Achieving Resilience Through Zero Trust
Published 08/29/2025
“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” - Sun Tzu
“Resilience is the ability to remain viable amidst adversity.” Historically, we as an industry believed we could prevent incidents through the deliberate implementation of defenses. The few that got through would be easily addressed by the technical staff or covered by insurance (risk transfer). We also believed technical defenses were sufficient. After all, it is the digital assets that are under attack.
That is no longer the case. Incidents happen too often. Incidents are too disruptive, taking businesses offline for days, weeks, or even months. The impact to the business is too great, far more than insurance can cover. The long tail of lawsuits and lost digital trust can last for years.
The malicious actors understand that many years of implementing technical controls have made these technical controls our strongest defense, so they go around them by attacking the people, the process, and the organizational dimensions. Most agree attacks on the human dimension (social engineering) are key to north of 90% of incidents. Some believe the number is 98%.
What to do? The solution is simple, but it takes execution. Instead of focusing only on technical defenses, we focus on the technology, the people, the process, and the organizational dimensions through the entire cyber lifecycle of protecting, detecting, and recovering. NIST decomposes this into the five phases (Identify, Protect, Detect, Respond, Recover) of the Cybersecurity Framework (CSF). There is no material difference in principle.
(Figure: the cyber lifecycle of protecting, detecting, and recovering across the technology, people, process, and organizational dimensions.)
Resilience builds upon this in crucial ways.
No longer treat the delivery of products and services as either on or off like we did with Disaster Recovery (DR) and Business Continuity (BC).
Rather we look for ways of remaining “viable amidst adversity.” The military refers to this as “mission assurance.” Instead of being on or off, alive or dead, we operate above Minimum Viable Service Levels (MVSL) until we can fully restore.
An easily understandable example is a municipal water supply taken offline by a cyber incident. The MVSL may be that emergency services (e.g., fire) and hospitals go without municipal water for no more than two hours, and that no more than 10k people are without municipal water for more than 24 hours. In resilience, we prioritize according to business need (or the mission) while also engaging alternative strategies to get us through.
Look for alternate strategies.
To remain viable, the main strategy must include alternative strategies. Note that the above example says “municipal water.” Fire trucks can be supported by tanker trucks full of water, hospitals can have stand-alone water supplies, and constituents can be supplied with bottled water and tanker trucks until municipal water is fully restored.
Use the Business Impact Analysis (BIA) to increase alignment between the business strategy, the security architecture, and operations.
Resilience takes alignment and an understanding of dependencies. Let’s face it, nobody has unlimited resources and not all services are created equal. Knowing our priorities helps us focus our attention and allocate resources.
Focus on external dependencies.
Our world is more interconnected than ever. We rely on Cloud Service Providers (CSP), Managed Service Providers (MSP), and Managed Security Service Providers (MSSP). Historically, our plans focused heavily on our internal systems, internal assets, and internal dependencies. To be successful now, we have no choice but to look at external dependencies. Think about which services you would be unable to deliver to your customers if your CSP or SaaS provider experienced a significant outage. Verizon’s 2025 Data Breach Investigations Report (DBIR) shows that 30% of incidents are the result of a third party. That is double the previous year. Others, such as SecurityScorecard and Marsh, believe the percentage is almost twice that.
The role of Zero Trust
A quick review of the Zero Trust Guiding Principles shows an alignment between Zero Trust and resilience.
- Begin with the End in Mind (Business / Mission Objectives)
- Do Not Overcomplicate
- Products are Not the Priority
- Access is a Deliberate Act
- Inside Out, not Outside In
- Breaches Happen
- Understand your Risk Appetite
- Ensure the Tone from the Top
- Instill a Zero Trust Culture
- Start Small and Focus on Quick Wins
- Continuously Monitor
Zero Trust’s foundational concepts of always verifying identity and access controls are essential to building resilience. Both Zero Trust and resilience employ techniques to reduce the blast radius, thereby reducing the impact and fostering faster recovery. Both employ techniques to continuously monitor. The key difference is resilience is a much broader business imperative. Everything you do for Zero Trust fosters resilience.
What’s Next
CSA formed a joint working group with the Financial Services Leadership Council and the Zero Trust Task Force. We are on track to have a draft “Zero Trust Guidance for Building a Resilient Enterprise” out for review this fall. Additional contributors are always welcome.