What does resilience really mean?

by Black Hat Middle East and Africa

Everyone talks about resilience. But not many organisations actually have it. 

According to a 2025 report from PwC on digital trust, only 2% of organisations globally say they have fully implemented cyber resilience actions across their business – despite cyber risk being consistently ranked as a top strategic concern by executives. 

And this is not a funding problem. PwC found that 77% of organisations expect their cybersecurity budgets to increase over the next year. Leaders know the risk is real. What’s missing is translation – turning spend into an organisation that can keep operating, communicating, and making decisions when something goes wrong. 

So that’s the first crack in the buzzword: resilience isn’t how many controls you own, but how your organisation behaves under stress.

The limits of ‘lock it all down’

Security strategy has conventionally been dominated by the idea that we should (and can) prevent incidents at all costs. Harden systems, reduce access, block threats at the perimeter. But that approach doesn’t really work in the current threat landscape. 

When we spoke to Daniel Bowden (CISO at Marsh McLennan), he described how his own thinking evolved:

“Early in my career, I thought cybersecurity was about locking things down. Control everything, restrict everything, prevent everything. Classic ‘castle-and-moat’ mindset.

“Now, I see security as an enabler of trust and resilience, not just a blocker of bad things. The real mission is risk-informed decision support that enables the business to operate confidently in a world of uncertainty.

“I’ve also learned that you can’t firewall your way out of systemic risk. You need visibility, intelligence, and adaptability. Security must be dynamic – aligned to business priorities and scalable across complex ecosystems.”

That assessment is backed by Accenture’s State of Cybersecurity Resilience 2025 report, which found that 90% of organisations lack the maturity to defend against modern, AI-driven cyber threats. And only 36% of technology leaders believe their security capabilities are keeping pace with advances in AI.

Prevention is still an important part of cybersecurity strategy, of course; but it doesn’t define resilience on its own. 

Instead of a product, resilience is an organisational muscle 

One reason resilience is so often misunderstood is that it can’t be bought or installed, as much as we wish it could. It’s an outcome of how technology, people, and decision-making fit together.

Stefan Baldus (CISO at HUGO BOSS) put the focus firmly on fundamentals when we interviewed him for the blog: 

“If you can take the time, don’t start in cybersecurity right away. You need to understand how the world works to make it secure. To be effective in security, you need base knowledge in operational systems, networks, development, and how things work together.

“If you can try to see all of this just a little bit, it’ll help later on with the network or system engineers to also see their side of the coin; and it gives you some grounding for your arguments in the discussions to come.”

A grounding in the world beyond cybersecurity becomes invaluable during incidents, when resilience is tested by coordination, authority, and speed. The better you understand how the business and its systems actually work, the more likely you are to build a security strategy that can withstand an incident. 

And trust is the real resilience test

PwC estimates the average cost of a data breach at USD 3.3 million, before reputational damage or regulatory fallout is considered. But the harder cost to measure is trust.

Lakshmi Hanspal (Strategic Advisor and Investor at Silicon Valley CISO Investments) framed resilience through its ripple effects:

“When trust is broken in the security context, the impact reverberates far beyond the immediate epicentre. It's like a stone thrown into a pond – the initial splash might be contained, but the ripples touch every shore.”

And she argued that resilience is about what happens next:

“Not only is it possible [to rebuild trust] – it can emerge stronger than before. I've witnessed organisations transform security incidents into powerful catalysts for positive change.”

Hanspal calls this the “Phoenix Effect”, grounded in three behaviours:

“They communicate with immediate and honest acknowledgement of the event. They provide clarity on remediation steps. They demonstrate tangible long-term commitments to security improvements.”

So what does resilience really mean?

Strip away the marketing, and resilience looks very unglamorous. It’s straight-up preparedness, confident and effective decision-making, and real trust rather than compliance optics. 

As Hanspal put it:

“Stop treating security as a compliance checkbox rather than a cultural cornerstone. The ‘check-the-box’ mentality creates a dangerous illusion of security while undermining the very trust it's meant to build.”

All organisations today should design for failure. Assume breaches will happen, and optimise for detection, response, and recovery. And then treat trust as an outcome – because transparency and learning matter just as much as technical fixes. 
