Austin Bailey

Vice President - Consulting Delivery, Cyber Security, CGI in the UK & Australia

In today’s threat landscape, cyber resilience is no longer a differentiator; it is a fundamental requirement for business continuity. Below are the key themes that every senior leader should be thinking about right now.

1. Backup is easy. Recovery is hard

A recurring theme was the misconception that robust backups automatically equal resilience. They don’t.

Executives are reminded: “You are only as good as your last disaster recovery test.”

The focus must shift from backup services to resilience services: the ability to restore core operations quickly, consistently, and under real-world pressure.

Table-top exercises, immutable cloud backups, and scenario-based testing and exercising are highlighted as essential practices. Yet many organisations still lack true recovery maturity, struggling especially with complex IT estates, interdependent systems, and third-party reliance.

For C-suites, the call to action is clear: insist on evidence, not assumptions, when it comes to recovery capability.

2. Cyber resilience is now a board-level responsibility

Regulators in Critical National Infrastructure (CNI) and financial services are raising expectations for resilience, reporting, and evidence of effective controls. The Cyber Security and Resilience Bill (CSRB), designed to enhance and modernise the NIS Regulations rather than supersede them, together with emerging UK Government and NCSC guidance, makes it clear that boards will be expected to demonstrate full accountability for their organisation’s cyber resilience posture. Budget is a frequent topic in cyber security discussions: resilience is not inexpensive, but a lack of resilience is far more costly.

Board members should be encouraged to challenge not only internal teams but also suppliers, asking:

  • How quickly can we recover?
  • When did we last test?
  • Do we understand our supply chain exposure?
  • Can we demonstrate appropriate controls, pre- and post-incident?

The key take-away is that security is no longer the Chief Information Security Officer’s (CISO’s) job alone; it is everyone’s responsibility, starting at the top.

3. The supply chain is our biggest blind spot

The modern supply chain is the largest unmanaged risk area for most organisations.

With organisations relying on hundreds of suppliers, the complexity has grown beyond what traditional compliance and procurement processes can manage.

Key insights included:

  • Risks aren’t eliminated; they can only be minimised and managed.
  • Organisations tend to “tick the box” on supplier compliance without truly understanding underlying vulnerabilities.
  • Even companies with strong certifications (e.g., ISO 9000) can carry hidden risks.
  • Third-party vulnerabilities, such as those seen in recent high-profile supply chain breaches, remain a persistent threat.

Risk ledgers, community threat intelligence groups, and continuous supplier monitoring are highlighted as practical steps forward.

For executives, the takeaway is simple: supply chain resilience must become a strategic priority, not an operational afterthought.

4. Threat intelligence must evolve and become collaborative

We emphasise that most organisations still rely on outdated models of threat intelligence: vendor mailing lists, siloed reporting, and reactive updates.

We advocate for:

  • Shared intelligence communities
  • Collaborative threat feeds
  • Combining multiple sources, including open-source insights
  • Improving situational awareness across the enterprise

The message: resilience is collective. No organisation can rely solely on its own lens when adversaries are operating across global ecosystems.

5. Shadow IT, dependency risks, and AI: the new frontiers

Current industry discussions of vulnerability management and software packages highlight how quickly modern environments change. Issues raised included:

  • Increasing risk from open-source dependencies
  • Teams unknowingly introducing packages with hidden vulnerabilities
  • Shadow IT expanding attack surfaces
  • AI tools that can now assist in rapid scanning and remediation
  • The question: How quickly can your organisation patch?

Executives should be asking:

  • Do we know what we depend on?
  • Can we detect and patch vulnerabilities fast enough?
  • Where can AI accelerate our resilience strategy?

6. Pragmatism beats perfection

One of the most valuable messages was a pragmatic one: There is no such thing as a “perfect supplier” or a perfect cyber posture.

What regulators and attackers are looking for is:

  • Evidence of applied controls
  • Reasonable, risk-based decision-making
  • Clear accountability
  • A demonstrable journey of improvement

“Perfect” is impossible. “Appropriate and demonstrated” is essential.

Conclusion: Cyber resilience is a journey, not a destination

Cyber resilience is not achieved once; it is built continuously.

Leaders must embrace:

  • Transparent risk conversations
  • Proactive investment
  • Regular testing and exercising
  • Deep supply chain visibility
  • And a culture where security is everyone’s responsibility

As the threat landscape grows more complex, organisations that succeed will be those that treat resilience as a strategic capability, not a compliance checkbox.

If 2025 was the year resilience reached the boardroom, 2026 must be the year it becomes embedded across the enterprise.

About this author

Austin Bailey

Vice President - Consulting Delivery, Cyber Security, CGI in the UK & Australia

Austin leads the delivery of the Security Operations element of CGI’s UK cyber practice with responsibility for Security Operations Advisory, Managed Security Services and Penetration testing functions.