Cyber resilience has evolved into a board-level discipline focused on decision-making, but many firms make the mistake of treating resilience and security as one and the same.
Nicholas Currie, a risk and resilience expert and Principal Consultant at Beyond Blue, cautions against relying on traditional risk management strategies for emerging threats.
Currie asserts that qualitative, evidence-based recovery plans are critical for building genuine resilience.
Though the terms cybersecurity, cyber resilience, and risk management are often used interchangeably, they're not one and the same. Understanding the distinction defines an organization's ability to absorb disruption, respond under pressure, and adapt afterward across its technology, people, data, and operations. Cyber resilience has emerged as a strategic discipline precisely because today’s most damaging failures are systemic, compounding, and impossible to prevent outright.
Experienced risk and resilience expert Nicholas Currie is a Principal Consultant at Beyond Blue. With a PhD from UCL, Currie serves as an authoritative guide for high-stakes clients in government, critical infrastructure, and financial services. He explains that before organizations can build resilience, they must first understand what it really is.
"Security and resilience are two different things. They’re mutually complementary, but they’re fundamentally different," says Currie. "If you build security, you don't make yourself any more resilient. If you build resilience, you don't make yourself any more secure. What you need to be is secure and resilient."
A new chief in town: In this context, resilience often falls outside the traditional domain of the CISO, leaving many security leaders accountable for a function their role is structurally unsuited to own. Responsibility sometimes lands with the COO, whose mandate for operational resilience is a more natural fit. Still, governance is a challenge. "When it comes to who is responsible for resilience, at the moment, we're in the Wild West," Currie says. To address this structural misalignment, the UN has launched a network of corporate Chief Resilience Officers (CROs) specifically focused on embedding resilience into business practices.
False comfort: While a growing number of firms recognize the importance of building resilience, Currie says many make the mistake of using technical data as a proxy for firm-wide resilience. "There's so much different data that can seem relevant that the dangerous temptation is to skip the bit in the middle, which is to do all of the work." Currie argues that too much data can create a misleading sense of security while ignoring the human, cognitive, and practical elements needed for recovery. "You need to transform that data into insights about resilience at the macro level."
Quality over quantity: Currie advocates instead for qualitative and scenario-based insights, which are often more accurate and useful at the board level. "Organizations often don't put enough time into defining what a successful outcome looks like. My standard mantra is 'don't be afraid to be qualitative.' It's better not to misrepresent the truth and to have a qualitative story about your resilience than to try and immediately turn all that data into something quantitative."
Currie emphasizes that an effective recovery process hinges on two key components: defining what a good outcome looks like, such as bringing services back online within a set number of hours, and grounding recovery assumptions in hard evidence, like the actual time it takes to fail over to another data center. The ultimate litmus test, he says, is whether your resilience insights provide enough confidence to support the strategic decisions boards need to make about where to invest, what risks to accept, and how to respond after a failure.
Resilience for a volatile world: Currie points out that relying on traditional risk management to deal with emerging threats from agentic AI is an obsolete playbook that puts firms in danger of "falling on their face." That's what makes this new approach to resilience so vital. "Systemic risk increasingly is the thing that will kill organizations in this highly volatile, complex world," he says. "Resilience is just a technique for managing systemic risk."
While strong security is a critical part of any defense, Currie suggests it's no longer the ultimate goal. Boards must focus more heavily on the organization's ability to bounce back from an attack. "You can have all the security you want, but if someone gets in and you're not resilient, it's game over. And there will always be someone who gets in," Currie concludes.
