Resilience means ensuring that a plan holds up under real-world pressure. Yet, many organizations unknowingly design for the illusion of resilience rather than actual preparedness. From boardroom complacency to technical and data vulnerabilities, gaps in crisis readiness often remain hidden until they’re exposed by disruptive events. The challenge is embedding resilience into the DNA of an organization so that when a crisis hits, leaders can act decisively, not reactively.
In part 2 of this 3-part series, we explore the topic of blind spots with Mark Heywood, a crisis management expert with decades of experience advising multinational organizations on cyber threats, terrorism, and operational disruptions. He explores why technical and data resiliency are often treated as IT problems instead of business imperatives, and why traditional risk management approaches fail to account for long-tail, high-impact events.
Most importantly, Mark shares practical strategies for making resilience more than a buzzword – so organizations can withstand not only today’s threats but also the unforeseen crises of tomorrow.
Q: The elephant in the room: technical and data resiliency. What should organizations do differently to be better prepared?
Mark: When it comes to technical and data resiliency, the elephant in the room is that most organisations are reactive, not proactive. They treat technology and data security as IT problems rather than business-critical issues tied directly to survival, reputation, and competitive advantage. Too often, technical resilience is seen as an insurance policy – something you have but hope never to use – instead of embedding it into culture, strategy, and operations. That mindset needs to change.
6 Habits of Digitally Resilient Organizations
1. Resiliency is a Boardroom Issue
- Technical resilience is too often delegated to IT teams or cybersecurity specialists, leaving boards and executives disconnected from the risks they don’t fully understand.
- Boards and leadership teams must recognize that technical and data resilience is a strategic business risk, not just a technical one.
- Leaders don’t need to be technical experts, but they must ask the right questions, demand accountability, and treat data and technology failures as existential risks to the business.
Board insight:
If our systems or data failed completely tomorrow, how long could we operate – and how would we recover?
2. Test the Unthinkable – Regularly
- Many organizations run theoretical business continuity plans or occasional tabletop exercises, but they rarely go deep enough to truly test catastrophic scenarios such as:
  - A complete systems failure
  - A ransomware attack that locks all operational data
  - A cloud provider outage impacting global operations
- Beyond compliance-driven testing, organizations need to simulate real-world crises that test system vulnerabilities and human response capabilities.
Takeaway:
Run full crisis simulations involving cross-functional teams (not just IT) so every part of the organization understands their role when systems fail. Use real-world scenarios, not idealized ones.
3. Backup Alone Isn’t Enough
- Many organizations operate with the illusion of safety, assuming that backups are sufficient for recovery.
- Reality check: Backups can fail, be corrupted, or even be compromised during cyberattacks.
- True redundancy means:
  - Geographically dispersed backups
  - Offline backups to prevent ransomware compromise
  - Redundant systems that allow critical operations to continue
Key principle:
Don’t rely on a single safety net. Assume one safety measure will fail and design layers of protection to account for it.
4. Treat Data as a Strategic Asset, Not a Commodity
- Many companies treat data as replaceable, only realizing its value after a breach or loss.
- Data must be treated as the lifeblood of the organization, requiring:
  - Identifying mission-critical data and applying the highest levels of protection
  - Real-time monitoring for unauthorized access or anomalies
  - Continuous updates to protection strategies against evolving threats
Priority initiative:
Conduct a data impact analysis to understand the business-wide implications of losing or compromising specific data assets. Make protecting those assets a top priority.
5. Build Resilience Into Vendor Relationships
- Many organizations overlook third-party risk, assuming that vendors have their own resilience plans.
- Reality: Supply chain partners, cloud service providers, and technology vendors create significant points of vulnerability.
Key actions:
- Assess vendor disaster recovery plans and their ability to operate during outages or cyberattacks.
- Include right-to-audit clauses and insist on transparency around security protocols.
- Develop contingency plans for key vendor failure – including identifying alternative providers.
Operational question:
If our primary cloud or IT vendor fails, how do we continue operating, and how quickly can we switch providers?
6. Create a Culture of Cyber and Data Accountability
- Many organizations focus on technical tools and overlook the human element.
- Employees are both the first line of defense and the biggest vulnerability in cyber and data resilience.
Key actions:
- Train employees to recognize phishing, social engineering, and suspicious behaviors.
- Embed security accountability into every role, not just the IT team.
- Foster a no-blame culture so employees feel safe reporting mistakes immediately, rather than covering them up out of fear.
Leadership strategy:
Make cyber resilience part of the organization’s DNA by tying it to individual performance goals and company values.
Resilience is About Mindset
Resilience isn’t just about technology – it’s about mindset. Organizations that thrive in the face of technical and data challenges are the ones that see resilience as a competitive advantage, not just a cost center.
The question isn’t if your organization will face a technical or data crisis – it’s when. And when that moment comes, the companies that have embraced resilience as a way of life will be the ones that not only survive but emerge stronger.