Situational awareness is your first line of resilience

Frederico Hakamine
Technical Evangelist Director, Axonius

A wave of nation-state cyber attacks is hitting critical industries. In recent days, threat actors linked to geopolitical conflicts have targeted healthcare, manufacturing, and defense supply chains. Among the most visible: the March 10 attack on Stryker, a global medical technology company, where attackers disrupted the company's internal Microsoft environment. As of March 15, Stryker has confirmed the incident is contained and restoration is underway, explicitly noting that no malware or ransomware was deployed.
These incidents share a pattern that is concerning to security leaders. Attackers aren't following the ransomware playbook organizations spent years preparing for. They're prioritizing operational disruption over traditional extortion. Even without deploying malware, attackers can turn an organization's own management infrastructure against it, disrupting global operations.
The wake-up call isn't just about stronger defenses. It's about situational awareness: knowing what you have, how it's connected, and building resilience around the single points of failure (SPOFs) before an attacker finds them first.
The tools you trust also carry the most privilege
Systems like endpoint and identity management are the backbone of enterprise IT. They deploy software, enforce policies, control access, and govern who can reach what across the entire environment. In other words, they hold the keys to the kingdom. That privilege is exactly what makes them high-value targets.
When those systems are compromised, the blast radius is massive. An attacker with access to device management can wipe endpoints. An attacker with access to identity infrastructure can create privileged users and keys, compromise existing ones, access privileged vaults, move laterally, escalate privileges, and lock out defenders. The damage isn't theoretical: it's the pattern emerging from recent nation-state operations.
To be clear: these systems aren't optional. Without endpoint management, IT cannot deploy, patch, or secure a fleet at scale. Without identity management, there's no way to govern access across a modern enterprise. They exist because the alternative is unmanageable chaos. The answer is never "don't have them."
That's precisely why they're single points of failure (SPOFs) worth understanding. The more critical a system is to operations, the more important it is to know its blast radius when compromised: what it can reach, what it controls, and what breaks if it's turned against you.
Why situational awareness is difficult
And here's what makes situational awareness so difficult in practice: most organizations don't run one endpoint management system or one identity provider. They run several. One for Mac fleets, another for Windows. A PAM solution for privileged access, a cloud identity provider for SaaS, an on-prem directory for legacy systems. Sometimes these choices are deliberate: the right tool for each job delivers better ROI. Sometimes they're inherited through acquisitions, tech debt, or different business units making independent decisions.
The result is a web of overlapping systems, each with its own scope, its own policies, and its own blast radius. No single console shows the full picture. Industry data tells us 14% of managed enterprise devices lack endpoint protection software entirely: not because no endpoint tool exists, but because the device fell through the gaps between tools. The gap between "managed" and "protected" is where risk lives.
This is where situational awareness becomes existential. You can't understand your SPOFs if you're stitching together partial views from five different consoles. Organizations that can see these dependencies from a single view, across every endpoint tool, every identity system, and the connections between them, are the ones that can plan for resilience instead of reacting to surprise.
Add to that the SaaS apps employees adopted without security involvement (55% of employees admit to this), the non-human identities running automated workflows, and the devices connecting from networks you didn't provision. With a ratio of roughly 16,000 assets per security professional, the scale of the challenge is real. You can't segment a network you haven't mapped. You can't revoke access to an identity you don't know exists. You can't recover endpoints you can't enumerate.
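The gap between "managed" and "protected" can be measured by correlating the inventories each tool exports. The sketch below is an added example, not Axonius code: the tool names, field layout, and sample records are constructed, and it assumes each export carries a serial number and/or hostname.

```python
# Constructed sample exports; tool names and field layouts are hypothetical.
EXPORTS = {
    "mdm_mac": [{"serial": "c02xk1abjg5h", "hostname": "MBP-Alice.corp.example"},
                {"serial": "C02ZZ9QWMD6R", "hostname": "mbp-bob"}],
    "mdm_windows": [{"serial": "PF3A7K2L", "hostname": "WS-0142.corp.example"},
                    {"serial": "PF3B9M4N", "hostname": "WS-0177"}],
    "edr": [{"serial": "C02XK1ABJG5H", "hostname": "mbp-alice"},
            {"serial": "", "hostname": "ws-0142"},       # EDR agent reported no serial
            {"serial": "", "hostname": "lab-srv-09"}],   # never enrolled in any MDM
}
MANAGEMENT = {"mdm_mac", "mdm_windows"}   # sources that count as "managed"
PROTECTION = {"edr"}                      # sources that count as "protected"

def identifiers(rec):
    """Normalize identifiers so the same device matches across tools."""
    keys = set()
    serial = (rec.get("serial") or "").strip().upper()
    host = (rec.get("hostname") or "").strip().lower().split(".")[0]
    if serial:
        keys.add(("serial", serial))
    if host:
        keys.add(("host", host))  # caveat: short hostnames can collide across sites
    return keys

def correlate(exports):
    """Merge records sharing any identifier into one asset with its source set."""
    assets = []
    for source, records in exports.items():
        for rec in records:
            ids = identifiers(rec)
            if not ids:
                continue  # nothing to correlate on; triage these by hand
            merged = {"ids": set(ids), "sources": {source}}
            for a in [a for a in assets if a["ids"] & ids]:
                merged["ids"] |= a["ids"]
                merged["sources"] |= a["sources"]
                assets.remove(a)
            assets.append(merged)
    return assets

def coverage_gaps(assets):
    """Return devices seen by one class of tool but not the other."""
    label = lambda a: sorted(a["ids"])[0][1]  # hostname if known, else serial
    return {
        "managed_unprotected": sorted(label(a) for a in assets
            if a["sources"] & MANAGEMENT and not a["sources"] & PROTECTION),
        "protected_unmanaged": sorted(label(a) for a in assets
            if a["sources"] & PROTECTION and not a["sources"] & MANAGEMENT),
    }

if __name__ == "__main__":
    print(coverage_gaps(correlate(EXPORTS)))
```

Matching on any shared identifier is what lets the EDR record with no serial still join its MDM record by hostname; matching on serial alone would report that device as a false gap.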
Resilience is a leadership strategy, not a technology checklist
Stryker’s progression into the restoration phase offers a useful signal: they have prioritized the safety of connected products and moved to manual ordering to maintain the supply chain. That kind of response reflects planning and investment that happened long before the incident.
But the broader lesson for every organization isn't "buy more tools." It's this: resilience starts with knowing what you have, understanding how it's connected, and building the muscle to respond when assumptions get shattered.
The next incident won't look like the last one. The attackers won't follow your playbook. The question is whether your organization has the awareness, the controls, and the leadership commitment to adapt when they don't.
Start with the question every resilient organization can answer: Do you know every asset, identity, and connection in your environment? If that answer isn't confident, that's where the work begins.
