How Critical Infrastructures are Forcing Cybersecurity’s Evolution
By Alain Sanchez, EMEA CISO, Fortinet
Meeting after meeting, keynote speech after keynote speech, I realize that the pursuit of 100% prevention has become an anachronism. The combination of systemic complexity, the exponential acceleration of AI-driven threats, and the sophistication of nation-state-level attacks makes the total avoidance of incidents not only an impossibility but a dangerous concept.
For the modern Chief Information Security Officers (CISOs) and the executive leadership they serve, this is a sobering truth that necessitates a fundamental shift in strategy: the evolution from a singular focus on security to a comprehensive commitment to resilience.
Security, in its traditional sense, creates a false sense of protection—a fortress mentality designed to keep the adversary out. Resilience, by contrast, is about ensuring operational continuity when the walls have been, even slightly, breached. It carries a bit more modesty: it acknowledges that a breach is inevitable and that the true measure of success lies in the speed and efficacy of the recovery.
More pragmatically, this new paradigm of resilience is defined by three core capabilities, which shift the focus from the perimeter to the core mission:
- Anticipatory Response: This isn’t just about spotting bugs; it’s about learning from a live attack as it happens. The idea is to use the attacker’s own moves to understand and respond to their attack in real-time. By connecting the dots, this posture can predict where the system might fail next and have recovery tools ready to go before the damage spreads.
- Managed Degradation: This is the ability of an organization to maintain a limited, well-defined set of critical services while assuming that other parts of the network might be compromised. It is the strategic decision to operate in a “degraded state,” ensuring that the most vital functions—be they financial transactions, power grid control, or patient care—remain operational, even if at reduced capacity.
- Rapid Restoration: The focus shifts from “if we are ever hit” to “how fast can we bounce back.” This capability is measured by the Recovery Time Objective (RTO) and is underpinned by immutable data backups and robust, tested recovery playbooks.
The Critical Infrastructure Imperative: From Choice to Legal Obligation
While the shift to resilience is a trend for most organizations, it is rapidly becoming a legal and regulatory obligation for those operating Critical Infrastructure (CI). Critical Infrastructure encompasses the assets, systems, and networks—whether physical or virtual—that are considered so vital to a government that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health, or safety.
Historically, governments have set security standards for CI. However, the new resilience mandate represents a profound shift in the social contract between government and private entities that manage these vital systems. Governments are now declaring that the ability to withstand and recover from disruption is a matter of national security, thereby assigning the obligation to be resilient to the private operators.
Cloud Sovereignty and Local Control
The concept of resilience is now inextricably linked to technological independence and the definition of “local control.” To meet the stringent requirements of the DNA and CSA2, new infrastructure models are emerging:
- Sovereign Cloud Partitions: Cloud providers are launching environments that are physically and logically isolated, with governance structures shielded from foreign jurisdictions. One example is the AWS European Sovereign Cloud, where the management console, Identity and Access Management (IAM), billing, and executive management team are guaranteed to be located entirely within the EU. This ensures that the control plane for critical data remains within the required legal and physical boundaries.
- Sovereign Edge Computing: Telecommunications companies are integrating security and processing directly at the network edge. This model ensures that sensitive industrial data is processed locally before reaching the public internet, enforcing both managed degradation and data sovereignty simultaneously.
Global Drivers and the Market Response
The regulatory push is mirrored by a strong economic consensus. At the World Economic Forum’s annual meeting in Davos, Fortinet executives discussed this evolving landscape. The WEF’s 2026 report indicates that 92% of CEOs now prioritize cyber recovery capabilities over traditional perimeter defense spending. This shift in executive focus is expected to drive major market changes:
- Insurance Transformation: Major cyber-insurers have begun implementing “Resilience Audits.” Premiums are no longer calculated solely on the occurrence of a breach but are increasingly tied to a company’s Recovery Time Objective and the immutability of its data. This financial incentive is pushing organizations to invest in recovery frameworks that can be quantitatively measured and validated.
- The OECD Governance Framework: The Organisation for Economic Co-operation and Development has emphasized that ensuring critical infrastructure resilience requires new governance models that limit service disruptions and promote cross-sector collaboration. These frameworks encourage redundancy, incident reporting, and infrastructure sharing at a national level.
The Technological Frontier: Autonomous Resilience
The technological response to the resilience mandate is emerging through Autonomous Resilience Agents and self-healing networks. These tools go beyond simple blocking mechanisms. Instead, they allow suspected attacks to proceed in sandbox environments where the system can automatically generate and distribute immunity signatures across the entire infrastructure.
This AI-driven approach reflects the resilience philosophy: rather than merely failing to prevent an attack, the system uses the attack itself as a learning opportunity to adapt and restore operations rapidly. It represents the practical application of managed degradation, turning a localized compromise into a broader defensive advantage.
Conclusion: The Architect of Continuity and Control
The shift from traditional security to resilience, combined with the growing mandate for technological sovereignty, represents a profound philosophical and operational transformation. For critical infrastructure operators, resilience has become a fundamental cost of doing business, reinforced by government regulation and economic realities.
However, regulation alone cannot achieve this transformation. Success depends on deep public-private partnerships that combine government security intelligence with the operational expertise of private sector operators. These collaborations ensure that sovereignty mandates remain both technically feasible and economically sustainable.
The resilience model can be compared to immunization. Just as a body learns to defend itself by being exposed to a controlled version of a virus, a resilient enterprise uses cyberattacks as learning events. Rather than viewing a breach solely as a failure, the organization leverages it to strengthen defenses and refine recovery strategies.
In this evolving landscape, the role of the CISO is transforming. No longer simply the guardian of a digital fortress, the CISO becomes the architect of continuity. The mission is not to prevent every attack—an increasingly impossible task—but to design systems that can absorb shocks, adapt rapidly, and restore operations within legally defined sovereign boundaries.
In today’s increasingly complex threat environment, the most resilient and sovereign organizations will be those capable of withstanding disruption, learning from incidents, maintaining their most critical functions, and moving forward with minimal interruption.
