Features 18.02.2026

Security and Continuity: How a Minimum Viable Company Posture Can Help CISOs

For a growing number of organisations, the concept of a minimum viable company (MVC) has become essential following the recent wave of high-profile cyber attacks

When crisis erupts, it pays to have a plan. Fail to prepare for a worst-case scenario, and the results could be catastrophic. But what does good planning look like in 2026? Phil Muncaster presents the concept of minimum viable company (MVC)

Sixty-second snapshot.

  • Minimum viable company (MVC) planning is an increasingly popular way for organisations to enhance resilience in the event of a major cyber incident
  • MVC defines the minimum number of services, processes and infrastructure required to preserve financial viability, strategic value and regulatory compliance during a crisis
  • CISOs must work closely with the business to gain sponsorship, define what “viability” means, and understand how long the MVC needs to operate for
  • Next, define essential services and their related infrastructure, access and data requirements
  • Work with business leaders to understand how these services could run during disruption (manual workaround, alternative suppliers, or recovery)
  • Consider zero-trust to boost cyber resilience
  • Agree recovery sequencing for different scenarios
  • Continuously test, monitor and update programmes and integrate into existing resilience programmes


Jaguar Land Rover (JLR) must have had some kind of disaster recovery/business continuity (DR/BC) strategy. Yet it dissolved on contact with reality. A five-week suspension of vehicle production following a ransomware breach ended up costing the UK economy an estimated £1.9bn.

For a growing number of organisations, the answer is to plan around the concept of a minimum viable company (MVC). By defining essential services and infrastructure and identifying key dependencies, it’s possible to take a more mature, pragmatic approach to cyber resilience.

Outages take their toll

Any executive who still believes cybersecurity is strictly an IT matter should cast their eyes over the past year. Aside from JLR, ransomware attacks on Marks & Spencer and The Co-operative Group led to bare shelves in-store and, in the case of M&S, a complete halt to online operations for over three months. Supply chain risk also caused significant damage. A ransomware attack on a little-known aviation software provider in March caused chaos at Heathrow and other European airports.


Disruption isn’t always caused by cybersecurity issues. As IT operations grow in complexity and more organisations adopt digital-first business models, mass outages become inevitable. All three of the hyperscaler giants suffered massive, platform-level incidents in 2025 that impacted millions of users globally. AWS users were disrupted for 15 hours in October due to a DNS error, while the same month a faulty configuration change impacted Azure customers for eight hours. In June, a malfunctioning policy update caused service outages at Google Cloud.

A skeleton plan to boost resilience

The idea behind an MVC strategy is to promote resilience as a boardroom priority, according to PwC. It’s a message the National Cyber Security Centre (NCSC) is also trying to get through to the C-suite.

“You must have a plan for continuity. You must know how to keep going should an attack get through,” said NCSC CEO, Richard Horne, at the launch of the agency’s Annual Review last year. “If your IT infrastructure was crippled tomorrow and all your screens went blank, could you run your payroll systems? Or keep your machinery working? Or stock your shelves? If the answer is ‘no’, or more likely ‘don’t know’, act now.”

In this regard, MVC works by defining the bare minimum an organisation needs from a people, process and technology perspective to stay afloat during a crisis. It includes the business-critical applications, infrastructure, staff and workflows needed to keep the company not just operational, but also financially viable.

Don’t confuse it with business continuity/disaster recovery (BC/DR). It is more IT-centric than that, says Guido Grillenmeier, principal technologist EMEA at Semperis.


“Planning the MVC is not about a particular service, nor a single building going down, but the whole company’s survival being in danger and the need to ‘reduce to the max’, by knowing which services are actually needed most urgently to survive a true crisis,” he tells Assured Intelligence. “It’s similar to how the human body functions, when endangered by cold temperatures. It will always prioritise protecting the most vital organs, including the heart, lungs and brain.”

No two organisations are the same, which is why MVC planning is so important. But most would typically need the same underlying infrastructure to remain operational. This could include a corporate network, a communications system, Active Directory or a similar system, and physical/virtual servers to host operationally critical applications and related databases, says Grillenmeier.

It is these apps where organisations will differ most. A retailer may prioritise point of sale systems, whereas a hospital may need to ensure electronic health records are accessible, for example. Organisations may also need to identify which parts of their supply chain are most critical to maintaining minimum viable services.

Accelerating recovery

When a crisis hits, the hope is that anything deemed MVC would be insulated from attack, or at least recoverable and restored rapidly. Then the organisation can focus on rebuilding its other operations with as little impact on the bottom line and brand reputation as possible. Organisations that don’t plan, test, and embed their MVC strategy risk a slower, more fragmented recovery and a larger financial/reputational impact.

“MVC is about short-term enterprise survival,” PwC cyber, data and tech risk leader, Avinash Rajeev, tells Assured Intelligence. “It defines the absolute floor below which the company cannot fall and provides a sequenced recovery approach to keep operating at that minimum level until broader recovery is possible.”

Getting started

CISOs should be the driving force behind MVC strategy. But they can’t do it alone, Rajeev argues. “The reality is that MVC requires top-down sponsorship and a close partnership between the business, technology, risk, and operations,” he continues. “CIOs or CISOs will not be successful taking this on alone – it requires clear co-sponsorship with the business.”

However, the first practical step in building an MVC strategy should be to define what “viability” means. “That includes agreeing which outcomes truly matter in a crisis: revenue preservation, customer obligations, regulatory requirements, liquidity, staff safety, and so on,” Rajeev says. “Then it’s about identifying the very small set of services that must continue to achieve those outcomes. If robust operational resilience work already exists, CISOs can leverage that mapping rather than starting from scratch.”


Time should be the next consideration. That means working with business leaders to determine how long the organisation needs to operate in its minimum viable state – be it days, weeks, or even longer. “This drives every design decision that follows,” argues Rajeev.

Then the focus must shift to design. “Work with business leaders to determine how those critical services could function during disruption: through manual workarounds, alternative suppliers, or technology-enabled recovery environments,” says Rajeev. “Just as important is agreeing recovery sequencing – what gets stood up first, second and third – across realistic scenarios such as ransomware or infrastructure failure.”
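The steps above (identify the essential services and their dependencies, agree how long the organisation must run in its minimum viable state, then agree recovery sequencing) can be made concrete in a small planning script. The following is an added example written for this article, not code from PwC, Semperis, Stratascale or anyone quoted here; the service catalogue, its dependencies and the recovery-hour figures are constructed assumptions, and the generic infrastructure entries (network, identity directory, communications, servers) mirror the list Grillenmeier gives above. It derives the full set of services the MVC actually needs, flags dependencies that were never marked as MVC-critical, orders recovery into waves with a topological sort, and checks the critical-path recovery time against the agreed operating window.

```python
"""Recovery sequencing for a minimum viable company (MVC) service set.

Added example, not from the article or from any organisation quoted in it.
The catalogue below is constructed for illustration: service names,
dependencies and recovery-hour estimates are assumptions, not page data.
"""
from collections import defaultdict

# Constructed catalogue: service -> (flagged_as_mvc, recovery_hours, dependencies)
# "virtual_servers" is deliberately left unflagged although critical_db needs it,
# to show how the closure step surfaces a planning gap.
SERVICES = {
    "corporate_network":  (True,  4,  []),
    "identity_directory": (True,  6,  ["corporate_network"]),
    "comms":              (True,  2,  ["corporate_network", "identity_directory"]),
    "virtual_servers":    (False, 8,  ["corporate_network"]),
    "critical_db":        (True,  6,  ["virtual_servers", "identity_directory"]),
    "point_of_sale":      (True,  3,  ["critical_db", "comms"]),
    "hr_portal":          (False, 5,  ["identity_directory", "virtual_servers"]),
    "analytics":          (False, 12, ["critical_db"]),
}


def mvc_closure(services):
    """Return every service the MVC really needs (flagged services plus all
    transitive dependencies) and the dependencies that were never flagged.
    An unflagged dependency of an MVC service is a gap in the plan."""
    required = set()
    stack = [name for name, (flagged, _, _) in services.items() if flagged]
    while stack:
        name = stack.pop()
        if name in required:
            continue
        required.add(name)
        stack.extend(services[name][2])
    unflagged = sorted(n for n in required if not services[n][0])
    return required, unflagged


def recovery_waves(services, required):
    """Order the required services into recovery waves (Kahn's topological
    sort): each wave holds services whose dependencies are all restored.
    Services in one wave are assumed to be restored in parallel, so the
    critical path is the latest finish time. Raises on a dependency cycle."""
    indegree = {n: 0 for n in required}
    dependents = defaultdict(list)
    for n in required:
        for dep in services[n][2]:
            indegree[n] += 1
            dependents[dep].append(n)
    ready = sorted(n for n in required if indegree[n] == 0)
    finish = {}  # earliest hour at which each service is back
    waves = []
    while ready:
        waves.append(ready)
        next_ready = []
        for n in ready:
            start = max((finish[d] for d in services[n][2]), default=0)
            finish[n] = start + services[n][1]
            for child in dependents[n]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    next_ready.append(child)
        ready = sorted(next_ready)
    if len(finish) != len(required):
        stuck = sorted(n for n in required if n not in finish)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return waves, max(finish.values())


def plan(services, window_hours):
    """Build the recovery plan and check it against the agreed MVC window."""
    required, unflagged = mvc_closure(services)
    waves, critical_hours = recovery_waves(services, required)
    return {
        "waves": waves,
        "critical_hours": critical_hours,
        "fits_window": critical_hours <= window_hours,
        "unflagged_dependencies": unflagged,
    }


if __name__ == "__main__":
    result = plan(SERVICES, window_hours=24)  # 24h window is an assumed target
    for i, wave in enumerate(result["waves"], 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("critical path (h):", result["critical_hours"])
    print("fits window:", result["fits_window"])
    print("unflagged dependencies:", result["unflagged_dependencies"])
```

Running it places the corporate network first, the directory and servers second, communications and the critical database third, and point of sale last, with a 21-hour critical path that fits a 24-hour window but not an 18-hour one. The "unflagged dependencies" line is the check a CISO wants from this exercise: it shows that the business marked point of sale as essential without marking the server platform it depends on, which is exactly the kind of mapping gap the design step is meant to close before a crisis rather than during one.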

However, MVC is about more than just promoting rapid recovery and restoration of critical services, argues Stratascale CISO, Casey Corcoran. He tells Assured Intelligence that it should also include “narrowly scoped resilience measures” such as zero-trust micro-perimeters to neutralise breaches and prevent revenue-generating operations from going down in the first place.

“Security architects and engineers must apply zero-trust principles and tooling to the relevant infrastructure to ensure explicit trust boundaries, strong identity controls, and continuous verification and monitoring,” he adds. “These ensure the highest level of protection from cyber attacks for the most critical infrastructure – ensuring business continuity.”

Finally, CISOs should decide on some relevant MVC metrics to help “communicate the enterprise’s viability under cyber stress”, Corcoran claims.

“Primarily, this involves moving beyond classic cybersecurity framework compliance and incident response metrics such as mean times to detect/respond/recover,” he says. “Instead, it will look at business risk factors such as revenue continuity, customer services/satisfaction, and regulatory and legal compliance.”

A question of continuity

There’s one more thing to think about, according to Semperis’ Grillenmeier. CISOs need to determine whether an MVC should be a ‘temporary parallel environment’ used only during the crisis, or if they build it out after the incident to create a new production environment. They might want to consider the availability of dedicated emergency hardware, or whether cloud IaaS would be an option, he adds.

For CISOs, planning work never ends, adds PwC’s Rajeev.

“MVC programmes need to be deployed, tested, monitored, and continuously updated and ideally integrated into existing resilience programmes with regular exercises and clear resilience indicators to help make sure MVC will actually work when it’s needed,” he concludes.

“Companies cannot think of this as a ‘one-and-done’ effort.”
