If there’s one word security leaders love, it’s “resilience.” But as Datacom’s Mark Micklefield, Associate Director — Security Consulting, and David Stafford-Gaffney, Associate Director — Cybersecurity Consulting, put it — saying you’re resilient and being resilient are two very different things.
“You’ll hear executives say, ‘Oh yeah, we’ve got a good handle on cyber.’ But they haven’t tested their plan. They’ve never walked through a live scenario. That’s not resilience — that’s hope,” says Stafford-Gaffney.
Resilience isn’t just about recovering after an incident. It’s about building the kind of operational strength that stops a small issue from becoming a business-wide disaster. It’s knowing how your systems respond under pressure, how your people act when the heat’s on and where the weak points really lie.
According to Datacom’s State of Cybersecurity Index 2025, there’s a growing gap between confidence and capability:
It’s a reality check. While many businesses have decent technical controls, they’re not preparing the people, processes and decision-making muscle needed to manage a real incident.
“Most organisations don’t know how their business would function if they had to switch to manual mode. That’s the test,” says Micklefield.
“And when you’re recovering from an attack, no one estimates how many people it takes to bring everything back online. Teams get tired. Fast.”
Building strength from the inside out means thinking beyond tools. It means aligning across people, governance and process, and building that alignment before you need it.
It starts with clear ownership. Resilience isn’t a tech issue; it’s a board-level priority. That means aligning risk decisions with business context and having a framework that guides what matters most.
“You have to align to the regulatory environment first — talk to leaders about what’s important. Build a framework that maps to that, and you’ll catch what you actually need to test,” says Stafford-Gaffney.
Your response plan is only as strong as the people using it. And if they’ve never walked through a live scenario, chances are they won’t perform under pressure.
“If your people haven’t rehearsed their roles, the tools won’t matter,” says Stafford-Gaffney.
“And they need breaks. The same people can’t be on the hook all the time. Burnout becomes a risk during recovery.”
You don’t know where the cracks are until you test for them. Micklefield stresses the need for ongoing simulation and live exercises that put plans (and people) through their paces.
“Resilience isn’t built on paper. You need to simulate, stress-test and fix the gaps before something happens.”
Although a security operations centre is ideal for some organisations, what is vital for all is a clear, tested and realistic process that matches your level of risk and your business context.
That starts by shifting your mindset. As Stafford-Gaffney puts it:
“It’s not about perfection. It’s about progress. Just start. If you’re waiting for the ideal framework, you’re not running at anything.”
So, what are three questions to ask today when considering your own cybersecurity resilience?
Resilience isn’t a checkbox. It’s a capability you build over time through training, repetition and clear-eyed assessment.
You won’t always know what threat is coming. But with the right structure, support and strategy, you’ll know how to respond.
Effective cybersecurity starts with more than just technology — it begins with a mindset. At Datacom, we combine innovative technology with expert guidance to help protect your systems, people and data. By addressing both the technical and cultural aspects of cybersecurity, we empower your organisation to reduce risks and build resilient, lasting defences against cyber threats.