Key Takeaways
- Regulatory pressure, board expectations, and real-world conflict are accelerating the shift from prevention-focused spending to resilience outcomes.
- The architecture of resilience has grown significantly more complex, especially as AI systems introduce new data lineage and recovery challenges.
- Cyber resilience must eclipse traditional disaster recovery and treat disruption as a continuous operating condition rather than an exceptional event.
- Resilience operations (ResOps™) provides an operating model for making resilience continuous, cross-functional, and demonstrable under actual conditions.
- The hardest part of the transition to ResOps is organizational. Fragmented ownership and misaligned priorities remain the most common failure modes.
Disruptions have become business as usual. Over the past year alone, we’ve seen:
- Drone strikes on data centers in the UAE and Bahrain caused cascading problems across the organizations storing data and workloads there.
- A DNS misconfiguration by a hyperscaler knocked out internet access for millions of US users.
- A fire at a data center caused intermittent failures for tens of thousands of a top social media platform’s users for an entire day.
When the operating environment is inherently uncertain, CISOs and CIOs need to rethink their approach to business continuity.
In a recent webinar, David Nowak, principal at Deloitte’s Cyber Risk Service; Kent Meyer, managing director at Deloitte; and Shilpi Handa, IDC’s associate research director for cybersecurity in the META region, joined me to discuss what operational resilience actually demands in strategy, in architecture, and in day-to-day operations.
Sneak Peek: It’s No Longer a Matter of If, but When
In this clip from the webinar, you’ll hear why outages are no longer just IT events – they are business events. Boards and regulators are now shifting focus from if an outage occurs to how quickly organizations can recover.
Why Disaster Recovery Isn’t Enough
Per NIST’s definition, cyber resilience goes beyond traditional security by assuming breaches will happen and focusing on survival and rapid recovery, not just prevention. This assume-breach framing has been part of zero trust for years, but how many organizations are actually putting its implications into practice?
Backup operations focus on whether data has been copied, and disaster recovery on whether systems can be restored, but true resilience demands that you answer a much harder question: Can these services be restored end to end, under stress, and continuously?
We’re seeing this mindset take hold across all sectors, driven by a combination of regulatory pressure and board-level expectations.
- In Europe, the EU’s Digital Operational Resilience Act (DORA) now mandates specific resilience outcomes and recovery timelines.
- The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection regulations are undergoing a resilience lens as well.
- Securities and Exchange Commission (SEC) breach reporting requirements have put a spotlight not just on disclosure but on what organizations are doing to recover.
Boards now treat any outage as a business harm event, and the expectation has shifted to demonstrating not just that recovery is possible, but that it can happen quickly, with high confidence.
IDC research by Handa illustrates the way traditional recovery operations can fall short. Following the outbreak of war in the Middle East, she found CIOs and CISOs struggling with the continuity not only of technology, but also of people and processes as staff relocate overnight and offices become inaccessible, leaving no one to run manual failover.
And this is just one of the countless unpredictable scenarios organizations need to account for.
Building the Architecture of Resilience
A resilience strategy encompasses both what you protect and whether you can recover it. On the former count, the scope of what needs to be protected has expanded steadily, including identity systems, communication platforms, workloads, productivity tools, CI/CD pipelines, and structured and unstructured data.
The latter point – “whether you can recover it” – creates the new requirements for that strategy. It’s not enough to capture point-in-time snapshots and define traditional recovery objectives. As adversaries target backup infrastructure, organizations must now examine recovered data and confirm that it’s free of compromise before bringing it back online. Isolated recovery environments, air-gap protection for critical services, and cleanroom capabilities have become essential components of resilience architecture.
AI introduces a new layer of difficulty. To recover an AI model, you’ll need not just a backup of the model file itself, but everything that went into creating it. This includes its datasets, hyperparameters, framework versions, feature engineering, and infrastructure configurations, as well as a complete dependency map showing how it all fits together.
Meyer frames cyber resilience solutions as a way to democratize disaster recovery. Whereas traditional disaster recovery was siloed inside IT and accessible only to specialists, newer platforms can give security operations teams, business owners, and operations staff the visibility they need to engage.
