
80% of what you will read about “cyber resilience” on LinkedIn today is nonsense. It will not make your organisation resilient. Understanding systems, and the system dynamics of resilience, tells us why.
Systems are the product of an underlying set of mental models. If the mental model is built on incorrect beliefs and assumptions, the system will reflect those errors in its behaviour. Our mental models in cyber need a course correction:
- The point of cyber resilience is not cyber resilience. The point of cyber resilience is organisational resilience.
- The point of the cyber org itself is not to “stop bad things from happening”, or to “manage security risk” on behalf of the rest of the org, or to “secure the org”. It is to enable the organisation to achieve and sustain its business goals and objectives. This is not semantics. If you shift mental models from “secure the org” to “protect the business”, you get a completely different set of priorities, behaviours, and outcomes.
Now to the downstream system dynamics:
- Organisational resilience cannot be built just by adding together individually-resilient organisational functions.
- Right letter, wrong word: Cyber resilience is not Engineered. It Emerges from the system, not from its individual parts.
Resilience, just like adaptability and risk, is not “in” the nodes, it’s “in” the network (i.e. resilience is an emergent property that arises from the interactions between the parts, not from the parts themselves).
In Imaginary Security World, malware is the problem. Malware is not the problem. The problem is the system’s (in)ability to adapt and learn under pressure. The whole organisational system, not just the part of the system under the CISO’s remit.
Cyber incidents are stressors, not just events. Impact propagates through decision, coordination, authority, trust, and meaning structures. Organisational collapse almost never happens because a security control failed; it happens because the organisation couldn’t adapt fast enough to the new conditions created by the event. Resilience could not emerge.
Which raises the question: why is an organisation unable to adapt and learn? The reasons rarely have anything to do with cyber capabilities, or even technology, even when it seems like they do.
An example: orgs tend to focus on outputs like “legacy technical debt”, rather than the deeper systemic reasons why they developed the legacy tech debt to begin with. As a consequence, they find themselves painted into a corner they can’t get out of, i.e. they can’t adapt and learn. Along comes a sincere, well-meaning leader (or a new UK government cyber action plan) talking about “cyber resilience”, and why we need to “deal with our tech debt”. But unless those deeper systemic structures are changed, what follows will only ever be performative security theatre, because those structures will simply reconstruct the current state. You’ll be back where you started in 5 years. An organisation that cannot (or will not) adapt and learn cannot be resilient.
This doesn’t mean the individual cyber and technical capabilities don’t matter, of course. They absolutely do. We should keep doing all the good and sensible things we do (sophisticated EDR, security awareness training, immutable backups, etc). I’m just saying that many organisations, when put under pressure, are surprised to learn that their mature, sophisticated cyber capabilities do not magically translate into organisational resilience.
Yet from a systems perspective, this outcome is entirely predictable when we build organisations that are vertically capable, but horizontally dysfunctional. Until and unless that changes, the kind of organisational resilience we want and need will elude us, no matter how much we talk about it.
If resilience were an engineering problem, it would live in things like tools. It doesn’t. It lives here:
- Decision velocity under uncertainty: Organisations that struggle to make decisions under pressure do not have a technical problem, they have a leadership and culture problem.
- Authority & agency distribution: High control, low agency orgs are brittle and cannot adapt.
- Information flow integrity: Does reality travel upwards unfiltered, or does it get massaged/suppressed by fear, politics, and metric pressures?
- Cross-boundary interdependency: It’s not just about coordination. Under pressure most functions collapse into local optimisation and self-protection (a culture and incentivisation problem).
- Psychological safety & trust: If being honest is costly, people won’t be honest (again, a cultural and leadership issue). You will find out about things when they explode, not when they’re starting to boil.
- Learning and feedback: Just because you have feedback mechanisms doesn’t mean you are learning; the question is whether that feedback is actually reshaping the structural dynamics.
Whenever you read about cyber resilience henceforth, ask yourself: is this advice going to help me fundamentally reshape the underlying organisational mental models and system structure dynamics that will allow resilience to emerge? Or is this just performative theatre that exchanges true resilience for the illusion of resilience?
An illusion that will fail you precisely when you need resilience the most.