Are we building genuine cyber resilience, or just better compliance ‘theatre’?
As cyber security policies become more structured and heavily audited, most organisations can demonstrate compliance with recognised frameworks, standards and controls. However, compliance doesn’t test resilience: organisations can pass every audit and still fall apart under a real attack.
Frameworks measure posture, not performance. They show whether controls exist, not whether those controls will work when tested. In practice, incidents test how organisations operate. When a cyber incident occurs, decisions need to be made quickly, often with incomplete information. Systems may be unavailable and communication channels may be disrupted.
What matters in those moments is how teams operate, how decisions are made and how effectively organisations communicate and coordinate their response. These are not capabilities that can be assumed or taken on theory; they need to be rigorously tested.
From compliance to readiness
Compliance shows that a plan exists. Readiness shows that it works. Frameworks provide a baseline and are essential, but they are not all-encompassing. Resilience requires organisations to assume breach and move beyond documented controls to demonstrated capability in practice. Red teaming, tabletop exercises and crisis simulations are what separate compliance from readiness.
What needs to change?
Drawing on themes discussed at the roundtable, shifting from measuring compliance to measuring readiness will require changes across the system.
Regulation will need to place greater emphasis on evidence of tested response, rather than solely on documented controls. Insurance may act as a faster lever, with underwriting linked more directly to an organisation’s ability to respond in practice. Frameworks will need to evolve, with compliance treated as a baseline rather than the end state. Procurement also remains underused: organisations that mandate tested resilience from their suppliers are likely to drive change more quickly across supply chains.
Each of these would move the industry closer to measuring what matters: performance under pressure.
Closing the gap
The cyber threat continues to evolve. Attackers are organised, well-resourced and increasingly able to exploit complexity, scale and human behaviour, while many organisations still rely on measures that do not reflect how they will perform in a live incident. Closing that gap requires a real shift in focus, from compliance with frameworks alone to testing performance against them under real-world conditions.