Cyber Resilience Starts In The Board Room.
It is now widely accepted that no organisation can prevent every cyber attack. Despite significant investment in cyber security controls, monitoring tools and threat intelligence, determined adversaries will succeed. The real differentiator between organisations that suffer lasting damage and those that recover quickly is not simply technical defence — it is cyber resilience.
Cyber resilience is the ability of a business to withstand, respond to, and recover from a cyber incident while maintaining critical services. Achieving this requires more than strong IT security. It requires clear leadership and ownership at Board and executive level.
Moving Beyond Prevention
For many years, cyber security strategies focused primarily on prevention: firewalls, endpoint protection, patching, and access controls. These remain essential, but they cannot guarantee immunity from attack.
Modern cyber strategy must therefore balance protection with resilience. Organisations should aim to:
Detect and mitigate cyber threats to IT assets.
Minimise operational disruption during an incident.
Recover business operations swiftly and effectively in line with business priorities.
This shift in mindset places business leadership — not just IT teams — at the centre of cyber preparedness.
The Gap in Many Business Continuity Plans
Most organisations have Business Continuity Plans (BCPs) designed to navigate operational crises and restore services. Many executives assume these plans will automatically work during a cyber attack.
However, in reality, many BCPs were not designed with cyber incidents in mind.
Traditional continuity planning often assumes that IT systems will remain available or can be restored quickly. A significant cyber event — such as ransomware, destructive malware, or a compromise of core infrastructure — may render systems unavailable for extended periods.
Without specific cyber response procedures, BCPs can fall short when they are needed most.
Understanding How the Business Actually Operates
The purpose of a BCP is to protect critical business functions and minimise disruption. To achieve this during a cyber incident, organisations must understand how their operations depend on technology.
This requires a fundamental question from leadership:
Which business services must continue, even if IT systems are fully or partially unavailable?
Answering this requires collaboration across the organisation. Departments must understand:
Which IT systems enable their day-to-day operations
What workarounds exist if those systems fail
How services could be delivered in a degraded or manual environment
This is not simply a technical discussion — it is a business capability discussion.
Cyber Response Is a Leadership Challenge
In many organisations, too much responsibility for cyber crisis response sits with the IT department. IT teams are expected to restore systems while simultaneously supporting the wider organisation during a high-pressure incident.
However, restoring IT infrastructure is only part of the challenge.
The real leadership task is delivering critical business services while operating with compromised technology.
That requires executive decisions about:
Which services must be prioritised
Which activities can be temporarily suspended
What acceptable levels of disruption look like
How the organisation communicates with customers, regulators, and partners
These decisions cannot be delegated entirely to the CISO and IT. They must be led by business leaders.
The organisation — not the technology — should determine what must be recovered first and why.
The Scale of the Cyber Threat
This challenge is becoming more urgent each year. Cyber crime has grown into a vast global economy. Estimates suggest it now generates around $3 trillion annually, making it comparable to the world’s largest national economies.
Against this backdrop, the well-known observation from Ciaran Martin, former head of the NCSC, remains highly relevant:
“It is a matter of when, not if.”
Cyber incidents are no longer hypothetical risks. They are operational realities that every organisation must be prepared to manage.
Increasing Pressure From Shareholders, Insurers and Regulators
Shareholders, cyber insurers, regulators and advisory bodies are also shifting their focus. Increasingly, they are concerned less with whether organisations can prevent attacks and more with whether they can continue delivering services during and after a cyber event.
Key questions now include:
Can the organisation operate during a major IT outage?
How quickly can critical services be restored?
Are executives prepared to manage a cyber crisis?
In short, resilience — not just security and defence — is becoming the benchmark of organisational cyber maturity.
What Boards and Executives Should Do Now
At first glance, strengthening cyber resilience across a complex organisation can feel overwhelming. However, Boards and executive teams can make significant progress through a number of practical steps.
1. Revisit Business Continuity Plans through a cyber lens
BCPs should explicitly consider scenarios where IT systems are unavailable or untrusted. Plans should include clear procedures for operating during a cyber incident.
2. Identify and prioritise critical business services
Leadership teams should define the services that are essential to customers, regulatory obligations and revenue generation.
3. Map technology dependencies
Understand how digital systems support each business-critical service and/or product. This helps identify vulnerabilities and recovery priorities.
4. Plan for degraded operations
Organisations should explore how services could continue with limited or unavailable IT capability. In some cases this may involve temporary manual processes or simplified workflows.
5. Exercise crisis decision-making at the executive level
Cyber resilience is strengthened when executives practise responding to realistic cyber scenarios. Leadership familiarity with crisis decision-making can significantly reduce response time and confusion.
Resilience Is a Strategic Leadership Responsibility
Cyber resilience is no longer just a technical issue. It is a strategic leadership responsibility.
Boards and executives must ensure their organisations are not only investing in cyber defences, but also preparing to operate through disruption and recover rapidly when incidents occur.
In a world where cyber attacks are inevitable, the organisations that thrive will not be those that avoid every breach — but those whose leadership ensures the business can withstand the shock and continue to deliver what matters most.