How resilience can be woven into security fabrics

As they try to keep up with the rapid pace of technological evolution, IT teams continue to face immense pressure to innovate and digitize. At the same time, internal conditions such as legacy architectures and hybrid workforces, plus external ones like growing industry regulations and soaring cybersecurity threats, make protecting their business a more complex task than ever before.

A realistic security team should be thinking that a significant security failure – whether a cyber-attack, brownout, blackout or worse – is now an inevitability. Accordingly, organizations must have a cyber resilience strategy on hand that allows them to bounce back and mitigate the damage of any incident as quickly and efficiently as possible.

Now is the time for IT teams to test current cyber resilience strategies and discover if they are fit-for-purpose in this new digital age. Where are the potential blind spots and how would a change in a security approach help to not only close them, but also gain more competitive advantage?

A misguided sense of confidence

In December 2024, Zscaler conducted a cross-industry survey in 12 global markets called ‘Unlock the Resilience Factor: Why Resilient by Design is the Next Cyber Security Imperative’, engaging 1,700 IT leaders to uncover the state of cyber resilience within today’s organizations. The report found that almost two-thirds (60%) of IT leaders expected a significant failure scenario within the next twelve months, and 45% had already experienced one in the past six months.

While these statistics show a depressing reality, the survey data suggests IT leaders feel confident in their resilience strategy to respond to such incidents. Almost half (49%) of respondents believe their IT infrastructure to be highly resilient, and this rises significantly to 94% who believe their current cyber resilience measures are at least somewhat effective. Well, there you have it – crises averted, and organizations can sleep soundly knowing they are prepared for any eventuality. Unfortunately, when you scratch the surface, you may find that this confidence is built on shaky foundations.

The report findings actually uncovered worrying inconsistencies in these cyber resilience strategies, suggesting some of the IT leaders’ confidence in handling the new ‘when not if’ threat reality may be misplaced. Despite acknowledgement from the wider cyber community of the potential threat of AI-based cyber-attacks, for example, only 45% of IT leaders say that their cyber resilience strategy is up to date in response to the rise in this technology. Upon further scrutiny, two-fifths (40%) of respondents also admitted to not having reviewed their cyber resilience strategy in the last six months.

Resilience not a high enough prioritization for leadership

Examining the disconnect, the report highlights a lack of investment from organizational leadership as one of the chief reasons resilience might be falling behind. While respondents noted that leaders understood the growing importance of a robust cyber resilience approach, only 39% felt it was a top priority for their leadership. This was reflected by almost half (49%) agreeing that the level of financial investment doesn’t meet the escalating need – as well as the fact that only 44% of IT leaders said their CISO actively participated in any resilience planning, and only 36% said their cyber resilience strategy is included within their organization’s overall resilience strategy.

Without leadership understanding the potential impact of a weak cyber resilience strategy, IT teams are always going to be on the back foot. Greater investment is needed to ensure that teams can hunt for all the possible vulnerabilities within their organization and build a resilience strategy that aligns with the wider business strategy. Any cyber resilience strategy that operates in a silo isn’t going to be fit-for-purpose and may result in a failure scenario lasting for a longer period of time, as business-essential technology isn’t prioritized within the legacy resilience strategy.

Build a ‘Resilient By Design’ approach

To mitigate cyber resilience risk, organizations should embed visibility and control into their security solutions’ very fabric. This is enabled through an approach we call ‘Resilient by Design’. By planning for failure, teams are better equipped to take immediate action; understanding exactly what the failure scenario is and where it is, with supportive tech solutions in place to stop it in its tracks before it becomes a full-scale incident. This is what Zscaler’s Zero Trust Exchange Platform enables – ‘Resilient by Design’ is part of the DNA of the cloud security platform and its services, which help businesses better anticipate and mitigate risks instead of simply experiencing and reacting to them. For the traditional security audience, this translates into availability, confidentiality and integrity no matter what.

The following services support a ‘Resilient by Design’ approach to reduce risk, minimise the attack surface, prevent initial compromise, prevent lateral movement and stop data loss:

Zscaler Internet Access™ (ZIA™) with user risk scoring allows organizations to set dynamic access control policies based on various risk factors, accounting for the latest threat intelligence to restrict access to sensitive applications for users with a high risk score.
Zscaler Private Access™ (ZPA™) has been updated with Adaptive Access Policy to continuously assess a risky user’s behavior or device posture changes and provide user-specific and device-specific enforcement based on these security events.
Zscaler Data Protection provides consistent, unified security for data in motion and data at rest across SaaS and public cloud applications, reducing the likelihood of data exfiltration while mitigating the potential impact of ransomware attacks.
Unified Vulnerability Management leverages unified security findings and business context to prioritize risk, automate remediation workflows, and provide dynamic reports and dashboards.
Risk360™ supports insight into how Zscaler systems are configured and suggests changes to improve the risk posture of an organization. Telemetry data from the Zscaler security cloud and third-party sources help to quantify and visualize enterprise-wide risks, detect Active Directory misconfigurations, and identify security gaps in public-facing assets.
Zscaler Deception deploys realistic decoys across an environment to lure, detect, and intercept active attackers.

Conclusion

Today’s business landscape demands that organizations put more of a focus on cyber resilience to ensure it is funded properly and encompasses all elements of the organization. But these actions cannot take place in a silo. Instead, they must become part of security strategies from the start, equal in priority to prevention.

The ‘Resilient by Design’ architecture helps businesses move away from the traditional detect-and-respond approach to threats and empowers enterprises with the tools for swift containment, effective response, and minimal to no disruption when a failure scenario hits. This principle helps IT teams withstand adversity, adapt operations, and move forward with confidence, ready to thrive in the face of any challenge.
