Triangle Director of Cyber Recovery Michelle Harris recently spoke with the Business Post about a question that is now moving from the security function into the boardroom: if a cyber attack succeeds, can the organisation continue to function?
For many enterprise teams, cyber strategy has historically centred on prevention. That work remains essential. Organisations still need strong controls, monitoring, patching, threat detection and security governance. But prevention alone cannot be the full answer.
The more difficult question is what happens when an attacker gets through. At that point, resilience is no longer theoretical. The organisation needs to understand how to maintain and, in some cases, recover operations. To do this they need to understand what has been compromised, contain and clean environments, co-ordinate teams under pressure and maintain confidence across leadership, regulators, clients and employees. That is why cyber recovery has become a front-line issue for operational resilience.
The focus is shifting from prevention to recovery
In the Business Post article, Michelle makes the case for a wider view of cyber resilience. The assumption cannot be that every incident will be prevented. The assumption has to be that an event will happen, and that the organisation needs a tested way to continue operating when it does.
This is a shift many organisations are still working through. Cyber security teams, chief information security officers, risk officers and IT leaders may all understand the threat. But awareness does not always translate into actual operational resilience and recovery capabilities. In many cases, businesses are still weighted heavily towards preventing the breach rather than proving and practising what happens after one.
That proof is where the conversation becomes more demanding. A board may ask whether the organisation can recover. But the better question is whether that recovery capability can be evidenced. Can the organisation show when recovery of critical business services was last tested? Can it prove that critical data is clean? Can it demonstrate that recovery runbooks are current? Can the people involved explain their roles under pressure? Is there a communication plan? Is there a plan for rostering and backup personnel, given that a serious incident is measured in days and weeks, not minutes?
As Michelle puts it: “proof is everything.”
Operational resilience needs more than an annual test
Traditional disaster recovery planning often works to an annual rhythm. A plan is reviewed, a test may be completed, the documentation is updated and the organisation moves on. That is not enough for cyber recovery.
Cyber recovery has to keep pace with the constant evolution of enterprise environments, where new systems are introduced, applications are updated, data sets expand, access paths shift, suppliers connect into the ecosystem, and risk moves in step with the business itself.
A recovery plan that was accurate 12 months ago may no longer reflect the reality of the production estate.
Recovery cannot be something an organisation revisits once a year. It needs to be exercised regularly. Running recovery testing every 12 weeks keeps it grounded in reality. Teams know what works, what doesn't, and where the gaps are. It also means recovery isn't something the organisation is working out under pressure for the first time in the event of an attack, it's something the team has already worked through.
The human pressure of a live attack
The emotional stress of a live attack is significant and often underestimated. The pressure on people during an active attack is severe, and it is not well understood outside the teams who have lived through one. A serious attack does not unfold neatly. Teams are trying to understand what has happened while the business is still under pressure. Systems may be unavailable. Data may be suspect. The organisation may have to make decisions with incomplete information. At the same time, it may need to communicate with clients, suppliers and internal stakeholders. It is an act of war and brings an emotional toll to everyone involved.
If recovery takes days or weeks, organisations need to plan for fatigue. They need backup personnel, clear decision paths, rest rotations and defined responsibilities. They need technical teams, risk teams, communications teams and senior leadership to understand how they will work together before the incident happens.
In other words, resilience depends on rehearsal. The organisations that respond best are usually not the ones trying to invent a process in the middle of the attack. They are the ones that have tested the process, found the weak points and improved it before it was needed.
Why the board needs to ask for evidence
Cyber resilience has become a leadership issue because the consequences of a breach extend far beyond IT. A failed recovery can affect revenue, regulatory obligations, client confidence, brand reputation and the wellbeing of the teams responding to the incident. In regulated sectors, including financial services, frameworks such as DORA are increasing the pressure on organisations to demonstrate resilience in a more structured way.
But the principle applies more widely. Every organisation that depends on digital systems needs to understand what it must recover first, how recovery will happen and how it knows the recovered environment can be trusted.
That starts with defining the business services, systems and data sets that matter most. It means identifying what is required to bring a minimum viable company back into operation. It also means isolating and protecting critical data away from production attack surfaces and using clean recovery environments where data and workloads can be validated before being reintroduced.
And recovery does not end when systems come back. Restoring systems is not the end of the incident. Once the immediate technical response is under control, a different set of demands begins. There are regulators to answer to, media to manage and legal obligations to meet, and these continue well after services are back online. A recovery plan that stops at the point of technical restoration underestimates what recovery actually involves.
Cyber recovery as an operating discipline
The Business Post article reinforces a point Triangle has been making across its operational resilience work: recovery cannot be treated as a last-minute technical fallback. It has to be designed, managed and tested as part of how the organisation operates.
That includes the technology foundations, such as isolated cyber vaults, clean room recovery environments and data integrity checks. But it also includes the governance around them: separation of duties, clear ownership, tested runbooks, reporting, communication plans, evidence and continual improvement.
Cyber recovery is strongest when it becomes part of the operating discipline of the business. Not a plan that sits on a shelf, or an exercise revisited once a year, but a capability that is actively maintained and tested. If a cyber attack landed today, would you be recovering from a tested position, or starting from uncertainty?
-----------------
Read Michelle Harris’s full interview in the Business Post
Explore further:
