As cyber threats grow more sophisticated and persistent, enterprises are rethinking long-held assumptions about security. A prevention-first mindset — once considered the gold standard — is no longer sufficient in a world where breaches are inevitable, and identity systems sit at the center of risk.
To better understand how organizations can move beyond prevention and build true operational resilience, eWeek spoke with Darren Mar-Elia, principal security strategist at Semperis and a 14-year Microsoft MVP and veteran in identity and access management (IAM).
Drawing on decades of experience across enterprise IT and security, Mar-Elia explains why resilience — not just defense — must become a core operational priority.
- Why is a prevention-first security mindset no longer sufficient for modern enterprises? What changes in the threat landscape are forcing organizations to rethink this approach?
- What does operational resilience actually look like in a cybersecurity context, and how does it differ from traditional incident response or disaster recovery strategies?
- Identity systems have become a primary target for attackers. What are the biggest risks organizations face when identity infrastructure is compromised, and how should security teams prepare for that scenario?
- If prevention inevitably fails at some point, what capabilities should organizations prioritize to contain and recover from an identity-based attack quickly?
- What are the most common gaps you see in enterprise resilience planning today, and where do organizations tend to underestimate their exposure?
- For security leaders looking to shift from prevention to resilience, what are the first practical steps they should take to build stronger operational defenses?
- Without naming the organization, can you share a customer scenario where compromised identity infrastructure significantly impacted business operations?
- Bottom Line
Why is a prevention-first security mindset no longer sufficient for modern enterprises? What changes in the threat landscape are forcing organizations to rethink this approach?
Mar-Elia: I would argue that prevention was never sufficient. It’s certainly an important step, but for a while now, most organizations have needed to adopt an “assume breach” mindset, because the level of sophistication and “asymmetry” of the attacker has only increased.
So, instead of relying strictly on prevention and detection, organizations need to be able to “shrug off” the attack as if it never happened. That’s resilience. The ability to bounce back quickly and restore critical applications that allow the business to function as quickly as possible. And of course, identity has been a key part of that, since it controls access to an organization’s applications and data.
What does operational resilience actually look like in a cybersecurity context, and how does it differ from traditional incident response or disaster recovery strategies?
Mar-Elia: Operational resilience involves ensuring that you are practiced and prepared for all aspects of the security lifecycle — from before, during, and after the attack — and ensures that during an incident, the organization has the tools to communicate and coordinate the most efficient response possible. This ensures that an incident goes from “oh no, what just happened?” to, “OK, we’ve practiced this, we have our procedures and we know who needs to do what in order to bring the environment back, securely.”
Identity systems have become a primary target for attackers. What are the biggest risks organizations face when identity infrastructure is compromised, and how should security teams prepare for that scenario?
Mar-Elia: Identity systems in most organizations hold the “keys to the kingdom.” If you compromise the identity system, you compromise all applications and data. So protecting the identity system is really job one for any organization.
In terms of preparation, it really requires a number of best practices, including ensuring that your identity systems are hardened against attack, that you are monitoring those systems for threats at all times, and that you have a process in place to recover your identity systems if they are compromised.
Further, you need to have a mechanism to coordinate the recovery of your identity systems when the very foundation of your communication and collaboration infrastructure is no longer trusted and viable.
Finally, you need to ensure that you specifically practice (e.g., through tabletop exercises) the steps that are required and the realities that could happen during an identity compromise. This ensures that you can recover that identity system in the face of many other systems and applications that rely on that system being unavailable.
If prevention inevitably fails at some point, what capabilities should organizations prioritize to contain and recover from an identity-based attack quickly?
Mar-Elia: The key is to prioritize the recovery process. That means ensuring you have a recovery process and solution that works, that you test it frequently, and that you have a crisis management plan that is documented and implemented during those recovery tests.
Further, you need to be able to monitor your identity systems in real time so that you have a history of the activity leading up to the compromise.
This can also be used to help threat hunt within that compromised system, and it will help to ensure that once the identity system is recovered, you have some confidence that the attackers don’t still persist within the system.
What are the most common gaps you see in enterprise resilience planning today, and where do organizations tend to underestimate their exposure?
Mar-Elia: The first thing is assuming that identity systems can be recovered like file servers. Generally speaking, they cannot.
To make matters worse, you need an identity recovery system that can operate in the face of cyber-type attacks without reintroducing the malware or persistence that got the system compromised in the first place.
Once you have a cyber-first recovery system for your identity infrastructure, you need to plan and practice for the inevitability of its compromise. Too often, organizations check the box that they have a backup solution in place, but don’t exercise that in a real-world way.
Identity systems underpin access to more than just applications and data. They also get used to grant access to the tools that IT will need to recover the identity system in the first place.
Whether it’s the backup software itself, the virtual environment, or other management infrastructure, if the identity system is down, how will you operate if the tools you need are also down?
This is often overlooked and can be a critical failing during a disaster. This is why organizations also need to practice and be able to coordinate and communicate during the crisis.
For security leaders looking to shift from prevention to resilience, what are the first practical steps they should take to build stronger operational defenses?
Mar-Elia: Start by practicing, either through tabletop exercises or actual DR drills, your identity system recovery. Simulate the actual circumstance as closely as possible, including having a way of communicating when email and messaging are down.
Make sure all parties relevant to the recovery know their jobs up front. Have the playbook documented. Practice it. Make sure you understand what your RTO and RPO are up front, and document the systems and applications that depend on your identity system so that you can understand the impact when it goes down.
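The circular dependency described above (recovery tools that themselves authenticate through the identity system) and the advice to document which systems depend on that identity system can both be checked from a simple inventory. The following is an added example, not code from the interview or from Semperis; the inventory is constructed, and the "break_glass" flag is an assumed field meaning the tool has a documented local or offline credential path that does not touch the identity system.

```python
from collections import deque

# Constructed sample inventory (not a real environment). Each system lists
# what it needs in order to authenticate or operate, whether it is needed
# during identity recovery, and whether it has a break-glass path that
# works while the identity system is down.
INVENTORY = {
    "active-directory": {"depends_on": [], "recovery_tool": False, "break_glass": False},
    "vpn-gateway":      {"depends_on": ["active-directory"], "recovery_tool": False, "break_glass": False},
    "hr-app":           {"depends_on": ["active-directory"], "recovery_tool": False, "break_glass": False},
    "ticketing":        {"depends_on": ["vpn-gateway"], "recovery_tool": False, "break_glass": False},
    "backup-server":    {"depends_on": ["active-directory"], "recovery_tool": True, "break_glass": False},
    "hypervisor-mgmt":  {"depends_on": ["active-directory"], "recovery_tool": True, "break_glass": True},
    "out-of-band-chat": {"depends_on": [], "recovery_tool": True, "break_glass": False},
}


def impacted_by(inventory, failed):
    """Return every system that transitively depends on `failed`."""
    dependents = {name: [] for name in inventory}
    for name, meta in inventory.items():
        for dep in meta["depends_on"]:
            dependents[dep].append(name)
    seen, queue = set(), deque([failed])
    while queue:  # breadth-first walk over the reversed dependency edges
        current = queue.popleft()
        for child in dependents[current]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def blocked_recovery_tools(inventory, failed):
    """Recovery tools that go down with `failed` and have no break-glass path.

    These are the circular dependencies: the tool is needed to restore the
    identity system, but the tool needs the identity system to let you in.
    """
    down = impacted_by(inventory, failed)
    return sorted(n for n in down
                  if inventory[n]["recovery_tool"] and not inventory[n]["break_glass"])


if __name__ == "__main__":
    down = impacted_by(INVENTORY, "active-directory")
    print(f"{len(down)} systems unavailable when active-directory is down: {sorted(down)}")
    for tool in blocked_recovery_tools(INVENTORY, "active-directory"):
        print(f"GAP: recovery tool '{tool}' depends on identity and has no break-glass path")
```

Every name the second function reports is a tool to give an offline credential path before the next recovery drill, and the size of the first set is the blast radius to feed into the RTO discussion.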
Without naming the organization, can you share a customer scenario where compromised identity infrastructure significantly impacted business operations?
Mar-Elia: There have been many examples, some public over the years, of organizations whose identity systems were compromised, impacting the whole business.
Perhaps one of the most public was an organization whose Active Directory was encrypted. And it took them two weeks to recover it. It was estimated to cost 300 million dollars in lost revenue, and they were only able to recover it by virtue of a lucky circumstance. The reality could have been much worse.
Bottom Line
The shift from prevention to resilience isn’t just a tactical adjustment — it’s a fundamental change in how organizations approach cybersecurity.
As Mar-Elia makes clear, today’s threat landscape demands more than stopping attacks; it requires the ability to absorb them, recover quickly, and continue operating with minimal disruption.
For security and IT leaders, that means rethinking priorities. Identity systems can no longer be treated as just another component of infrastructure — they are the backbone of access, operations, and recovery. When they fail, everything else follows.
Organizations that perform best will be those that plan for the possibility of failure, regularly test their recovery processes in realistic scenarios, and establish clear procedures and coordination for responding effectively.
As attackers increasingly leverage AI to scale and accelerate their tactics, cyber resilience plays a critical role in minimizing operational impact and maintaining continuity.