Resilience Isn’t Recovery
CYBERUK 2026 is putting operational command — not just recovery capability — at the centre of the UK’s cyber resilience agenda. Most organisations aren’t ready for the distinction.
There is a specific moment in a severe cyber threat scenario that most incident response plans do not account for. Not the moment the breach is discovered, or the moment remediation begins. The moment — usually somewhere in the first hour — when the team realises that the tools they planned to use to coordinate are no longer trustworthy.
Email may be compromised. The identity provider may be down. Teams or Slack may be running through infrastructure the attacker already controls. The question is not whether your detection was good enough. It is: how does your team talk to each other right now, and who has the authority to make the calls that need to be made in the next 15 minutes?
Most organisations do not have a clean answer to that question. They have a plan that assumes some version of normal communications will still be available — and they discover the gap only when they are already inside the crisis.
The UK recorded 204 “nationally significant” cyberattacks in the year to August 2025 — a 129% increase on the year prior — making it the most targeted country in Europe. What that number does not capture is how many were made significantly worse not by the breach itself, but by the coordination failure that followed it. CYBERUK 2026’s Resilience Track is a reckoning with that reality — framing resilience as a leadership discipline, not a technical one.
Why Plans Fail When You Need Them Most
The NCSC’s “continue and recover” doctrine sets the right benchmark. The ability to maintain essential operations while responding to a breach — not just restoring systems after the fact — is what separates organisations that control a crisis from those consumed by one. Yet most incident response plans assume the breach will be contained to a specific system or environment, and that the infrastructure used to manage the response will remain trusted.
Sophisticated attacks routinely invalidate that assumption. When an identity provider is compromised, every dependent system becomes potentially untrusted — and the collaboration tools running on that network shift from asset to liability. The team that planned to coordinate via their standard channels is suddenly forced to work out, in real time, how to communicate without them. That problem cannot be solved on the fly.
The fallback is typically improvised: a WhatsApp group stood up in the moment, decisions made on personal mobiles with no record of who authorised what, escalation paths determined by who is reachable rather than who holds authority. In post-incident reviews, this is the failure pattern that surfaces most consistently — not the breach itself, but the first fifteen minutes of confusion over who is running the response, which channel to use, and whether anyone on the call has the authority to make decisions. By the time that clarity emerges, the attacker has had another quarter of an hour unchallenged.
“In those first 60 minutes, leadership is still debating which messaging group to use, or which document to go to for the incident plan. The structure has to exist before the incident — not during it.”
— James Mullins, VP EMEA & APAC Sales, Mattermost
When things break down, it is rarely technical. It is governance. Who has the authority to act? What is the escalation path? What gets logged and what is lost? These are not questions you can answer for the first time during a breach. The organisations that navigate serious incidents effectively have one thing in common: they have already run this scenario before they needed to.
Testing your readiness before an incident is always better than discovering the gap during one. Mattermost and OSP Cyber Academy are running a live exercise at CYBERUK — Thursday 23 April, 11 AM, 50 minutes, limited seats.
What the Resilience Bill Is Actually Asking
The UK Cyber Security and Resilience Bill, currently progressing through Parliament and expected to receive Royal Assent in 2026, makes this a regulatory question as well as an operational one. Organisations in scope — CNI operators, government departments, managed service providers, and significant parts of their supply chains — will need to demonstrate not just that they recovered from a serious incident, but that they maintained coordination and command throughout it.
That is a materially different bar. It requires audit trails, decision lineage, and evidence of control — a structured record of who knew what, when, and what they did about it. Proof that the response was managed, not improvised.
None of that record exists if incident command ran through consumer tools, personal devices, or channels that are themselves part of the compromised environment. A useful test: if regulators asked you tomorrow to produce a decision log from your last simulated incident — showing who authorised which actions, at what time, and on what basis — could you? If not, that is the gap the Bill is moving to close.
This is the shift the Resilience Track at CYBERUK 2026 is signalling: from resilience as recovery capability to resilience as command discipline under pressure. It is a boardroom question, not just a security team concern. The Bill places accountability at the executive level — which means a CISO who cannot demonstrate a structured, auditable command process is carrying risk that now sits on the board’s agenda.
A Live Test at CYBERUK — Come and Find Out
Talking about coordination failure in a conference session is one thing. Experiencing it — even in a controlled exercise, with the stakes deliberately compressed into fifty minutes — is another. That is why we are running a live tabletop with Richard Preece, Chief Training Officer at OSP Cyber Academy, rather than another panel discussion.
The scenario puts participants inside an active incident. The identity provider has been compromised. Normal tools are untrusted. The team must maintain command, escalate decisions, and coordinate a response — with incomplete information and no safety net. Participants operate as a crisis management team, making real-time decisions that expose exactly where their plan would break.
The exercise is not designed to be comfortable. The gaps it surfaces — unclear escalation authority, fallback tools that haven’t been tested under load, coordination that depends on individuals rather than a repeatable structure — are the same ones that appear in post-incident reviews from real breaches. Most organisations do not discover these weaknesses exist until they are already inside a live crisis.
The organisations that come through serious incidents with command intact are not those with the most sophisticated tools. They are the ones that ran this test before they needed it — and fixed what broke.
The workshop runs Thursday 23 April, 11:00–11:50 AM, Carron 1 & 2, SEC Glasgow. Seats are first come, first served at the venue. If you are attending CYBERUK and operational command is on your agenda, this is the session to prioritise — and the meeting to book before you board the train to Glasgow.