Over the years, Indy Dhami has spent a lot of time helping some of the largest organisations in the world navigate cyber incidents, operational disruption, and regulatory scrutiny. Many of these were moments where pressure exposed the stark reality hidden behind the aspirations contained in PowerPoint slides and strategy documents. In this article, Indy notes that there is one thing that becomes obvious very quickly during a crisis: resilience is rarely just a technology problem.
Security teams can have the latest tooling, impressive dashboards, “AI-enabled” detection capabilities, beautifully documented playbooks and still struggle badly when disruption hits. Why?
Because resilience is fundamentally about how organisations operate under pressure.
One of the best frameworks I’ve seen for understanding this didn’t come from cyber security or operational resilience. It came from developmental psychology.
The “7 Cs of Resilience”, developed by Dr. Kenneth Ginsburg, was created in 2014 to help young people develop resilience and adaptability. Ginsburg suggests building blocks that help develop coping strategies. They emphasise competence, confidence, connection, character, contribution, coping, and control as the foundations for navigating adversity with stability and growth.
When you look at it through the lens of cyber and operational resilience, the parallels are striking. In fact, I’d argue many organisations have an imbalance towards technical resilience over broader organisational resilience. That distinction matters far more than many executives realise. I’ve used Ginsburg’s model to provide a different perspective:
1. Competence – capability beats documentation every time
A lot of organisations confuse compliance with resilience. Passing audits, producing policies and climbing maturity ratings can create a complacent sense of security. But competence is proven operationally, not administratively. When a ransomware event unfolds on Christmas Day, nobody cares how polished the policy library looks.
What matters is:
- Can teams make decisions quickly?
- Can operations continue safely?
- Can recovery happen in a controlled manner?
- Does leadership understand the trade-offs?
- Can the organisation function under uncertainty?
The strongest resilience programmes I’ve led, or supported the creation of, all invested heavily in operational muscle memory, including:
- Simulations
- Tabletops
- Crisis rehearsals
- Technical recovery exercises
- Executive decision training
The organisations that perform best in crises are rarely those improvising, or taking unrehearsed actions for the first time, while the incident is unfolding.
2. Confidence – calmness is a competitive advantage
One of the biggest differentiators during major incidents is confidence.
Not arrogance. Not overconfidence. Operational confidence.
The kind that comes from preparation, experience, clarity and conviction. In high-pressure situations, uncertainty spreads rapidly and answers to the following questions must be a priority:
- What systems are affected?
- Are the attackers still active?
- Do we shut operations down?
- What do we tell customers?
- Are regulators about to get involved?
Without confidence, organisations become hesitant and fragmented. Leadership starts searching for certainty that simply doesn’t exist yet. Decisions slow down. Teams second-guess themselves. The best leaders understand that confidence doesn’t come from having all the answers. It comes from having a framework for making good decisions with imperfect information; that is a very different skill.
3. Connection – resilience is intrinsically collaborative
Modern organisations are massively interconnected. Cloud providers, third parties, suppliers, outsourced operations, regulators, crisis advisors, insurers, communications teams; all are connected and part of the resilience ecosystem. Yet many organisations still operate in silos. Security speaks one language, operations another, legal another, the board another. That fragmentation becomes painfully visible during incidents.
The strongest organisations I’ve worked with tend to share three common characteristics:
1. Strong relationships already existed before the crisis.
2. Trust had already been built.
3. People knew their roles and how to work together.
These matter enormously when pressure escalates, because, during a major cyber event, organisational friction becomes one of the biggest risks to recovery.
4. Character – crisis reveals culture
Incidents expose organisational culture very quickly. You learn a lot about leadership teams when things go wrong. Having observed multiple leadership teams, I look to answer the following questions:
- Do they communicate transparently?
- Do they support teams or look for blame?
- Do they make difficult decisions early?
- Do they prioritise reputation management over operational reality?
- Do they tell customers the truth?
Increasingly, regulators, customers and investors are judging organisations less on whether incidents occur and more on how organisations behave when they do. That shift is important.
Cyber resilience is no longer purely a technical conversation. It is a trust and leadership conversation, and that trust is built through character under pressure.
5. Contribution – resilience isn’t a siloed capability
One of the most outdated ideas in cyber security is that resilience belongs solely to a single team. It doesn’t. Finance teams help prevent fraud escalation. HR manages workforce continuity and insider risks. Communications teams protect stakeholder trust. Legal teams navigate disclosure obligations. Operations teams keep critical services running. Executives make strategic risk decisions.
In resilient organisations, everybody understands they have a role to play. That cultural alignment becomes increasingly important as:
- AI accelerates change
- Organisations become more decentralised
- Shadow IT expands
- Supply chain dependency grows
- Business-led technology adoption increases
Resilience scales when ownership becomes distributed across the enterprise rather than concentrated within one function.
6. Coping – those who can withstand pressure will endure
Many businesses can handle short-term disruption. Far fewer can sustain effectiveness when high levels of operational stress continue for weeks or months.
That is the reality of modern cyber incidents. Recovery is rarely linear. Regulatory scrutiny continues long after restoration. Media attention comes in fits and starts. Customers lose patience. Teams become exhausted. Fatigue sets in.
This is where coping capability, or operational endurance, becomes critical. The best organisations deliberately design for this by:
- Rotating crisis teams
- Managing burnout
- Preserving decision quality
- Maintaining executive cadence
- Supporting workforce wellbeing
- Avoiding “hero culture”
That last point matters more than many realise. Hero culture is common, even encouraged, in cyber security, but it creates fragility because it depends on individuals rather than systems. Mature resilience is repeatable, sustainable and operationally disciplined.
7. Control – visibility supports resilience
One of the biggest operational risks facing organisations today is complexity. Most enterprises now operate with a mixture of:
- Hybrid environments
- Multi-cloud ecosystems
- Legacy platforms
- SaaS dependencies
- Third-party integrations
- AI-enabled tooling
- Global supply chains
The challenge is that complexity often grows faster than visibility, and when visibility declines, control weakens. That’s when organisations discover:
- They don’t fully understand their dependencies
- Recovery priorities are unclear
- Asset inventories are incomplete
- Decision-making becomes reactive
- Critical business services lack resilience mapping or a consistent understanding
You cannot protect what you do not fully understand. Operational resilience ultimately depends on understanding what truly matters and how disruption propagates across the organisation.
One of the reasons I like the 7 Cs framework is because it helps cut through the noise. Cyber and operational resilience are often discussed in highly technical or regulatory terms. But at their core, they are organisational capability and cultural challenges.
Technology absolutely matters but technology alone does not create resilience.
People do. Leadership does. Culture does. Preparation does.
The organisations that will outperform over the next decade will not necessarily be the ones with the biggest security budgets or the most advanced tooling. They will be the organisations that can:
- Absorb disruption
- Adapt under pressure
- Make decisions quickly
- Maintain trust
- Recover effectively
- Continue operating despite uncertainty
Resilience is not about preventing every crisis. That is impossible. It is about ensuring the organisation can withstand pressure without losing control of itself in the process.
Written for CIISec by: Indy Dhami, Executive Advisor, CIISec Fellow