Fresh Thoughts #96: Robust or Resilient?

salt marsh

Words sprinkled into IT presentations and marketing to give a sense of warmth and safety.

I hadn't thought much about it until Dave Snowden posed the question:

What's the difference between a sea wall and a salt marsh? Both stop coastal flooding...

Paraphrasing his idea:

A sea wall is robust. It works well until it fails - and then it becomes more of a hindrance than a benefit.

In contrast, a salt marsh is resilient. It maintains its identity over time. Whether the marsh is flooded or dry - it's still a salt marsh.

This distinction made me pause and consider different cybersecurity tools and techniques.

Which are robust - but lose their effectiveness when breached?
And which maintain their effectiveness and even adapt when parts of the system are compromised?

Robust Defences

For years, we have known firewalls can be easily bypassed. A click on a phishing link bypasses all firewall protections - because the request came from inside the business.

Similarly - last week, I read about the trouble Baracuda email security gateways have preventing internal name spoofing and CEO fraud. As the email security gateway is placed on the network's edge, they don't inspect emails sent within a business - creating a security loophole.

These are robust approaches to security.
Great until they don't work.

But are there resilient approaches?

Resilient Defences

Backups immediately came to mind. If restoring from one backup fails - use the next one...

In the event of a failure, the data may not be as current - but at least we aren't starting from nothing.

Similarly, separate guest, staff, and device management into different network segments - in the event of a failure in one segment, the other networks are not automatically compromised.

As I thought more, a trend appeared. Over the last decade, we started moving from robust to resilient security.

The firewalls of old are being replaced with zero-trust architectures - where no devices are trusted, and access rights are continually verified.

That is not to say that robust defences have no merit.

Robust defences are the foundation of a secure infrastructure.
But they should not be the focus of attention.

Robust vs. Resilient Technologies

As I started listing robust vs. resilient technologies, some counterintuitive highlights emerged in each list.

  • Multi-factor authentication (MFA)
  • Encryption
  • Physical security controls
  • Antivirus and anti-malware
  • VPNs and secure Wifi

...all robust.

  • Network segmentation
  • Zero-trust architecture
  • Security awareness training
  • Mobile Device Management (MDM)
  • Continuous monitoring and auditing

...all resilient.

Final Thoughts

Thinking about robust and resilient technologies provides a new lens through which to view IT and cybersecurity spending.

There isn't always space for a resilient salt marsh, so a mix of approaches is needed.

December 12, 2023
2 Minutes Read

Related Reads

motion blur of people walking in an underground station

Fresh Thoughts #27: Resilience: Keeping the Lights On and the Business Moving

"Never say - redundant. It implies unnecessary. And there's no budget for unnecessary." I was told this 3 days into my cybersecurity career.

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868