As cyber threats grow in sophistication and scale, traditional prevention-first security models are proving insufficient for modern enterprises.
This article examines the evolution toward operational resilience, emphasizing the protection of identity systems, rapid containment, and recovery as essential capabilities. It explores how organizations can adopt an “assume breach” mindset, strengthen identity infrastructure, and build recovery-focused strategies to ensure business continuity in the face of inevitable cyber incidents.
The shift from prevention to operational resilience in 2026
For years, cybersecurity strategies have centered on prevention — building stronger perimeters, deploying advanced detection tools, and attempting to stop attackers before they gain a foothold.
While prevention remains a critical component of any security program, it is no longer sufficient on its own. The modern threat landscape is defined by increasingly sophisticated adversaries, asymmetric attack methods, and a growing reliance on identity systems that underpin enterprise operations.
As a result, organizations must shift toward operational resilience: the ability not only to defend against attacks but to withstand, contain, and rapidly recover from them. This shift reflects a broader recognition that breaches are not a matter of if, but when.
The limits of prevention in a modern threat landscape
A prevention-first mindset assumes that threats can be fully mitigated before damage occurs. However, this assumption has become increasingly unrealistic. Attackers today leverage automation, social engineering, supply chain vulnerabilities, and identity-based exploits to bypass even well-funded defenses.
The concept of “assume breach” has emerged as a necessary evolution. Rather than relying solely on prevention and detection, organizations must prepare to “absorb” attacks and continue operating. This requires resilience — the capacity to recover quickly and restore critical systems with minimal disruption.
Identity systems are central to this challenge. Because they control access to applications, data, and infrastructure, they are high-value targets. When compromised, the impact extends far beyond a single system, often affecting the entire enterprise.
Defining operational resilience in cybersecurity
Operational resilience goes beyond traditional incident response or disaster recovery. While those approaches focus on reacting to events or restoring systems after failure, resilience encompasses the entire lifecycle of a cyber incident, including preparation, response, and recovery.
In practice, operational resilience means:
- Having well-defined and rehearsed response procedures.
- Ensuring clear communication and coordination during incidents.
- Maintaining the ability to restore systems securely and efficiently.
- Reducing uncertainty during crises through preparation and practice.
A resilient organization moves from reactive confusion (“What just happened?”) to structured execution: “We’ve practiced this, and we know what to do.”
This level of preparedness is especially critical when core systems — such as identity infrastructure — are compromised.
Identity as the foundation of enterprise security
Identity systems are often described as holding the “keys to the kingdom.” They govern authentication, authorization, and access across the enterprise. Consequently, their compromise can lead to widespread operational paralysis.
The risks associated with identity compromise include:
- Unauthorized access to critical applications and data
- Loss of trust in authentication systems
- Inability to manage or recover other infrastructure
- Persistence of attackers within the environment
To mitigate these risks, organizations must adopt a comprehensive approach that includes:
- Hardening identity systems against attack
- Continuous monitoring for suspicious activity
- Dedicated recovery processes designed for cyber incidents
- Crisis coordination mechanisms that function even when identity systems are unavailable
- Regular testing and simulation, such as tabletop exercises
Increasingly, organizations are also turning to specialized identity resilience solutions — such as those from vendors like Semperis — to support threat detection and secure recovery for systems like Active Directory.
Prioritizing recovery over prevention alone
If prevention is destined to fail at some point, recovery becomes the defining capability of a resilient organization. Effective recovery requires more than backups; it demands a validated, practiced, and secure process.
Key priorities include:
- Establishing a reliable, cyber-aware recovery solution that avoids reintroducing malware.
- Testing recovery processes frequently under realistic conditions.
- Maintaining detailed activity logs to support post-incident threat hunting.
- Implementing crisis management plans that guide decision-making.
Real-time monitoring of identity systems is critical, providing visibility into attacker behavior and helping ensure restored environments are free of persistent threats.
Common gaps in enterprise resilience planning
Despite growing awareness, many organizations still underestimate their exposure.
A common misconception is that identity systems can be recovered like traditional file servers, when in reality they require specialized, security-focused recovery approaches rather than standard backup and restore methods.
Additional gaps include overreliance on untested backups, a lack of coordination planning when identity systems are unavailable, dependency blind spots where critical tools rely on the same compromised identity infrastructure, and insufficient communication strategies during outages.
If identity systems are down, access to recovery tools, virtual environments, and administrative platforms may also be disrupted.
It is therefore essential to ensure recovery can proceed without relying on identity systems or the trust they provide. Otherwise, recovery efforts can stall when they are needed most.
The Marks & Spencer incident
The consequences of inadequate resilience planning are evident in high-profile incidents. In April 2025, Marks & Spencer (M&S) experienced a ransomware attack that severely disrupted operations and highlighted the critical role of identity infrastructure.
The attack, attributed to the Scattered Spider group, involved social engineering tactics targeting a third-party IT provider. Once inside the network, attackers deployed ransomware, encrypted systems, and exfiltrated sensitive data.
The operational impact was significant:
- Identity and core systems were compromised
- Automated processes were disabled, forcing manual operations
- Online services were suspended for weeks
- Customer data was exposed
- Estimated losses reached approximately £300 million
Recovery took weeks, and the organization relied, in part, on favorable circumstances to restore its systems. The incident underscores how identity compromise can cascade into widespread business disruption and financial loss.
Building a resilience-first security strategy
For security leaders, transitioning to operational resilience requires deliberate action. The following steps provide a practical starting point:
Conduct regular recovery exercises
Simulate identity system failures through tabletop exercises or full disaster recovery drills that reflect real-world constraints, including the loss of identity services, email, and administrative access.
Document and rehearse playbooks
Ensure all stakeholders understand their roles and responsibilities during an incident.
Plan for communication outages
Establish alternative communication channels that do not rely on compromised systems.
Define recovery objectives
Clearly outline Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Map dependencies
Identify systems and applications that rely on identity infrastructure to understand potential impact.
Invest in identity-focused resilience solutions
Technologies that combine threat detection, backup integrity, and secure recovery — such as those offered by Semperis — can play a critical role in strengthening resilience.
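As an added example (not code from the article or from Semperis), the following Python script works through the dependency-mapping and recovery-objective steps above on a constructed inventory: it flags the recovery-critical tools that become unusable when the identity system is down and lists backups that fall outside their RPO. All system names, dependencies and backup timestamps are assumed sample data.

```python
"""Dependency-map and RPO check for identity-resilience planning.
Constructed example, not code from the article: flags recovery-critical tools
that stop working when identity infrastructure ('active_directory') is down,
and lists systems whose last verified backup is older than their RPO."""
from collections import deque
from datetime import datetime, timedelta, timezone
# Constructed sample data: system -> systems it depends on to function.
DEPENDENCIES = {
    "active_directory": [],
    "vpn": ["active_directory"],
    "email": ["active_directory"],
    "backup_console": ["active_directory"],  # blind spot: restore UI needs AD logins
    "hypervisor_mgmt": ["active_directory", "vpn"],
    "offline_recovery_vault": [],            # isolated, local break-glass credentials
    "incident_chat": ["email"],              # collaboration tool bootstraps via mail
    "out_of_band_bridge": [],                # phone bridge, no identity dependency
}
RECOVERY_CRITICAL = ["backup_console", "hypervisor_mgmt", "offline_recovery_vault",
                     "incident_chat", "out_of_band_bridge"]
# Constructed backup inventory and objectives for the RPO check.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_BACKUPS = {"active_directory": SAMPLE_NOW - timedelta(hours=30),
                  "hypervisor_mgmt": SAMPLE_NOW - timedelta(hours=2)}
SAMPLE_RPO = {"active_directory": timedelta(hours=24), "hypervisor_mgmt": timedelta(hours=4)}


def transitive_deps(system, deps=DEPENDENCIES):
    """Every system `system` relies on, directly or through other systems."""
    seen, queue = set(), deque(deps.get(system, []))
    while queue:
        dep = queue.popleft()
        if dep not in seen:
            seen.add(dep)
            queue.extend(deps.get(dep, []))
    return seen


def blocked_when_down(failed, critical=RECOVERY_CRITICAL, deps=DEPENDENCIES):
    """Recovery-critical tools that cannot be used if `failed` is offline or untrusted."""
    return sorted(t for t in critical if t == failed or failed in transitive_deps(t, deps))


def rpo_violations(last_verified_backup, rpo, now):
    """Systems whose newest *verified* backup is older than the RPO set for them."""
    return sorted(s for s, taken in last_verified_backup.items() if now - taken > rpo[s])


if __name__ == "__main__":
    print("Unusable if AD is down:", blocked_when_down("active_directory"))
    print("RPO violations:", rpo_violations(SAMPLE_BACKUPS, SAMPLE_RPO, SAMPLE_NOW))
```

Tools that survive an identity outage in this model are exactly the ones with no path to the identity system, which is the property a dependency map should make visible before an incident.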
Bottom line
The evolving threat landscape demands a fundamental shift in cybersecurity strategy. Prevention alone is no longer sufficient; organizations must embrace operational resilience, prioritizing the ability to recover quickly and securely alongside defense.
Identity systems sit at the center of this transformation. Protecting, monitoring, and rapidly restoring these systems is essential to maintaining business continuity in the face of modern cyber threats.
By adopting a resilience-first mindset — grounded in preparation, practice, and recovery — enterprises can move beyond reactive security and toward a more durable, adaptive defense posture.
This approach aligns with zero-trust principles, which assume compromise and continuously verify identity to limit the impact of attacks.
