Cyber leaders warn of resilience gap as boards eye 2026
CISOs and security leaders face a persistent gap between cyber security plans and real-world resilience as businesses move into 2026, according to senior figures at identity security company Semperis.
The executives said that while boardroom understanding of cyber risk is advancing, spending levels may not keep pace with the complexity of hybrid IT environments or the scale of business disruption that attacks now cause.
From crisis to resilience

Simon Hodgkinson, strategic adviser at Semperis and former bp CISO, said organisations now face incidents that affect entire operations.

“Given the impact cyberattacks have on businesses, organisations need proper crisis and risk management. We're no longer dealing with 'cyber crises', we're dealing with full-blown business crises. Businesses and their entire supply chains coming to a halt due to a cyberattack simply cannot be the norm,” said Hodgkinson.
Security teams have focused on prevention for many years, he said, and the emphasis should now move towards resilience and recovery. Hodgkinson said organisations should adopt an “assume breach” mindset and plan for disruption, which means expecting the unexpected. He highlighted the need for tested recovery processes, incident response coordinated across business functions, and the ability to restore key infrastructure quickly so that critical services keep running.

Hodgkinson pointed to a gap between perceived readiness and actual performance during crises, and said slow responses often arise from communication failures during incidents.
He cited Semperis research on ransomware risk: 96% of companies worldwide report having a cyber crisis response plan, yet 71% of respondents suffered at least one high-impact cyber event in the last year that stopped critical business functions.
Spending pressure

Dan Lattimer, Area VP EMEA West at Semperis, said board members now take a more informed view of cyber risk and its consequences, and that this greater understanding also shapes spending decisions.
“Board members have a much better and more nuanced understanding of cybersecurity and the potential impact of incidents. But because they understand the risk, they are also more willing to accept that you cannot reduce the risk level to zero and as a result, cybersecurity spend will likely only increase marginally,” said Lattimer.
Lattimer said data-driven risk frameworks are gaining ground as companies seek clearer views of exposure. He highlighted the FAIR (Factor Analysis of Information Risk) model, which quantifies risk in financial terms. Quantitative analysis is complex and resource intensive, he said, but it gives organisations a more precise picture of their risk landscape, the likely fallout from attacks and the associated costs, and supports decisions on which controls to implement. He added that artificial intelligence now supports these calculations, which may reduce the need for large teams of specialist risk engineers.
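A FAIR-style calculation of the kind Lattimer describes, as an added example rather than anything from Semperis or the FAIR standard's own tooling. All scenario figures, names and functions below are constructed for illustration. It samples the FAIR inputs from calibrated ranges, simulates many years to get an annualised loss expectancy and tail figures, and then nets the loss reduction bought by a control against the control's yearly cost, which is the comparison that supports a decision on which controls to implement.

```python
"""
FAIR-style Monte Carlo risk quantification (added illustration, not Semperis
code; every scenario figure below is constructed for the example).

FAIR (Factor Analysis of Information Risk) decomposes risk as
    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Annual loss = sum of Loss Magnitude (LM) over the year's loss events
Each input is a calibrated estimate (min, most likely, max). We sample each with
a triangular distribution, simulate many years, and report the annualised loss
expectancy (ALE) and tail figures that can be set against a control's cost.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range: minimum, most likely and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate   # threat events per year
    vuln: Estimate  # probability that a threat event becomes a loss event (0..1)
    lm: Estimate    # loss per loss event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 20000, seed: int = 1) -> list:
    """One simulated annual loss per year; fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        events = poisson(rng, lef)
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return losses


def ale(losses: list) -> float:
    """Annualised loss expectancy: mean simulated annual loss."""
    return sum(losses) / len(losses)


def percentile(losses: list, p: float) -> float:
    """p-th percentile of annual loss, e.g. p=0.95 for a 1-in-20-year loss."""
    ordered = sorted(losses)
    return ordered[int(p * (len(ordered) - 1))]


def prob_exceeding(losses: list, threshold: float) -> float:
    """Share of simulated years whose loss exceeds the threshold (a point on the loss exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def net_benefit(baseline: Scenario, controlled: Scenario, annual_control_cost: float) -> float:
    """ALE reduction bought by a control, minus what the control costs per year."""
    return ale(simulate(baseline)) - ale(simulate(controlled)) - annual_control_cost


# Constructed scenario: ransomware following an identity (AD) compromise, before and
# after hardening the directory and testing recovery. Figures are illustrative only.
BASELINE = Scenario("identity compromise -> ransomware (current)",
                    tef=Estimate(2, 4, 9), vuln=Estimate(0.2, 0.3, 0.7),
                    lm=Estimate(50_000, 200_000, 800_000))
HARDENED = Scenario("identity compromise -> ransomware (hardened, tested recovery)",
                    tef=Estimate(2, 4, 9), vuln=Estimate(0.05, 0.1, 0.2),
                    lm=Estimate(30_000, 100_000, 300_000))

if __name__ == "__main__":
    for s in (BASELINE, HARDENED):
        L = simulate(s)
        print(f"{s.name}: ALE={ale(L):,.0f}  p95={percentile(L, 0.95):,.0f}  "
              f"P(loss>1M)={prob_exceeding(L, 1_000_000):.1%}")
    print(f"net benefit of the control at 150k/yr: {net_benefit(BASELINE, HARDENED, 150_000):,.0f}")
```

With independent inputs the expected ALE is simply mean(TEF) x mean(Vuln) x mean(LM), which for the baseline figures is 5 x 0.4 x 350,000 = 700,000 a year; the simulation adds the tail view (p95, probability of exceeding a threshold) that a single expected value hides, and that is where most of the "resource intensive" work in a real FAIR exercise goes: calibrating those ranges, not running the arithmetic.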
Lattimer suggested the market may converge on one standardised risk framework in future, and that resilience requirements may become more formal.
“Alongside this, resilience may become more regulated, with stricter requirements that would push organisations towards more evidence-backed recovery plans, tested processes and measurable response capabilities. Regulators and stakeholders will expect proof that systems, data and operations can bounce back quickly and reliably,” said Lattimer.
Minimum Viable Company

Guido Grillenmeier, Principal Technologist, EMEA at Semperis, said more organisations are now exploring the idea of a “Minimum Viable Company”, which he described as a practical way to define what must continue during a cyber crisis.
“The concept of Minimum Viable Companies (MVC) is gaining momentum. MVC is the smallest version of a company that can still function to deliver its most essential services, especially after a cyberattack or major incident. It forces you to identify what's essential for business continuity. An MVC will include failover strategies, data recovery and minimum viable operations, all of which are key pillars of resilience, allowing a company to continue or quickly regain their core operations. It also gives them more time to recover their remaining assets to return to full productivity,” said Grillenmeier.
He said the planning work around MVCs also influences internal culture.
“Efforts spent on planning an MVC will also help any company culturally, as it encourages a resilience mindset across their different teams. Together, they will focus on what must survive, not just what must be protected,” said Grillenmeier.
Hybrid risk

Matthieu Trivier, Area Vice President of Pre-Sales, EMEA at Semperis, said the expansion of hybrid IT has created new attack surfaces and uncertainties, and that recent years have exposed the limits of cloud economics and shared responsibility models.
“Cloud costs have skyrocketed, promises of flexibility collided with contractual rigidity, and above all, organisations discovered, often too late, that cloud providers are responsible only for their infrastructure, not for the data that flows through it,” said Trivier.
He said these pressures have triggered a subtle swing back towards on-premises systems, with renewed investment in on-premises identity infrastructure.
“The result: a discreet yet unmistakable move back on-prem. Even Microsoft, after years of near-silence on Active Directory, is reintroducing major updates in Windows Server 2025. The message is clear: on-prem will not disappear. It will coexist with the cloud, in a forced marriage whose terms no one fully controls,” said Trivier.
Trivier said attackers increasingly focus on the gaps between cloud and on-premises environments, describing these hybrid links as grey zones that lack clear monitoring and ownership.
“This hybrid architecture is attackers' favourite playground. Why? Because it creates grey zones: poorly monitored bridges between the old world and the new. In 2024, for the first time, cyberattacks targeted the cloud more than traditional infrastructures. That shift says everything: attackers are no longer looking for the back door, they are exploiting architectural confusion. And within that confusion, identity is the common thread running through every breach,” said Trivier.
Semperis executives said boards, regulators and security teams will increase their focus on recovery, continuity and identity-centric defences as organisations prepare their cyber security strategies for 2026.