Aligning IT, security, and strategy for tomorrow's cyber threats
The C-suite, and particularly the CIO, has never been more central to business success, but this elevated influence comes with an unprecedented level of threat. Today's enterprises must champion radical innovation, like the strategic adoption of artificial intelligence, while simultaneously navigating a rapidly escalating and complex threat landscape.
Such an environment demands a critical reckoning on the very definition of security, moving past simple defence and toward true cyber resilience. After all, the average time for an organisation to recover from a cyber event is 24 days, as Commvault’s Ian Wood, Senior Technical Director for Northern Europe, shared at the latest Food for Thought discussion.
This reality requires more than just better technology; it necessitates a complete organisational transformation. It calls for moving past the historical friction between IT and security teams to forge a unified front, while proactively designing a resilient enterprise that is not only prepared for tomorrow's threats but is built to continuously evolve at the market's blistering pace.
In this Food for Thought online panel, hosted by HotTopics in partnership with Commvault, executives talked about three key topics: cyber resilience, alignment between IT and security, and designing for the future.
As is customary, the session was discussed under Chatham House Rule and attended by:
- Steve Edwards, Head of Transformation and Governance at Sei
- David Appleyard, Global Security and Compliance Director / Global Data Privacy Lead at Mondelēz International
- Martin Jimmick, Global Head of Information Security at Vue
- Liz Greenwood, Director of Technology at Legal & General
- Shruti Kulkarni, Information Security Architect at Elexon
- Brian Brackenborough, Chief Information Security Officer at Channel 4
- Karys Oram, Head of Business Resilience at Admiral Group
- Chris Clark, Non Exec Director at Aviva
- Victoria Brasier, Director of Information Management at Sky
- Heather Prentice, Resilience Risk Lead (UK Insurance) at Admiral Group
- Simon Mortimer, Chief Digital Officer at Hymans Robertson
- Mark Gabriel, Senior Programme Manager at Thomson Reuters
- David Stringer, Director - Head of Technology & Innovation at Bidwells LLP
- Frank Aboki, Director at Morgan Stanley
- Minu Ali, Head of Architecture & Design at AllPoints Fibre Networks
- Mariana Montalvao Reis, Enterprise Head of Data Governance at WPP
- Dimple Singh, Customer domain Data Steward at John Lewis & Partners
Defining cyber resilience
The very start of the discussion made it clear that different organisations view cyber resilience differently. From the ability to tolerate a major attack to recovering and bouncing back, the meaning changes based on the industry, level of security, and maturity, though the three-pronged approach of ‘repel, tolerate, and recover’ is widely present in some form.
This is where the concept of minimum viable recovery entered the conversation: the practice of identifying, in advance, the core set of data, processes, and functions the organisation needs in order to operate at a fundamental level, and restoring those first. Yet, despite how essential that prioritisation is in the event of a major disruption, many companies fail at the task.
In that light, the first point of agreement among panellists was that cyber resilience is a game of balance, where businesses (particularly large ones) need to find the optimal point between protection, agility, and user experience. With the move to the cloud and the shift in how technology is delivered, a lot of companies have found themselves in no man's land, with controls and recovery plans that no longer match the estate they actually run.
As such, it’s no longer enough to focus on prevention alone; organisations must plan for the inevitability of a breach. The main challenge is the strategic mix of defence and continuity: investing in perimeter hardening to repel attacks, while ensuring that business continuity and disaster recovery plans are robust enough to support a rapid bounce-back rather than merely assumed to.
Aligning security governance with IT strategy
The conversation naturally veered into the CIO vs CISO territory, which has historically been fraught with friction, even to this day. There is an emotional layer to the issue as well, as the CISO community needs to find a responsible way to respond to the fears and distress present at the board level.
All executives concurred that education has a major role here, from teaching IT teams what cyber resilience actually means to explaining the difference between an ordinary backup and a genuinely immutable one (a copy that cannot be altered or deleted for the length of its retention period, even by an administrator whose credentials an attacker has obtained). In other words, education was pinpointed as key to changing the organisation’s view of resilience from a technical cost to a risk the business can see, fund, and prioritise accordingly.
“For me, it's probably less about educating the IT team and a little bit more about educating at the board level,” one executive added, highlighting the fact that an effective resilience strategy is a much broader challenge, particularly for less tech-savvy leaders. A case in point was backups, which tend to create a false sense of security, since the C-suite perceives them as a be-all solution rather than as one (albeit critical) component.
The panel clearly delineated the difference between traditional backup and true cyber resilience, as backup only provides the ability to restore data but doesn’t guarantee business continuity. Frequently mentioned as an example was the recent Marks & Spencer data breach in April, where a cyberattack disrupted the company’s online services and in-store operations for almost four months.
Integrating security into future architecture
At this point, creating a dynamic plan became the central topic of discussion. All executives were unanimous that hardening a business moving forward requires a holistic view.
“It’s very much like Mike Tyson said that everyone has a plan until they get punched in the mouth,” one executive remarked.
The consensus was that this critical architectural roadmap must be business-driven, warranting the same level of scrutiny and methodical walkthrough that important business services (IBS) receive. It should include understanding what matters most to the organisation in order to get it up and running, whether impact is measured in financial terms, from a reputational point of view, and so on.
In that context, interdependencies between applications and systems got a specific mention as an element that often catches organisations off guard. Without knowledge of these functional and technical links, recovery efforts become based on guesswork, not facts.
For that reason, testing the plan is key. A resilience plan starts to degrade the moment it's written. So, beyond exposing hidden dependencies, testing makes sure that the plan remains a living document, driving necessary updates to technical controls, documentation, and the overall strategy.
“Having a plan that you tested two years ago in the world we live in is not as valuable at all,” one executive concluded.
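The two points above, minimum viable recovery and the hidden interdependencies that turn recovery into guesswork, are easier to see with a small dependency map. The following is an added example, not code from the panel, Commvault, or HotTopics: the inventory of components and their dependencies is constructed for illustration (an online ordering service, a till system, a reporting stack, and the shared infrastructure beneath them), and "hsm" is deliberately referenced as a dependency without being in the inventory, to show how a plan surfaces what it does not know about. Given the services the business has ranked as essential, it computes everything that must be restored for them, a dependency-respecting restore order, the waves that can be restored in parallel, and it refuses to produce a plan if the dependencies form a cycle.

```python
from collections import defaultdict, deque

# Constructed inventory for the example: component -> components it depends on.
# "payment-gateway" depends on "hsm", which is NOT listed as a component of its
# own, standing in for a dependency nobody wrote down.
DEPENDENCIES = {
    "online-orders": ["web-frontend", "order-api", "payments"],
    "web-frontend": ["cdn", "identity"],
    "order-api": ["orders-db", "identity", "message-bus"],
    "payments": ["payment-gateway", "identity"],
    "payment-gateway": ["hsm"],
    "orders-db": ["storage"],
    "identity": ["directory", "storage"],
    "message-bus": ["storage"],
    "cdn": [],
    "storage": [],
    "directory": [],
    "till-system": ["inventory-db", "identity"],
    "inventory-db": ["storage"],
    "reporting": ["orders-db", "inventory-db", "bi-warehouse"],
    "bi-warehouse": ["storage"],
}


def required_components(graph, services):
    """Transitive closure: every component that must be up for `services` to run."""
    needed = set()
    stack = list(services)
    while stack:
        node = stack.pop()
        if node in needed:
            continue
        needed.add(node)
        stack.extend(graph.get(node, []))
    return needed


def hidden_dependencies(graph):
    """Components referenced as a dependency but absent from the inventory."""
    known = set(graph)
    return {dep for deps in graph.values() for dep in deps if dep not in known}


def restore_order(graph, services):
    """Kahn's algorithm over the required subset: each component appears after
    everything it depends on. Raises ValueError if the dependencies are circular,
    because no restore order can satisfy a cycle."""
    needed = required_components(graph, services)
    indeg = {n: 0 for n in needed}
    dependents = defaultdict(list)
    for node in needed:
        for dep in graph.get(node, []):
            if dep in needed:
                indeg[node] += 1
                dependents[dep].append(node)
    queue = deque(sorted(n for n in needed if indeg[n] == 0))
    order = []
    while queue:
        node = queue.popleft()
        order.append(node)
        for child in sorted(dependents[node]):
            indeg[child] -= 1
            if indeg[child] == 0:
                queue.append(child)
    if len(order) != len(needed):
        stuck = sorted(n for n in needed if indeg[n] > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def restore_waves(graph, services):
    """Group the restore order into waves: wave 0 has no dependencies, wave k
    depends only on components in waves < k, so each wave can be restored in parallel."""
    order = restore_order(graph, services)
    wave_of = {}
    for node in order:
        deps = [d for d in graph.get(node, []) if d in wave_of]
        wave_of[node] = 1 + max(wave_of[d] for d in deps) if deps else 0
    waves = defaultdict(list)
    for node, wave in wave_of.items():
        waves[wave].append(node)
    return [sorted(waves[i]) for i in range(len(waves))]


if __name__ == "__main__":
    # The business has ranked online ordering as the one service it must have back first.
    tier1 = ["online-orders"]
    print("Unknown dependencies in the inventory:", sorted(hidden_dependencies(DEPENDENCIES)))
    print("Components required for tier 1:", sorted(required_components(DEPENDENCIES, tier1)))
    for i, wave in enumerate(restore_waves(DEPENDENCIES, tier1)):
        print(f"wave {i}: {', '.join(wave)}")
```

Run as a script it reports "hsm" as a dependency the inventory does not describe, which is exactly the kind of gap a tabletop or live test is meant to expose before an incident does; "reporting" and the till system fall outside the tier-1 closure, so the plan does not spend the first hours on them. Re-running it whenever the inventory changes is a cheap way of keeping the plan a living document rather than one tested two years ago.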
Resilience is a strategic outcome
Cyber resilience has moved past being an IT problem and is now a core determinant of business performance, valuation, and executive leadership. It is achieved through intentional alignment and continuous testing, because the new reality is that the ultimate measure of a modern organisation is not whether it gets breached - it’s how quickly and effectively it recovers.