‘Resilience debt’ is now one of the most pressing cyber challenges for enterprises – here's what it means and how you can tackle it

Research from Dell Technologies suggests the gap between cyber resilience and perception of readiness is getting bigger

[Image: a yellow disk drive protruding from a line of drives, signifying a data backup strategy. Image credit: Getty Images]

Can your company recover after a cyber attack? Perhaps not as well as you think, according to new research from Dell Technologies.

The vast majority of organizations have a cyber resilience strategy – 99% of those surveyed, according to the tech giant – but nearly two thirds of IT leaders think their bosses are overestimating their readiness.

That hubris is what the tech giant describes as "resilience debt": the gap between what organizations believe they can recover from and what they can actually recover from.

"That mismatch isn’t an abstract philosophical disagreement – it’s a leading indicator of resilience debt," said Colm Keegan, Senior Consultant at Dell Technologies, in a blog post. "Because when leaders believe they are more prepared than they are, they stop asking the deeper operational questions."

Those questions include when the last recovery test was run, whether backups are validated or the company simply hopes they work, and whether the team has ever tried running a full restore.

Keegan argues that "recovery readiness decays unless it is actively refreshed," leaving organizations feeling prepared but caught off guard when they do fall victim to a cyber attack.

For example, backups can be corrupted or even targeted by attackers, while documentation ages out of use as staff depart or infrastructure changes.

The Dell study found that enterprises that test their recovery process monthly will have a 55% success rate, while those that test less frequently fall to 38%.

Crucially, it found that failing to recover is common. More than half (57%) of organizations surveyed said they did not recover as well as hoped following a recent incident or drill.

"That's resilience debt coming due," said Keegan.

Resilience debt vs security debt

Keegan compared resilience debt to security debt, which includes unpatched flaws or outdated policies. Recent research from Veracode shows eight-in-ten public sector organizations are leaving flaws unpatched for a year, while separate research from the security company shows remediation times have grown 47% over the last five years.

While there's no question that security debt also needs addressing, Dell is arguing that resilience debt is harder to spot and a tougher sell for companies.

"Resilience debt is more deceptive – because it remains hidden until the worst possible moment: When the organization actually needs to recover," he said.

Dell found that 78% of enterprises invest more in preventing attacks than prepping for recovery. While this is expected, Keegan said that imbalances often leave recovery “underfunded, untested, and underprioritized”.

"Prevention-only strategies don’t eliminate resilience debt; they accelerate it,” he added.

How to address resilience debt

So what should companies do to target resilience debt? Treat it as a strategic capability with board-level support, just like security, rather than an afterthought.

That idea echoes comments made by a Gartner analyst last year, who noted security leaders need to stop seeing resilience as a "tick box exercise”.

At a practical, technical level, Dell suggests that could include building "isolated cyber vaults" to protect critical data, using automated validation to test recovery, and running regular tests of recovery systems.
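The operational questions above (when the last restore was tested, whether backups are validated rather than assumed to work) and Dell's suggestion of automated validation are concrete enough to show in code. The following is an added example, not code from Dell, ITPro or the article's author: it records a checksum manifest for a backup set, validates the set against that manifest, runs a full restore drill into a scratch directory and verifies the result, and flags recovery evidence that has aged past the testing cadence. All file names, contents, dates and the 30-day cadence are constructed assumptions for the demonstration.

```python
"""Added example (not Dell's or ITPro's code): backup validation, a restore
drill and a readiness-age check. Sample files, paths and dates are constructed."""
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a checksum for every file in the backup set at backup time."""
    manifest = {p.name: sha256_of(p) for p in sorted(backup_dir.iterdir()) if p.is_file()}
    out = backup_dir / "MANIFEST.json"
    out.write_text(json.dumps(manifest, indent=2))
    return out


def validate_backup(backup_dir: Path) -> list[str]:
    """Return a list of problems; empty means every file still matches its recorded hash."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    problems = []
    for name, expected in manifest.items():
        p = backup_dir / name
        if not p.exists():
            problems.append(f"missing: {name}")
        elif sha256_of(p) != expected:
            problems.append(f"checksum mismatch: {name}")
    return problems


def restore_drill(backup_dir: Path, restore_dir: Path) -> bool:
    """Perform a full restore into a scratch location and verify it against the manifest."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    for name in manifest:
        shutil.copy2(backup_dir / name, restore_dir / name)
    return all(sha256_of(restore_dir / n) == h for n, h in manifest.items())


def readiness_status(last_successful_test: date, today: date, max_age_days: int = 30) -> str:
    """Recovery readiness decays: treat evidence older than the cadence as stale."""
    age = (today - last_successful_test).days
    return "current" if age <= max_age_days else f"stale ({age} days since last verified restore)"


def run_demo() -> dict:
    """Build a constructed backup set, validate it, drill a restore, then detect corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        backup.mkdir()
        restore.mkdir()
        # Constructed sample backup contents (assumption, not real data).
        (backup / "db.sql").write_text("CREATE TABLE accounts (id INT);\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")
        write_manifest(backup)
        clean = validate_backup(backup)
        restored_ok = restore_drill(backup, restore)
        # Simulate silent corruption of one backup file after it was written.
        (backup / "db.sql").write_bytes(b"\x00" * 16)
        corrupted = validate_backup(backup)
    return {
        "clean_problems": clean,            # []
        "restore_ok": restored_ok,          # True
        "corrupted_problems": corrupted,    # ["checksum mismatch: db.sql"]
        "status_fresh": readiness_status(date(2024, 1, 10), date(2024, 1, 20)),
        "status_stale": readiness_status(date(2023, 9, 1), date(2024, 1, 20)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the drill function is that it restores into a separate location and re-hashes what came back, rather than trusting that the backup job reported success; the readiness check turns "when did we last prove this works?" into a value that can be monitored and alerted on.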

As with security debt, the good news is that enterprises can make headway in addressing the problem. But progress on this front depends on swift action, according to Keegan.

"Resilience debt is real. But it’s not irreversible."

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.