Adversaries constantly adapt and learn from failures. The complexity of their tactics is ever increasing, creating unpredictable outcomes after an attack. Adaptability and resilience in the face of this unpredictability, then, becomes the key to a successful security posture and business continuity.

Today's digital, physical and social landscapes are complex. This complexity hides untested and unchecked security holes. Having a security program that is fixed, doesn't take into account the evolution of attacks and attackers, and continues to carry over legacy ideas, will most likely crumble under the pressure of a real security incident. It would probably provide a good immediate response, however unless the plans and procedures are flexible and resilient enough, chances are the plan will not survive first contact with the enemy. Having the ability to design programs, business processes, technology architectures, and digital security with the protection of critical assets in mind, while maintaining and integrating business continuity across all aspects of this will create resiliency.

In complex environments, resilience often spells success, while even the most brilliantly engineered fixed solutions are often insufficient or counterproductive.
— General S Mcchrystal, Team Of Teams: New Rules Of Engagement For A Complex World

Adaptability and resiliency must become the central focus for a good security program to be successful. Organizations must build digital resilience to protect their most valuable data. Agile and resilient plans and procedures must be the way security teams develop their techniques, and move forward.

Resilient thinking is the opposite of predictive security, where things like perimeter security technology lives. Resilience, adaptability, and the ability to think like an adversary is a better way to know what we don’t know, expect the unexpected, and explore other options. In other words, apply an adversarial mindset, an offensive view of things, and create a more resilient program.
It's nearly impossible to have a good overview of how well a security program performs without first understanding its risk. When organizations fail to do so, they may end up with a program that doesn't suit their organization or architeture, or a plan that will not stand a real world attack.

Understanding the adversary will help creating this resiliency. Testing, stress-testing and adapting the plan and response actions will ensure the survival of your business. Start thinking like an adverdsary, adopt the mindset of an open system that can adapt to the environment, and be ready for the next attack. It will happen.

(Note: the original version of this article was first published on the Advanced Capabilities Group blog)