QinetiQ Group plc

10/03/2025 | Press release | Archived content

Resilience, regulation, recovery – and the reality facing cyber leaders

From prevention to resilience

In recent years, the industry has recognised that no system is invulnerable. Breaches are more common and the key questions have become: when I get hit, how bad will it be? How quickly can I bounce back? And who didn't get hit - and why not?

Resilience means more than recovery. It's the ability to adapt, maintain operations and emerge stronger after disruption. True resilience combines technology, people, and processes in a way that reduces the impact of incidents and accelerates recovery.

A changing regulatory landscape

Regulation is catching up with this shift. The EU's Digital Operational Resilience Act (DORA) has applied to financial entities since January 2025, but no major fines have yet been issued under it.

In the UK, the forthcoming Cyber Security and Resilience Bill updates the NIS Regulations and broadly mirrors the EU's NIS2 (the second Directive on Security of Network and Information Systems). It will expand the scope of reporting requirements - notably to managed service providers - and promote the NCSC's Cyber Assessment Framework (CAF) as the basis for assessment. It also consolidates responsibility in DSIT (Department for Science, Innovation and Technology) and grants the Secretary of State significant independent powers to direct regulators and update the regime.

However, regulation brings challenges. By setting targets, it can inadvertently encourage organisations to focus only on compliance, reassured they have met obligations, without necessarily becoming more resilient. The real challenge is to punch through the regulatory barrier - going beyond a minimum standard to embed resilience as a business advantage.

In highly regulated sectors such as aviation and finance, frameworks are well established and clearly justified. Cyber regulation needs to achieve the same balance: light enough to avoid stifling response to adversaries, but robust enough to drive genuine improvement.

The cost of failure

The financial and operational impact of disruption is stark.

  • In the UK, Marks & Spencer suffered weeks of disruption across its online and in-store operations after the attack disclosed in April 2025.
  • Jaguar Land Rover was forced to halt production at its manufacturing plants for weeks after the attack disclosed in September 2025.

These incidents highlight not only the cost of downtime but the importance of separating domains (so that a compromise of corporate IT cannot bring production or customer-facing systems down with it), of robust backups that have actually been tested by restoring from them, and of clear, rehearsed recovery strategies.

The reality is simple: you never recover to the exact same state. Every breach leaves a mark. The lesson is to prepare now, so that recovery is faster, cheaper and less damaging when the inevitable happens.

Learning from resilience

Instead of only studying victims, we should look more closely at organisations that withstand attacks.

  • Ubisoft spotted a ransomware attempt in 2023 and removed the attackers before data exfiltration took place.
  • The Library of Congress withstood a parallel attack of the kind that compromised the British Library in 2023, thanks to multi-factor authentication and strong monitoring.

What architectures, processes and decision-making structures made the difference? How did their teams respond under pressure? These are the lessons that can help businesses move beyond compliance and embed resilience as a source of strength and competitive advantage.

Five questions every CISO should ask

We have distilled these reflections into five quick questions. If you can't answer yes to all five, your organisation may be compliant - but it isn't resilient.

  1. Beyond compliance - are we treating regulation as a baseline, not the finish line?
  2. Architecture for recovery - could our systems contain the impact of an incident and restore operations quickly?
  3. Exercising for reality - have we tested leadership and teams under live crisis conditions, not just tabletop drills?
  4. Resilience economics - do we understand the true cost of downtime and invest accordingly?
  5. Learning from survivors - are we studying organisations that withstood disruption, not only those that failed?

These questions aren't abstract - they map directly to practical steps organisations can take, from immersive exercising and red team simulations to supply chain resilience and cultural measurement. At QinetiQ, we've built these capabilities to help high-assurance organisations turn resilience from an aspiration into an operational reality.

The cyber landscape is evolving fast. Regulation is important, but it sets only a baseline. The real test is resilience: the ability to recover and adapt in the face of disruption. By asking the right questions and learning from those who have weathered the storm, organisations can build the confidence to operate securely in an uncertain world.

Resilience is like a Kintsugi bowl: systems can be repaired and even strengthened after damage, but the lines of recovery will always show. Practising, stress-testing and embedding resilience into culture is what turns those lines into a record of strength rather than a reminder of weakness.

Get in touch to find out how QinetiQ helps high-assurance organisations move beyond compliance to true resilience.

QinetiQ Group plc published this content on October 03, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on October 08, 2025 at 08:52 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]