Skip to main content

Knowledge Hub

New page title image

Front and Centre: The New Urgency of Cyber Resilience

5 min read
Front and Centre: The New Urgency of Cyber Resilience
Image Source: Canva

If recent conflicts around the globe have made one thing clear, it is that resilience of critical infrastructure has moved from nice-to-have to “front and centre,” observed Andre Shori, the APAC Cybersecurity VP and CISO at Schneider Electric, in an interview with GovWare.

Such attacks, he noted, are not random retaliation but “part of the overall tactics and strategy” of those involved. With this in mind, how is this development changing the conversation in boardrooms and government agencies?
 

Shifting Tides

For Shori, the conversation starts with recognising that the threat actors themselves have changed. Instead of financially motivated attackers seeking a payday, organisations and governments are now contending with nation-state actors with substantially greater resources, far more sophisticated playbooks, and opaque policy objectives.

Attacks on critical infrastructure also have a public-facing dimension, where confidence in essential services matters as much as technical recovery. For Shori, this makes communications and response planning just as critical as prevention. Governments need to assume that some attacks will get through and focus on how they demonstrate preparedness, transparency, and effective remediation when incidents occur – the factors that ultimately shape public trust.

This ties back to his earlier point about resilience no longer being a nice-to-have; the challenge has evolved beyond a purely technical one into a matter of governance.

“Cyber resilience is becoming a governance topic and an operational requirement.”
Andre Shori, APAC Cybersecurity VP and CISO, Schneider Electric


In other words, it now sits alongside business continuity and national strategy, not just in the IT department.

Yet despite this shift, Shori argues that the fundamentals haven't changed, and that practitioners should hold steady to the basics: “The one thing that we have to cling on to as practitioners is really our fundamentals – understanding the systemic risk, assessing the operational impact, prioritising your controls, making sure that you have informed threat defence.”

He summed up those fundamentals simply: “Hope for the best, prepare for the worst, and protect your crown jewels, protect your essential services.”
 

You Can’t Protect What You Can’t See

Where can government agencies start when it comes to protecting the infrastructure that underpins daily life? Shori suggests that one of the biggest challenges remains visibility. Organisations and even nations don't always have an accurate picture of what they're protecting or how systems depend on each other.

“Having a unified national asset inventory would be really good. And then once you have that, understanding the dependencies, co-dependencies, and having good collaboration with the operators to tell you, from their perspective, what's the most important thing to protect.”

Given the complexity and diversity of modern infrastructure, this shouldn't be limited to Operational Technology (OT) either, but extend across IT systems, IoT appliances, and cloud deployments. With so many interconnected systems, gaps in coverage become harder to catch and easier to exploit. “You can protect bits and pieces here and there, but the pieces that you're not protecting – are they really as unimportant as you think they are?”

When it comes to legacy systems, surely the simplest solution is to replace them? Not so fast, says Shori. These systems remain because they're still generating returns: “These systems make money. They support their long-term investment, and they're continuing to pay off. The ROI for many of these is not even being reached yet.”

Then there's the practical reality: “You can't replace them. You can't patch them. In many cases, the original OEM has gone out of business.” Even if replacement were an option, the undertaking would be enormous.
 

Where Resilience Gets Real

But if replacing legacy systems isn't realistic, what can organisations do differently going forward? In the near term, organisations must find ways to manage the risk these systems pose, whether through network segmentation, monitoring, or compensating controls. But in the longer term, Shori believes the answer lies not in technical controls but in Secure by Design: this must become the universal standard to enable a gradual transition to more resilient and secure technologies.  

This means thinking beyond whether a system is secure at deployment and asking whether it can remain secure over time, especially as threats loom on the horizon. Resilience also depends on good intelligence. Shori applauded Singapore's move to share threat intelligence with Critical Information Infrastructure (CII) operators but cautioned that raw intelligence can be “a tsunami” if it isn't filtered and mapped to specific assets. 

Effective threat-informed defences require two-way information sharing: government and operators must both exchange intel, since each detects unique threats. Proper bi-directional sharing greatly enhances security. When both parties actively share threat intelligence, they can respond faster and more accurately to emerging risks.  

However, establishing trust and secure channels for exchanging sensitive data can be challenging. By overcoming these barriers, organisations and nations are better equipped to coordinate responses, anticipate future attacks, and foster a culture of collaboration that strengthens overall cyber resilience.  

Nevertheless, despite the widespread adoption of secure-by-design principles and effective intelligence sharing within the industry, breaches remain inevitable. This exposes perhaps the most overlooked gap in resilience: recovery. On this, Shori notes that crisis simulations routinely practise incident handling and communication, but almost never test whether interdependent systems can actually recover together. 

He recalled a crisis simulation where plans were in place to ship replacement parts to a breached CII site. Except that the attack also “took down the traffic light system, so there's no transportation.” If interconnected systems fail simultaneously, can any single entity actually recover on its own? Without testing these scenarios collectively, Shori warns, “we'll be caught completely off guard.” 

Because resilience isn't just about preventing breaches or detecting them faster. It's about making sure that when things go wrong, everything that depends on everything else can actually come back.

 

View All Articles
Loading
GW26_Early Bird Last Call

Last Chance For Early Bird Savings!


Enjoy Early Bird rates from now until 31 July 2026
20% OFF Full Conference Passes
30% OFF Group Bookings (3+ Passes)

Secure Your Pass Now