As 2026 opens, many organisations will review their progress on culture, risk and resilience. Cyber security often appears in these discussions as a defined topic, important, well-documented and supported by policy. Yet experience continues to show, backed up by a long list of failures in 2025 by flagship organisations who should know better, that cyber security outcomes are shaped less by what is written and more by how decisions are made day to day.
Corporate culture is not a set of statements; it is the pattern of behaviour that emerges under pressure. In this context, cyber security is most effective when it operates not as a standalone chapter but as the shared language through which trade-offs are discussed, priorities set and actions taken, consistently and with diligence. I have previously referred to it as the New Operating Model.
When cyber security is embedded in organisations at a DNA level, as a language, it influences how teams design systems, how leaders evaluate risk, how delivery timelines are balanced and how exceptions are justified. It becomes part of the decision-making grammar rather than an after-the-fact review. This does not slow organisations down; it reduces friction by aligning expectations early and making risk visible before it becomes costly.
Many incidents attributed to technical failure are, in reality, cultural mismatches, where speed, growth or convenience unintentionally override resilience. Policies may exist, but if cyber security is not the language used in planning, budgeting and execution, those policies struggle to shape outcomes or deliver the value they aspire to.
As boards look ahead to 2026, the key question is not whether cyber security is documented but whether it is consistently understood and applied proactively. Is it present in investment decisions? In delivery governance? In how success is measured? If not, go back to the start and don’t pass GO till you can tick these boxes. Anything else is the modern-day digital equivalent of Russian roulette.
Cyber security-aware cultures are not defined by more controls, but by clearer thinking. When cyber security becomes the language of the organisation at a DNA level, resilience follows naturally; if it does not, any organisation can be regarded as still being in BETA!
Posted on January 2, 2026