That matters for organizations with constrained resources, and it changes what’s possible in terms of moving from tabletop exercises to real, demonstrable restores.
ResOps: The Operating Model for Sustainable Resilience
ResOps treats resilience as a continuous function, not just something that happens in response to an incident.
In simple terms, it’s about operationalizing resilience when normal operating assumptions no longer hold. Instead of taking for granted that your backups will be available, clean, and restorable when disaster strikes, with ResOps you’re continually discovering where data lives, protecting and capturing it across on-premises and cloud environments, detecting anomalies, recovering to a trusted state, and restoring workloads that have been fully validated. That way, you’re increasingly ready for a disruption, and more confident that you’ll be able to get through it successfully.
Nowak offers a phrase that captures the essence of ResOps: resilient by design. It’s the successor to the secure-by-design principle that shaped the last generation of security architecture. Beyond building systems that resist compromise, we’re now building systems that can continue functioning when compromise occurs.
The Human Side of ResOps
Adopting ResOps is at least as much about people and process as it is about technology. As Handa notes, organizations don’t typically fail because they lack the right tools; they fail because ownership is fragmented across too many roles, with no shared operating rhythm and no clear decision rights when things go wrong.
ResOps forces organizations to answer questions many haven’t yet worked through, such as:
- Who has the authority to restore services if the primary team is unavailable?
- How should remote execution playbooks be structured?
- How will cross-regional failover work when it can’t depend on a single location?
In that sense, ResOps is less about restoring systems and more about enabling the continuity of decision-making, execution, and accountability under disruption.
To this end, many organizations have created a chief resilience officer title, particularly in state and local government. Whether filled by the CISO, the CIO, or someone new, the emergence of this role reflects broad accountability beyond IT. It requires an owner with the cross-functional authority and communication skills to bring business leaders, security teams, and operations staff into a shared operating rhythm.
The role also includes translating the case for resilience into terms that resonate across stakeholders, including monetary impact for the board, operational continuity for practitioners, and regulatory compliance for GRC teams. The goal is a decision-rights framework that’s been tested in simulations before it’s needed in an incident.
Putting It All Into Practice
Commvault helps organizations put ResOps into practice, from discovering and protecting data across on-premises and cloud environments, to detecting anomalies, recovering to a clean state, and restoring validated workloads. For organizations working to move from tabletop exercises to demonstrable restores, these are the capabilities that help make resilience operational in uncertain times.
Resources from the session, including IDC research on CIO readiness and Deloitte materials on evidence-based recovery, are available through the on-demand page.
FAQs
Q: What is cyber resilience and how is it different from disaster recovery?
A: Disaster recovery focuses on restoring systems and data after an incident. Cyber resilience is a broader, more active posture: It assumes disruptions will occur and asks whether services can be restored end to end, under stress, on a regular basis. Many organizations have strong disaster recovery plans that nevertheless leave them exposed when a real incident unfolds under unexpected conditions.
Q: What’s driving organizations to prioritize resilience over prevention?
A: Regulatory frameworks like DORA and evolving NERC standards now mandate specific resilience outcomes, not just security controls. As a result, boards are focusing on recovery timelines as a business metric.
Q: What makes AI systems harder to back up and recover than traditional data?
A: Backing up an AI model means capturing more than the model file itself. A model is the product of a specific training process involving datasets, hyperparameters, framework versions, and infrastructure configurations. Without that full context, recovery may produce something that can’t be trusted or reproduced.
Q: What is ResOps, and how does it differ from a traditional resilience program?
A: ResOps is an operating model that treats resilience as a continuous, cross-functional discipline rather than a contingency plan. Where traditional programs tend to be siloed in IT and activated after an incident, ResOps brings together security, operations, business owners, and leadership around shared playbooks, clear decision rights, and ongoing validation of recovery readiness.
Q: What are the biggest obstacles to adopting ResOps at scale?
A: The challenges are organizational, including fragmented ownership, misaligned priorities, and the absence of a shared operating rhythm. ResOps requires agreement – before an incident occurs – between security operations teams, business owners, and operations staff on what’s critical, who’s responsible, and how recovery will be validated.
Michael Thelander is Senior Director, Product Marketing at Commvault.
