Joining the CSO Security Summit London: Cyber Resilience Best Practices

I’m pleased to be joining fellow leaders at the CSO Security Summit in London, where I’ll be sharing cyber resilience best practices with peers from across the industry.

It’s a privilege to be on the same platform as some genuinely sharp thinkers in this space, and I’m looking forward to both contributing and learning from the conversations on the day.

Why Resilience, Not Just Defence
The framing matters. For a long time, the dominant mental model in cybersecurity was defensive — build the walls high enough, and you’re protected. That model has always had limits. In the current environment, with the threat surface expanding and the sophistication of attacks increasing, it’s simply not sufficient.

Resilience is a different proposition. It doesn’t assume you can prevent every incident. It asks: when something goes wrong — and it will — how quickly can you detect it, contain it, recover from it, and learn from it? It’s a more honest frame, and it leads to better decisions.

Resilient organisations share some consistent characteristics:

They have genuine clarity about what matters most. Not everything is equally critical. Organisations that have done the work to identify their crown jewels — the systems, data, and processes that would cause the most damage if compromised — can prioritise their investment and response accordingly. Organisations that haven’t done that work tend to either over-invest everywhere or, more commonly, under-invest in the things that actually matter.

They practise, not just plan. A business continuity plan that’s never been tested is a document, not a capability. The organisations that respond well to incidents are the ones that have rehearsed. Tabletop exercises, red team engagements, crisis simulations — these are investments in actual resilience, not just compliance.

They treat recovery as a first-class objective. Too much security investment goes into prevention and not enough into detection and recovery. Given that breaches will happen, the ability to detect quickly and recover fast is often more valuable than marginal improvements in prevention.

They connect security to business outcomes. Boards and leadership teams engage more meaningfully with security when it’s framed in terms they already care about — operational continuity, regulatory standing, reputational risk, customer trust. Security leaders who can make those connections fluently are more effective, not because the technical work changes but because the organisational support around it does.

The Bigger Picture
Cyber resilience isn’t a project with a finish line. It’s an ongoing capability that needs to be maintained, tested, and evolved as the environment changes. The organisations that understand that — and invest accordingly — are the ones I’d back.

Looking forward to the conversation in London.

Neil Manfred is the founder of Fredian Shield, a specialist consultancy helping regulated organisations adopt AI and technology responsibly. He is a Certified Director of the Institute of Directors and a Non-Executive Director in public education.

Neil Manfred
Founder, Fredian Shield

Executive IT leader, IoD Certified Director, and Non-Executive Director in public education. Founder of Fredian Shield — helping regulated organisations adopt AI responsibly. 30+ years at the sharp end of technology leadership.
