Introducing the Blog Series: Cyber Resilience Board Briefings

What are Cyber Resilience Board Briefings?

Over the past few years, I’ve spent a significant portion of my time working with organisations in the middle of ransomware and destructive cyberattacks. Not tabletop scenarios or theoretical models: real incidents, with real operational impact, unfolding under pressure, alongside senior executives.

What stands out is not simply how these attacks succeed. It is how often organisations mistake restoration for resilience. I have seen recoveries declared successful, only for the organisation to discover weeks or months later that risk had been reintroduced, trust had been assumed rather than proven, or critical decisions had been made with incomplete evidence.

I have also seen organisations receive significant post-incident budget and headcount increases, then spend that investment without addressing the operating model failures that made the incident so damaging in the first place. More money does not automatically create resilience. Without governance, accountability, and clear decision rights, it often just funds a larger version of the same problem.

Equally, I have seen overconfidence evaporate quickly. Claims of impenetrable protection rarely survive contact with a determined adversary, and some leaders who projected the greatest certainty before an incident were no longer in post after it.

At that point, the issue is no longer purely technical; it is a governance failure.

The gap between cyber and the boardroom

Cybersecurity has become a standing item at board level: awareness exists, investment has increased, reporting has improved and best-practice frameworks are widely adopted. Yet, when a destructive cyber event occurs, many organisations still struggle to answer a small number of fundamental questions:

  • What does “recovered” actually mean?

  • Can we trust the environment we are restoring into?

  • Are we prioritising speed or assurance, and who decides?

  • What level of risk is acceptable in the recovery process?

  • How do we evidence to partners, regulators and cyber insurers that decisions taken under pressure were appropriate?

These are not questions for the Security Operations Centre; they are board-level decisions, often made implicitly rather than explicitly.

The problem with current cybersecurity and cyber resiliency narratives

Much of the cyber industry narrative still focuses on:

  • Prevention

  • Detection

  • Tooling

These are all hugely important aspects, but they are largely irrelevant at the point where the organisation is already compromised. When your organisation can’t deliver its products, services or mission, identities are untrusted and time pressure is acute, the problem shifts from “How do we stop this?” to “How do we safely continue operating?” That transition is where many organisations falter: not because they lack technology, but because they lack:

  • Defined decision rights

  • Clear recovery conditions

  • Alignment between security, IT, line-of-business and executive leadership

  • A shared understanding of what “good” looks like under failure

What this series will do

Cyber Resilience Board Briefings is designed to address that gap. Each briefing will be:

  • Short and focused, easily consumable by the board

  • Grounded in real incident patterns I’ve observed first-hand

  • Framed in business and governance language

  • Oriented around decisions, not tooling

Cyber Resilience Board Briefings topics will include:

  • The difference between recovery and recovery to a trusted state

  • Why identity is the critical path in most recoveries

  • Common failure modes observed during ransomware response

  • The hidden risks in “clean” backups

  • Decision frameworks for operating under degraded trust

  • How to align cyber recovery with regulatory expectations (e.g. operational resilience requirements)

Who Cyber Resilience Board Briefings are for:

  • Board members and non-executive directors

  • Chief Information Officers, Chief Information Security Officers and Chief Risk Officers

  • Investors and advisors to technology organisations

If your role involves oversight, accountability, or decision-making under uncertainty, this series is for you.

A different lens on cyber resilience

Cyber resilience is often described as a capability. In practice, it is an emergent property: the result of how well an organisation coordinates:

  • Governance

  • Technology

  • People

  • Decision-making under pressure

Your organisation doesn’t discover whether it’s resilient in a policy document; it discovers it when:

  • Your identity systems can’t be trusted

  • Your tooling is degraded or evaded

  • Your teams are working from incomplete information

  • And the business is demanding answers

What comes next

The first briefing in this series will focus on a foundational issue: why “recovery” is not the same as “recovery to a trusted state”, and why that distinction matters at board level. In many of the incidents I’ve been involved in, the real damage wasn’t caused by the attack itself; it was caused by what happened after systems came back online.

If cyber resilience is now a board-level concern, and it is, then it needs to be understood, discussed, and governed at that level. That’s the purpose of the Cyber Resilience Board Briefings series.
