agility are essential to maintaining security and avoiding disruptions. These changes in TLS certificate management will reshape security practices, but by taking proactive steps and learning from past challenges, organizations can better prepare for the future.
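To make the renewal arithmetic concrete, here is an added Go example (written for this edit; it is not code from the article, from Venafi or from any certificate authority). It mints a few self-signed certificates with constructed lifetimes, classifies each one against a renewal window at a fixed "today", and estimates how many renewals per certificate per year a 398-, 200- and 45-day lifespan implies. The rule of renewing at two-thirds of the lifetime (when a third of it remains, as common ACME clients do) is an assumed convention, and the hostnames and issuance dates are constructed, not real inventory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the renewal state of one certificate in an inventory.
type Status string

const (
	StatusExpired  Status = "EXPIRED"   // NotAfter has passed; TLS handshakes are already failing
	StatusRenewNow Status = "RENEW_NOW" // inside the renewal window; replace it before it expires
	StatusOK       Status = "OK"        // early enough in its lifetime that no action is due
)

// RenewalDeadline is the instant at which renewal should begin. renewFraction is the
// share of the lifetime after which ACME-style clients renew; 2/3 (renew with a third
// of the lifetime left) is the convention assumed in this example.
func RenewalDeadline(cert *x509.Certificate, renewFraction float64) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotBefore.Add(time.Duration(float64(lifetime) * renewFraction))
}

// Classify reports whether a certificate is fine, due for renewal or already expired at now.
func Classify(cert *x509.Certificate, now time.Time, renewFraction float64) Status {
	switch {
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case !now.Before(RenewalDeadline(cert, renewFraction)):
		return StatusRenewNow
	default:
		return StatusOK
	}
}

// RenewalsPerYear estimates how often one certificate must be replaced each year
// when it is renewed at renewFraction of a lifetimeDays lifespan.
func RenewalsPerYear(lifetimeDays, renewFraction float64) float64 {
	return 365.0 / (lifetimeDays * renewFraction)
}

// NewSelfSignedCert mints a throwaway self-signed certificate so the checks above run
// offline. A real inventory would instead parse PEM files or the chains served by endpoints.
func NewSelfSignedCert(subject string, notBefore time.Time, lifetimeDays int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		DNSNames:     []string{subject},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // fixed "today" so the run is reproducible
	const renewAt = 2.0 / 3.0

	// Constructed inventory (not real hosts): subject, days since issuance, lifetime in days.
	specs := []struct {
		subject      string
		issuedAgo    int
		lifetimeDays int
	}{
		{"api.example.com", 100, 398},    // today's 398-day maximum, still mid-life
		{"legacy.example.com", 300, 398}, // past the 2/3 mark: renewal overdue
		{"shop.example.com", 31, 45},     // 45-day cert: its renewal window opened on day 30
		{"dev.example.com", 46, 45},      // already expired: the outage has started
	}
	for _, s := range specs {
		cert, err := NewSelfSignedCert(s.subject, now.AddDate(0, 0, -s.issuedAgo), s.lifetimeDays)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s %-9s expires %s\n", s.subject, Classify(cert, now, renewAt),
			cert.NotAfter.Format("2006-01-02"))
	}
	// How much more often each certificate must be touched as lifespans shrink.
	for _, days := range []float64{398, 200, 45} {
		fmt.Printf("%3.0f-day lifespan: %4.1f renewals per certificate per year\n",
			days, RenewalsPerYear(days, renewAt))
	}
}
```

The useful output is the last three lines: at a two-thirds renewal point, a 398-day certificate is replaced about 1.4 times a year and a 45-day certificate about 12 times a year, so a manual process that was merely tedious becomes one that has to execute correctly every month for every certificate in the estate.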

Embracing Chaos Engineering For The Unknowns: The Best Path To Resilience

As business leaders, we have more than a few uncertainties ahead to prepare for. A successful chaos engineering strategy can help provide a path to deal with all sorts of unknowns. For example, while GenAI is an incredible tool, it can also be manipulated with crafted prompts (prompt injection) and is prone to hallucinations. In the year ahead, companies that do not take these issues seriously may find themselves in hot water. Seventy-eight percent of security leaders believe AI-developed code will lead to a security reckoning. Rather than relying only on tabletop exercises or scripted practice scenarios, I recommend embracing chaos engineering to prepare for situations your organization hasn’t dealt with before.

The July 2024 CrowdStrike outage, in which a faulty sensor content update crashed millions of Windows machines worldwide, highlighted how rapidly code can move from deployment to disaster. As code increasingly originates from diverse sources, including open source, third-party vendors and AI assistants, ensuring its integrity and authenticity becomes critical. Authenticating code, applications and workloads based on their identity is essential. With code signing poised to become a primary line of defense in the coming year, businesses can verify that code originates from a trusted source, remains unchanged since it was signed and is authorized for use. One caveat the CrowdStrike incident itself makes plain: that update was legitimately signed by a trusted vendor, so signing establishes who produced the code and that nobody altered it, not that it is safe to run. Staged rollouts and a tested rollback path have to sit alongside it.
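To show what those three checks look like in practice, here is an added Go example (written for this edit; it is not CrowdStrike's, Venafi's or any product's code). A verifier accepts a signed artifact only if the signer's key is trusted, the artifact name and bytes are unchanged since signing, and that key is authorized to release that particular artifact. Ed25519 over a SHA-256 digest, the artifact names and the hex key IDs are illustrative assumptions; a production pipeline would pin keys from a code-signing CA or a transparency log rather than a hand-built map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Three distinct failures, because "signed by a stranger", "altered after signing" and
// "signed by a colleague who may not ship this artifact" deserve different responses.
var (
	ErrUntrustedSigner = errors.New("signer key is not in the trust policy")
	ErrTampered        = errors.New("signature does not verify: content or name changed")
	ErrNotAuthorized   = errors.New("signer is not authorized to release this artifact")
)

// SignedArtifact is what a deployment pipeline receives: the bytes, the claimed name,
// the signer's public key and a signature binding name and bytes together.
type SignedArtifact struct {
	Name      string
	Content   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// TrustPolicy maps a key ID to the artifact names that key may release.
type TrustPolicy struct {
	authorized map[string]map[string]bool
}

// KeyID is the hex-encoded public key (assumed scheme for this example).
func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Authorize trusts pub and allows it to sign exactly the listed artifact names.
func (p *TrustPolicy) Authorize(pub ed25519.PublicKey, names ...string) {
	if p.authorized == nil {
		p.authorized = map[string]map[string]bool{}
	}
	allowed := map[string]bool{}
	for _, n := range names {
		allowed[n] = true
	}
	p.authorized[KeyID(pub)] = allowed
}

// digest covers the artifact name and content with a separator, so a nightly build
// cannot be relabelled as a release without invalidating the signature.
func digest(name string, content []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(content)
	return h.Sum(nil)
}

// Sign produces a signed artifact with a private key held by the build system.
func Sign(priv ed25519.PrivateKey, name string, content []byte) SignedArtifact {
	return SignedArtifact{
		Name:      name,
		Content:   content,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest(name, content)),
	}
}

// Verify applies the three checks in order: trusted source, unchanged content,
// authorization for this particular artifact.
func Verify(p TrustPolicy, a SignedArtifact) error {
	allowed, trusted := p.authorized[KeyID(a.Signer)]
	if !trusted {
		return ErrUntrustedSigner
	}
	if len(a.Signer) != ed25519.PublicKeySize || !ed25519.Verify(a.Signer, digest(a.Name, a.Content), a.Signature) {
		return ErrTampered
	}
	if !allowed[a.Name] {
		return ErrNotAuthorized
	}
	return nil
}

func main() {
	// Constructed keys: a release key, a developer key and an attacker's key.
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)

	var policy TrustPolicy
	policy.Authorize(relPub, "agent-v1.2.0")
	policy.Authorize(devPub, "agent-nightly")

	good := Sign(relPriv, "agent-v1.2.0", []byte("release binary"))
	tampered := good
	tampered.Content = []byte("release binary plus implant") // modified after signing
	relabelled := Sign(devPriv, "agent-nightly", []byte("nightly build"))
	relabelled.Name = "agent-v1.2.0" // nightly passed off as the release

	cases := map[string]SignedArtifact{
		"genuine release":         good,
		"tampered content":        tampered,
		"nightly relabelled":      relabelled,
		"dev key signing release": Sign(devPriv, "agent-v1.2.0", []byte("release binary")),
		"unknown key":             Sign(roguePriv, "agent-v1.2.0", []byte("release binary")),
	}
	for label, art := range cases {
		if err := Verify(policy, art); err != nil {
			fmt.Printf("%-24s REJECT (%v)\n", label, err)
		} else {
			fmt.Printf("%-24s ACCEPT\n", label)
		}
	}
}
```

Only the genuine release is accepted. Note that the authorization step is the one most pipelines skip: a signature from a valid, trusted developer key still says nothing about whether that person is allowed to ship a production release, which is why the policy binds keys to artifact names rather than treating "trusted" as a single bit.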

Security leaders can introduce chaos engineering into their systems to learn how those systems actually fail and whether the response mechanisms work as intended. This approach has helped developers discover performance problems and errors before they reach production. Security teams can do the same to uncover weaknesses in detection and response and prevent outages before they affect customers, ultimately increasing their organization’s cyber resilience.

Many companies have demonstrated the importance of preparing for disasters and learning from recent events to improve their readiness for the future. Take Amazon, for example: Prime Video streams Thursday Night Football live on AWS every week. How did they achieve that level of reliability, and what lessons can other providers take from their approach?

Building cyber and business resilience is an ongoing journey, but framing the effort around three key areas—addressing known risks, learning from past incidents and preparing for the unknown—can help organizations become more prepared and resilient for the challenges ahead.



