
Time-to-Recovery definition

by Mark Rowe

The recovery game has changed, but most organisations are still playing the old one, says Richard Cassidy, CISO at the platform Rubrik

For years, enterprise security has been built around a single question: how quickly can you detect a threat? Mean Time to Detect became the gold standard. Frameworks like MITRE ATT&CK reinforced a detection-first logic focused on identifying attack patterns, surfacing indicators and responding before damage spreads, which was a logical approach for a threat landscape that moved at a human pace.

That landscape no longer exists. Recent developments have made this shift impossible to ignore. In April, Anthropic disclosed Claude Mythos Preview, an AI system capable of identifying thousands of previously unknown vulnerabilities and generating working exploits with extraordinary speed and accuracy. What once took skilled attackers weeks or months can now happen in hours or less. Detection remains necessary, but when attacks are created and executed at machine speed, it no longer wins the war on its own.

Measuring what matters

The metric that now defines enterprise security is Time-to-Recovery (TTR): how long it takes an organisation to restore a clean, stable and verifiably trustworthy operating environment after a breach. TTR does not mean how quickly an alert is raised or how fast the initial response is mobilised. It is the length of time it takes for the business to be fully operational again, with confidence that what has been restored is genuinely clean and uncompromised.

Most organisations cannot answer that question. Not because it hasn’t been asked, but because it has never been tested. Recovery plans exist on paper, but the real test is whether they work under pressure, at speed, with the dependencies and constraints that only surface during a live incident. In many cases, the honest answer is that nobody knows until an attack takes place.

The cost of not knowing what’s at stake

The consequences of that uncertainty are significant. Research shows that 43% of organisations would take 25-48 hours to restore their identity infrastructure after a compromise. For any modern enterprise, where identity underpins almost every system and transaction, that delay translates directly into financial loss, operational disruption and regulatory exposure. In a world shaped by AI-driven threats, those timelines are even more dangerous. When the window between vulnerability discovery and exploitation collapses from weeks to minutes, as emerging research suggests, downtime becomes a question of ‘when’, not ‘if’.

A week of halted production, locked data or inaccessible systems is not a theoretical scenario, but a board-level crisis, which raises questions about leadership, preparedness and accountability. According to Rubrik Zero Labs research, more than a third of major cyber incidents lead to C-suite changes within months. The incident may trigger the fallout, but recovery capability often determines its severity.

Rethinking resilience

This has direct implications for how organisations prioritise security investment. Prevention remains essential, and controls such as firewalls, endpoint protection and vulnerability management are foundational. But they are no longer sufficient as the primary line of defence. When attackers can identify and weaponise weaknesses faster than defenders can patch them, resilience is defined by how quickly you can recover, not by whether you can prevent every intrusion.

This means investing in capabilities that ensure systems can be restored quickly and safely, including immutable backups that cannot be altered, isolated recovery environments that prevent reinfection, and orchestrated workflows that reduce manual intervention under pressure. Critically, businesses must have regular testing that produces a realistic, evidence-based TTR. The organisations gaining an advantage are those that have elevated TTR from a technical metric to a board-level KPI. Leadership does not need to understand the mechanics of immutable storage, but it does need to understand how long the business can tolerate disruption, which services need to be restored first, and whether those assumptions have been validated under realistic conditions.
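To make the board-level questions above concrete, here is an added example of a recovery-drill model in Python. It is not code from the article, from Rubrik or from Richard Cassidy; the services, their dependencies, the restore and verification durations, the detection time and the snapshot contents are all constructed assumptions. The model restores services in dependency order (identity before anything that authenticates against it), refuses any snapshot whose content no longer matches the digest recorded at backup time (the property immutable backups are meant to guarantee), and reports a TTR measured from the start of the incident rather than from detection, together with the critical path that tells leadership which services gate everything else.

```python
"""Recovery-drill model: derive an evidence-based Time-to-Recovery (TTR) from a
dependency-ordered restore plan. Added illustration only; every service, duration
and snapshot below is constructed, not real infrastructure or vendor data."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    depends_on: tuple[str, ...]
    restore_minutes: int   # time to bring the service back from its snapshot
    verify_minutes: int    # post-restore health and integrity checks


@dataclass(frozen=True)
class Snapshot:
    service: str
    payload: bytes          # stand-in for the backup image (constructed)
    recorded_sha256: str    # digest written to immutable storage at backup time


def make_snapshot(service: str, payload: bytes) -> Snapshot:
    return Snapshot(service, payload, hashlib.sha256(payload).hexdigest())


def snapshot_is_clean(snap: Snapshot) -> bool:
    """True only if the snapshot content still matches its recorded digest."""
    return hashlib.sha256(snap.payload).hexdigest() == snap.recorded_sha256


def find_tampered(snapshots: dict[str, Snapshot]) -> list[str]:
    """Names of snapshots that fail the integrity check, in sorted order."""
    return sorted(n for n, s in snapshots.items() if not snapshot_is_clean(s))


def restore_order(services: dict[str, Service]) -> list[str]:
    """Kahn's algorithm: every service appears after all of its dependencies."""
    remaining = {n: set(s.depends_on) for n, s in services.items()}
    order: list[str] = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        for n in ready:
            order.append(n)
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


def run_drill(services: dict[str, Service], snapshots: dict[str, Snapshot],
              recovery_start_minutes: int) -> dict:
    """Simulate an orchestrated restore in which each service starts as soon as
    all of its dependencies are restored and verified. Times are minutes from
    the start of the incident, so the result is TTR, not time since detection."""
    bad = find_tampered(snapshots)
    if bad:
        raise RuntimeError(f"snapshots fail integrity check, refusing to restore: {bad}")
    finish: dict[str, int] = {}
    via: dict[str, str | None] = {}   # the dependency that gated each service
    for name in restore_order(services):
        svc = services[name]
        gate, via[name] = recovery_start_minutes, None
        for dep in svc.depends_on:
            if finish[dep] > gate:
                gate, via[name] = finish[dep], dep
        finish[name] = gate + svc.restore_minutes + svc.verify_minutes
    last = max(finish, key=finish.get)
    path = [last]
    while via[path[-1]] is not None:
        path.append(via[path[-1]])
    return {"ttr_minutes": finish[last], "finish": finish, "critical_path": path[::-1]}


# Constructed drill inputs: a small estate where identity underpins most services.
SERVICES = {
    "network":  Service("network",  (),                       30, 15),
    "identity": Service("identity", (),                       60, 30),
    "database": Service("database", ("identity", "network"), 120, 30),
    "email":    Service("email",    ("identity",),            60, 15),
    "app":      Service("app",      ("database", "identity"), 45, 15),
}
SNAPSHOTS = {n: make_snapshot(n, f"backup-image-of-{n}".encode()) for n in SERVICES}
MTTD_MINUTES = 20   # constructed: incident detected 20 minutes after it began

if __name__ == "__main__":
    result = run_drill(SERVICES, SNAPSHOTS, MTTD_MINUTES)
    print(f"MTTD: {MTTD_MINUTES} min, TTR: {result['ttr_minutes']} min")
    print("critical path:", " -> ".join(result["critical_path"]))
    for name, t in sorted(result["finish"].items(), key=lambda kv: kv[1]):
        print(f"  {name:<9} verified at {t:>4} min")
```

Run as-is, the drill reports a TTR of 320 minutes against an MTTD of 20, with identity, database and app on the critical path; the gap between the two numbers is the point the article makes, and the critical path is what answers "which services need to be restored first". Replace a snapshot's payload without updating its recorded digest and the drill refuses to run, which is the behaviour an isolated recovery environment backed by immutable copies should exhibit before anything is brought back online.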

After all, there is a fundamental difference between a recovery plan that looks complete on paper and one that works at 3am during a live incident. Most organisations only discover that gap once.

A new measure of security

The organisations that will navigate the current threat landscape with confidence are not necessarily those with the most sophisticated detection capabilities. They are the ones that can recover fastest, limit the impact of disruption and prove that their restored environment is clean and trustworthy. That, rather than the ability to rapidly detect and then react to a threat or attack, is what true preparedness looks like. Cyber attack simulations are an important step in preparedness best practice; those who know the speed at which operations can recover will be the ones best prepared.

TTR is not just a technical metric; it is the manifestation of how seriously an organisation takes its own resilience. In an environment where AI has fundamentally changed the economics and speed of cyber attacks, it is increasingly the measure by which that seriousness will be judged by your board, your customers, and ultimately your regulators.