2011 could very well be called the “Year of the Cyber Attack,” given the thousands of reported and unreported hacking events. There is no doubt that the cyber threats facing governments and companies have increased, but they have been met by a host of powerful new ways to respond to them. As a body responds to sickness, industry and government have been working hard to build immunity, with varying degrees of success.

Virtualization and cloud strategies now allow large and small companies to manage their data architecture with a flexibility that was impossible a few years ago. New collaboration software allows them to share documents more reliably on secure storage spaces. Modern data centers allow them to make their data continuously available to those who should have access to it, and invisible to those who don’t. The exponential growth of mobile devices drives an exponential growth in security risks.

A well-trained workforce familiar with cyber security issues can help companies train for emergencies, respond effectively and learn from their experiences. A truly resilient enterprise dynamically innovates and changes its practices, policies, and processes, both in response to changing threats from the outside and changing requirements from the inside.

Resilience is achievable, but companies will have to change the way they operate to reach their goals. Resilient companies are stronger companies. By addressing the resilience challenge, businesses can provide the trustworthiness and reliability their customers expect and deserve.

But how willing are executives to embrace this resilience change? In a research program sponsored by Booz Allen Hamilton, The Economist Intelligence Unit conducted a global survey of 387 executives to assess attitudes toward cyber security, and their progress towards implementing resilience strategies.

Nearly half (48%) of survey respondents are board members or C-level executives, including 92 CEOs. The respondents are based in Asia-Pacific (29%), North America (26%), Western Europe (26%), Latin America (9%), Middle East and Africa (7%) and Eastern Europe (3%). Over half of the survey respondents (55%) work for companies with global annual revenues exceeding US$500 million. Nineteen different industries are represented in the survey sample, including financial services (20%), professional services (14%), energy and natural resources (12%), information technology (IT) and technology (10%), and manufacturing (8%).

The result? The survey paints a mixed picture about the current state of corporate and government cyber security strategies:

  • 53% of the survey’s respondents said their organization has a cyber security strategy already in place.
  • 33% of respondents admitted they had no cyber resilience strategy in place, and 14% were unsure.
  • Executives believe both their organizations and their governments could devote more resources to security issues: Some 67% say their organization needs to pay more attention to cyber risks, and less than one-quarter (23%) think their government is doing enough to promote cyber resilience.
  • Although 87% of respondents believe improved understanding should come from a greater partnership between government and private industry, far fewer (36%) believe government should actually take the leadership role for maintenance of cyber security.

From the survey we can see that the new attitude toward resilience accepts that companies cannot achieve perfect security or absolute continuity. We are seeing businesses moving away from the “bunker mentality” that encouraged them to retreat behind so-called “hardened endpoints.” Instead of aiming for a security standard that is impossible to achieve, they should focus on balancing resilience with productivity.

In addition, organizations can improve resilience by improving their critical data centers and by making access to their systems more secure. Virtualization strategies and off-premise cloud architectures enable these data centers to be more secure than ever. Resilience should be about making data continuously available to those who should have access to it, and invisible to those who don’t.

Finally, a truly resilient enterprise dynamically innovates and changes its practices, policies, and processes, both in response to changing threats from the outside and changing requirements from the inside. Organizations must accept that data are protected by people, not machines, and their cyber security training has to be a corporate priority.

To improve resilience, executives around the globe must enable and educate their workforce.

Roger Cressey is a senior vice president with Booz Allen Hamilton, where he supports the firm’s cyber security business. He was deputy for counterterrorism, National Security Council, at the time of the Sept. 11, 2001 attacks, and was featured in a recent story on Breaking Gov.