Prevention is critical, but in an age of AI-driven threats, organisations must stop treating attacks as purely technical problems and start practising for the chaotic moment when systems go dark, writes Alex Spokoiny.
For years, cybersecurity has been framed primarily as a technology problem. Firewalls, endpoint protection, detection tools and incident response playbooks have dominated the conversation. Organisations invested heavily in preventing attacks and improving their ability to detect and respond.
Prevention cannot be overstated and should be considered the foundation of cybersecurity – it reduces risk, disruption, and cost, limits the blast radius, and ensures business continuity. In an environment where threats are constant and adversaries move fast, strong preventive controls remain the most effective way to reduce harm.
The reality is that it’s no longer a question of whether an attack will occur, but when; and any technical defence, even strong ones, can be tested by uncertainty, complexity, and time pressure. Such uncertainty has been exacerbated by the rapid adoption of artificial intelligence, which has aided adversaries as much as it has accelerated defence capabilities.
The organisations that emerge stronger are those that can operate effectively under failure, even when prevention has been challenged. When technology cannot immediately restore certainty, it is the organisation’s decision-making discipline and operational coordination that ultimately determine the outcome.
This is where cybersecurity evolves into cyber resilience.
More than cyber security
Cybersecurity focuses on protection and response: stopping attacks, reducing dwell time and restoring systems. Cyber resilience asks a broader question: how does the organisation continue to operate and make decisions when technology is disrupted, degraded or untrusted?
In that sense, cyber resilience mirrors other business continuity planning disciplines. For example, organisations routinely prepare for natural disasters, supply chain disruptions and operational outages, assuming that systems, people or processes may become unavailable and the business must still function.
Similarly, a severe cyber incident could delay or constrain IT recovery. Systems go down longer than expected and data integrity could become uncertain. External pressure from customers, regulators and the media can also mount. Therefore, the challenge no longer remains purely technical but also organisational.
Organisational nature of a cyber crisis
True cyber resilience requires the entire organisation to act in concert.
Legal teams must assess regulatory exposure and contractual obligations. Finance must evaluate operational impact and liabilities. Communications teams must manage messaging to employees, customers, partners and the public. Executives must make time-critical decisions with incomplete, sometimes conflicting information.
If these functions are not aligned, even a technically well-managed incident can escalate into a business crisis: delayed decisions, inconsistent messaging, unmanaged expectations and avoidable reputational damage.
Yet many organisations still “test” cyber readiness almost exclusively within IT. Incident response exercises focus on malware analysis, containment timelines and system restoration. While necessary, this doesn’t test whether the organisation can operate under sustained disruption or whether leadership can make confident decisions when the facts are unclear.
Cyber resilience demands a different approach: practice how the organisation behaves when prevention reduces risk but cannot eliminate it and when technology cannot instantly resolve uncertainty.
Why measuring cyber resilience is hard
One reason cyber resilience is often discussed but rarely measured is that you can’t measure it with just dashboards.
An agent can’t be deployed to tell you how quickly executives align under pressure, whether legal and communications can synchronise messaging in a fast-moving situation or how effectively teams share information across silos.
Cyber resilience is about decision-making, coordination and adaptability. To assess it, organisations need a structured methodology – a way to exercise, observe and measure how people and processes perform under extreme conditions. This is where tabletop exercises become invaluable.
Practising for the breaking point
Tabletop exercises are often treated as compliance requirements or basic incident response training. However, when well-designed, they are among the most practical ways to build and measure resilience.
Unlike technical simulations, tabletops focus on people and decisions, placing participants into realistic scenarios and forcing them to navigate uncertainty, trade-offs and competing priorities.
To do this effectively, the scenario should go beyond a “normal” cyber incident, with the goal of testing the organisation’s ability to operate when recovery is delayed, data trust is questionable, and external pressure is rising.
A strong resilience exercise escalates gradually:
- Early indicators suggest an attack affecting critical systems.
- Recovery timelines slip and dependencies complicate restoration.
- Data integrity concerns emerge, urging whether you can trust what’s in your systems.
- Customers and partners ask questions; regulators and deadlines loom.
- The organisation must make decisions before certainty is restored.
At a certain point, it becomes clear that technology alone will not resolve the situation quickly.
This is where the exercise becomes revealing.
Legal assesses notification obligations and risk exposure without complete facts. Finance evaluates business impact while systems remain unavailable. Internal communications manages employee uncertainty and rumour control. External communications balances transparency with legal and reputational risk. Executives make high-stakes calls under time pressure.
The value isn’t in finding the “perfect” answer; it’s about whether the organisation can work together quickly, coherently and decisively.
A well-designed cyber resilience tabletop exercise surfaces insights that purely technical tests won’t. It also creates measurable indicators you can track over time, such as:
- Time to executive engagement: How quickly leadership joins and stays engaged.
- Decision clarity: Whether ownership is clear or decisions stall in ambiguity.
- Information flow: Whether key facts move across teams or remain siloed.
- Operational continuity: Ability to run critical services in degraded mode.
- Crisis communications readiness: Internal and external messages aligned and timely.
- Recovery time objective and recovery point objective under stress: Whether recovery assumptions match reality.
- Conflict and delay points: Where friction emerges between functions.
These indicators allow organisations to move beyond “we think we’re ready” and toward concrete improvement plans.
Prevention first, resilience always
Prevention remains the core of any cybersecurity strategy to reduce the likelihood and impact of incidents, buy time and limit disruption. However, resilience ensures that when prevention is tested by speed, uncertainty and complexity, the organisation can still function.
Cyber resilience is not a one-time project. Like any business continuity planning discipline, it requires continuous practice, refinement and leadership engagement. Tabletop exercises should be repeated, adapted and expanded as the organisation evolves.
The most resilient organisations are not those with perfect defences but those that have practised failure and learned from it. If your cyber exercises stop when IT restores systems, you are testing security, not resilience. Build prevention as the foundation, then practice the moment it is not enough.
- Alex Spokoiny is Chief Information Officer at Check Point, where he leads the company’s global IT services, including business applications, datacenters, cloud, security, and IT business continuity areas. This article was originally published by the World Economic Forum.
