Karakor
CYBERSECURITY · STRATEGY

Invulnerable systems do not exist. The discipline worth investing in is the speed at which you detect, contain, and recover.

[Illustration: an incident response plan on a desk, marked with three brass tabs for detect, contain, and recover. A signature line and a brass seal in the lower right mark the plan as rehearsed and approved before any incident.]

Shahed Daoud · 5 min read

Most security budgets are spent on the wrong axis. Firms invest in the perimeter — the firewall, the endpoint agent, the email filter — and treat the inevitability of failure as a separate, smaller concern.

The math does not support this. An attacker who tries a hundred angles needs to succeed once. A defender who guards the perimeter needs to succeed every time. The asymmetry is structural and it has not changed in twenty years.

The discipline worth investing in is not invulnerability. It is the speed at which you detect, contain, and recover.

What resilience actually means

A resilient firm has answered three questions in writing, before an incident, and rehearsed the answers more than once:

  • When something is wrong, how do we know? Detection is a measurable property — mean time to detect, in minutes or hours, against scenarios the firm can describe.
  • Once we know, what stops the damage from spreading? Containment requires named owners, pre-authorised actions, and the authority to act without escalation.
  • Once it is contained, how do we get back to work? Recovery is not the same as cleanup; it is the documented path from "we are responding" to "we are operating."

The firms that do this well are not the ones with the most tools. They are the ones who can produce the answer on a Tuesday morning, in writing, when a partner asks.

Compliance is not the goal

Frameworks — NIST CSF, ISO 27001, SOC 2 — are useful structure for these conversations. They are not the answer to them.

A firm that earns SOC 2 certification has demonstrated that a set of controls is in place. It has not demonstrated that those controls will function during a real incident. The gap between the audit and the rehearsal is where most failures live.

What the next engagement looks like

A serious resilience engagement begins with two artefacts: a written incident response plan that names roles and decisions, and a tabletop exercise that runs the plan against a plausible scenario. Both deliverables are signed off by the principal — usually a managing partner or a CISO — before any tooling decisions are made.

Tooling follows the plan. Not the other way around.

The firms that succeed during incidents are the ones that decided what they would do before they had to do it. That decision can be made on a quiet afternoon for the cost of a competent practitioner's time. It cannot be made under the pressure of a live event, regardless of budget.