The Entropy Podcast

Is Your Cyber Recovery Plan Just Fiction? with Francesco Chiarini

Francis Gorman, Season 2, Episode 26

In this episode of the Entropy Podcast, Francis Gorman speaks with Francesco Chiarini about why cyber resilience must go far beyond traditional cybersecurity, backups, and compliance checklists.

Francesco breaks down the uncomfortable reality that many organisations are not as recoverable as they think. From ransomware spreading at scale to compromised identity systems, encrypted tooling, failed assumptions, and board-level misunderstandings, this conversation explores what really happens when the worst-case cyber scenario becomes real.

The discussion covers cyber resilience versus cybersecurity, APT-grade attacks, out-of-band communications, crisis operating models, data vaulting, DORA, recovery planning, minimum viable organisations, and why resilience has to be designed before disaster strikes.

This is a direct, practical conversation about building organisations that can continue operating when the normal playbook no longer works.

Key Takeaways

Cyber resilience is not the same as cybersecurity. Cybersecurity focuses heavily on prevention and protection; cyber resilience asks whether the organisation can still operate, recover, and adapt when prevention fails.

Backups alone do not equal resilience. Francesco warns that recovery depends on architecture, governance, people, tooling, identity, sequencing, and validated operating models, not just stored copies of data.

Organisations need to stress-test their assumptions of recoverability. If Active Directory, communications, patching tools, or recovery platforms are compromised, the real question is: what still works?

Boards often misunderstand resilience as a technology problem. Francesco argues that technology matters, but cyber resilience also requires clear accountability, capability maturity, skilled teams, and rehearsed decision-making.

Cyber recovery investment is often too low. Many organisations spend heavily on prevention, detection, and protection, while underinvesting in recovery capabilities and last-resort operating models.

Data vaulting and isolated recovery are essential, but incomplete on their own. They must sit inside a wider cyber resilience strategy that includes threat modelling, minimum viable operations, interoperability, deception, and recovery sequencing.

Soundbites

“Your cyber recovery plan is only real if it still works when everything around it has failed.”

“Backups are not resilience. They are only one piece of the survival plan.”

“The worst time to design recovery is during the incident.”

“Cyber resilience starts where cybersecurity assumptions break.”

“If your identity stack, tooling, and communications are gone, what still works?”

“Being compliant does not mean being resilient.”

“Recovery is not just a technology problem. It is an organisational capability.”

“Most companies know how to prevent. Far fewer know how to restart.”