The Harvard Business Review ran a piece back in July 2024 on the future of computer security,
https://hbr.org/2024/07/when-cyberattacks-are-inevitable-focus-on-cyber-resilience
Well written (imo) in straightforward language, the gist is:
What is cyber resiliency? And why is it different than cyber protection?
A prevention mindset means doing all you can to keep the bad guys out. A resilience mindset adds a layer: while you do all you can to prevent an attack, you also work with the expectation that they still might break through your defenses and invest heavily preparing to respond and recover when the worst happens. Resilient organizations specifically devote significant resources to drawing up plans for what they will do if an attack happens, designing processes to execute them when the time comes, and practicing how to put these plans into action. Prevention is critical — but it's not enough.
[...]
Yet in my work as a researcher in conversation with chief information security officers and other cyber experts, I have noticed that many leaders focus most, if not all, of their security resources on prevention and leave recovery to business continuity plans that aren't usually designed with cyber incidents in mind. Instead, leaders need to embrace a mindset of cyber-resilience.
The HBR readership is (I believe) tilted toward C-class executives, so this may well filter down into IT departments. Anyone here seen any signs of a push toward "resilience" recently?
Paywalled? Try https://archive.is/CSFA3
(Score: 3, Informative) by zocalo on Sunday October 06, @08:03AM
Most of what they are saying is, as you note, embedded in certifications like CISSP, but it's also been in things like CIS Core Controls, Defence in Depth strategies, and other similar best practice guides from multiple government advisory bodies and regulators for ages - certainly back to the late 1990s/early 2000s because I can remember working on ensuring compliance of a system being put in place as part of Y2K upgrades. In many countries, it's also already backed by a legal requirement to have all this in place, especially for owners and operators of critical infrastructure or other heavily regulated sectors, e.g. the UK's NIS Regulations of 2018, and there are a number of well established corporate accreditations that require you have this kind of resilience as well.
Better late than never, I suppose, and if it mops up a few more of the laggards then that's good news for everyone as there's less chance of their compromised systems being leveraged to launch further attacks or even more of our personal data being leaked. Quite frankly though, if this is news to anyone, I'd like to know who that is so I can ensure they're not anyone my clients and I are doing business with.
UNIX? They're not even circumcised! Savages!