COMMENTARY: Cyber resilience strategies are often built on a flawed premise: that recovery means restoring everything as quickly as possible. It’s an understandable instinct. When systems fail, the pressure to return to “normal” becomes immediate. However, in a destructive cyberattack, teams can’t trust “normal.”Modern ransomware and wiper campaigns are not opportunistic. They are deliberate, pre-positioned attacks designed to compromise identity, embed persistence and weaken recovery paths before impact. In that context, restoring everything does not represent not resilience, it’s risk.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Organizations must rethink recovery through the lens of the Minimum Viable Company (MVC). We should no longer ask how we can recover. Rather, we need to ask: What must survive for the organization to remain viable?We can’t create resilience by focusing on completeness. Today, it’s about survivability.The problem with restoring everythingTraditional disaster recovery assumes speed equals success. Restore the estate, bring systems back online and resume operations. In practice, this approach often makes security issues worse.If identity systems are compromised, configurations altered, or persistence mechanisms remain, restoration simply reintroduces the attack. Organizations return to production with the same vulnerabilities, or worse, an adversary foothold. It’s like fixing a house while it’s still flooding, causing longer outages, repeated damage and lost confidence.The MVC approach takes a different view: instead of restoring everything, it focuses on restoring the minimum set of services required to sustain operations at an acceptable level.Defining viability under pressureMost organizations believe they understand their critical services, but few have tested that assumption under the conditions of a destructive cyberattack.In steady state operations and in typical business impact analyses, “critical” often expands to include a wide range of systems. In a crisis, we must make the definition narrower and more precise.Think of aviation. When an aircraft loses power, the pilot focuses only on the critical systems required to keep the plane in the air and safe. Everything else remains secondary. We need this kind of discipline in cyber resilience.A well-defined MVC establishes the following:These are not technical exercises. They are business decisions companies must make and owned at the executive level.The reason many organizations avoid this conversation: it forces trade-offs, but it’s not possible to have everything.Defining an MVC means accepting that some services will remain unavailable longer than business owners would like. It means prioritizing certain outcomes over others and making decisions that are uncomfortable outside of a crisis. Those trade-offs do not disappear in an incident: they simply become implicit, reactive and often more damaging.Organizations that perform well are not those with the most advanced tooling or the largest teams. They are the ones that have already made these decisions and tested them before the attack happens.Recovery to a trusted stateSpeed often gets treated as the primary metric in recovery. In reality, trust should become the more important measure. Bringing systems back online quickly has little value if those systems are still compromised.It’s particularly critical for identity and authentication services. If these are not restored to a “known-good” state, every subsequent recovery step gets built on unstable ground.The MVC model supports recovery to a trusted state. By narrowing the scope of initial recovery, organizations can:This allows for controlled, deliberate recovery rather than a race to restore everything at once.Turn theory into operational capabilityMVC represents a practical framework as opposed to a theory, but only if it’s operationalized. It’s not architecture, it's a capability. That means embedding MVC definitions into incident response and recovery playbooks, testing them against realistic attack scenarios and aligning IT and security teams around a shared operating model.It also requires recovery tooling and processes that support investigation and forensic validation, not just restoration. Without that, organizations are delivering hope, not cyber resilience.Above all, it requires executive ownership, because MVC decisions are business decisions, not technical ones.Cyber resilience often gets framed as a technology problem: it isn’t, it’s a decision-making problem under pressure. MVC offers a structure for making those decisions in advance, rather than improvising them in a crisis.In a destructive cyberattack, we cannot restore everything at once. So here's our choice: we decide on what matters most beforehand, or let the attackers decide.James Blake, vice president, global cyber resiliency strategy, response, and consulting services, CohesitySC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- Essential services required to meet regulatory and contractual obligations.
- Critical data and systems needed to support those services.
- Dependencies that the team trusts before recovery can begin.
- The sequence of recovery to avoid compounding risk.
- Investigate the incident to determine remediations needed.
- Validate clean recovery points.
- Rebuild critical systems from trusted configurations.
- Re-establish identity integrity before scaling operations.
- Limit the attack surface during the most vulnerable phase.
