The fundamental question has changed
The NCSC’s Annual Review marks a critical inflection point. With nationally significant incidents surging and costs exceeding £300m for single attacks, the question is no longer “Can we prevent every breach?” but “Can we survive and recover when attacked?”
The data is unambiguous: prevention alone has failed. It’s time to engineer resilience.
Three truths every CISO must accept
- Assume Breach is Now Operational Reality
The Synnovis incident cost £32.7 million – 7.6x annual profit – and contributed to patient deaths. Marks & Spencer and insurers face £300 million+ in costs. These aren’t outliers; they’re the new normal.
- Preparation Makes the Difference
In the NCSC’s report Co-op CEO Shirine Khoury-Haq stated: “While you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds.”
Yet she also said: “Our routine investment in security, the deliberate segregation of systems and frequent testing laid a strong foundation for our response.”
The Co-op maintained core operations despite a multi-stage attack. Unprepared organisations face an existential threat.
- The Gap Between Threat and Capability is Widening
The NCSC’s top priority for CNI applies universally: closing the widening gap between threat sophistication and defensive capability. Traditional approaches – more tools, more alerts, more controls – won’t close it. Resilience engineering will.
Resilience engineering: the new paradigm
The review introduces resilience engineering – the ability to anticipate, absorb, recover from, and adapt to unexpected shocks. This isn’t theory; it’s practical architecture and operations.
The five pillars of operational resilience
- Recovery Over Prevention
Critical Capability: Rebuild the entire environment from a known-good state in hours, not weeks or months.
Required:
- Infrastructure as code (rapid reconstitution)
- Immutable backups with verified recovery from total environment loss
- Offline recovery procedures (hardcopy runbooks)
Test: If you haven’t recovered from bare metal in past 12 months, you don’t have capability – you have hope.
- Containment Through Segmentation
NCSC’s evidence: “Organisations who intervene during a destructive event and self-isolate recover quicker with less impact.”
Implementation:
- Network segmentation to create trust boundaries
- Management plane segregation (Privileged Access Workstations)
- Ability to operate critical functions in isolation
And pose this question to the Board: “If attackers compromise our corporate network, can we still run production systems?”
- Zero Trust as Foundation
Principle: Assume no implicit trust; reduce “blast radius” through:
- Least privilege universally applied
- Just-in-time privileged access
- Context-aware authorisation
- Microservices and application isolation
- Observability for Rapid Response
Purpose: Comprehensive monitoring (hosts, infrastructure, edge, cloud, applications) enables:
- Anomaly detection
- Rapid response
- Post-incident learning
New NCSC emphasis: understanding attacker methods and hunting proactively for threats, rather than relying on passive detection.
- Validated Through Testing
Chaos Engineering: Deliberate introduction of failure to validate detection and recovery.
Minimum standard:
- Quarterly incident response tabletops
- Annual full technical DR test
- Crisis communication testing (offline channels)
- Board participation in strategic exercises
Conclusion: from surviving to thriving
The Annual Review validates what many leading CISOs have known: the security paradigm has fundamentally shifted. Prevention-focused strategies have reached their limit. The organisations that will thrive in the next decade are those that can absorb impact and recover rapidly.
The Co-op maintained operations during its cyber-attack. Your organisation should too.
This isn’t about investing more in the same controls. It’s about fundamentally rethinking your approach:
- Recovery over prevention
- Containment over total protection
- Operational resilience over security theatre
- Crisis capability over incident plans
- Antifragility over business continuity
The resilience dividend: Organisations that master these principles don’t just survive incidents better – they build competitive advantage, reduce operational risk, enable innovation, and create lasting value.
The question for every CISO: When (not if) you face a major incident, will your organisation be the one that maintains operations and recovers in hours? Or the one that makes headlines for weeks of downtime?
The bottom line: it’s time to act
The review validates long-standing CISO concerns and provides a mandate for accelerated action. As Anne Keast-Butler, Director of GCHQ, states: “Don’t be an easy target; prioritise cyber risk management, embed it into your governance, and lead from the top.”
This isn’t about perfection – it’s about progress. Even well-prepared organisations face challenges during incidents. But preparation, investment, and cultural commitment make the critical difference between controlled response and catastrophic failure.
The question isn’t whether your organisation will face a cyber incident, but when – and whether you’ll be ready.
It’s time to engineer resilience.
Please contact us if you would like to discuss how we can engineer resilience for your organisation today.