Contact us

Creating Business Resilience

Business resilience is usually associated with careful planning but when lockdown hit, many businesses suddenly found that this involved rushing out to buy laptops for desktop-based staff who now needed to operate from home. The past six months have reset a new normal of a flexible, dispersed workforce. But during this time, cyber attackers reacted quickly to the opportunities that virtual working presented them. Phishing emails and ransomware attacks breached company defences.

Executive business leaders need to look at the strategic checkpoints to ensure their business is resilient and ready to face future technical operational challenges.

We organised a webinar for our IT Leadership network to address assessing their business’s resilience for known and unknown threats. Our IT Executive search expert, Sue Ormerod, invited Stewart Hogg, Head of Cyber Resilience at Waterstons, to share his expertise and experiences on establishing robust defences.

Here we address:

  • Resilience in a VUCA world
  • Innovation is the best form of defence
  • Next steps to improving your business resilience
  • Build a resilience management system

Resilience in a VUCA world

Business resilience is not just about business continuity – it should involve establishing the practices to thrive and create the right business for your future. This is more important than ever in today’s volatile, uncertain, complex and ambiguous world.

Ambiguous boundaries have merged between home and work life as much of the population works from home. This virtual working adds complexity as businesses are critically reliant upon technology and systems to operate.

But how can businesses assess their resilience and where to go next?  How can they thrive?

Truly resilient organisations need “to anticipate, prepare for, respond and adapt to incremental change and sudden disruption in order to survive and prosper.”  (BS 65000)

This means they need flexible responsiveness. When urgent responses are needed the operation needs to be able to pivot and change direction, rather than edge slowly away from any present threats. This requires planning into the short and medium term and beyond.

Organisations cannot rely on doing things the same way they used to.

Innovation is the best form of defence

Resilient companies are those that adapt and change.

  • Is it survival of the fittest? It is those able to adapt and change who ultimately survive.
  • Managing risk effectively can also bring opportunities to survive and thrive.

Waterstons uses a resilience benchmarking tool to help clients build better, more resilient businesses. Resilient companies address all four strategies.


Where there is a crisis, there are opportunities. Unfortunately, criminals can be more agile than their victims. There was a five-fold increase in cyber attacks as pandemic started.

As COVID-19 spread, the greatest threat in people’s minds was to their health. Not all threats are equal though. And millions of healthy workers were targeted by cyber attacks, with many organisations becoming infected, resulting in data breaches affecting their stakeholders.

Cyber criminals don’t have to be sophisticated computer experts. They can access off the shelf tools to set up dummy websites portraying to represent well known organisations. It takes just a few clicks with very little coding knowledge.

Protecting the business, data and assets is critical but much can be done by  getting the basics right. The UK government’s Cyber Essentials scheme is a simple but effective approach that mitigates 90% of cyber attacks.

It’s important for organisations to equip their people with the right knowledge and awareness because people are often the weakest link in chain.  The government’s ‘10 steps to cyber security is worth reviewing. It breaks down the task of defending your networks, systems and information into its essential components, providing advice on how to achieve the best possible security in each of these areas. Also, it will be important to have a cyber incident response plan that will help your business respond correctly and quickly to a threat in the form of a cyber attack because a cyber attack can cause losses not only to your business but also to your customers.

Resilience is not a one-time project. It should be part of everyday work.


What’s your ability to respond?

Are you monitoring evolving threat?

Adapting effectively requires strategies to be put in place to respond to emerging or actual changes that will impact your operations.  It’s partly cultural as well as structural and it requires flexibility in reacting to the environment.

The solutions here are not necessarily related to technology. They are strongly embedded in the ways that management prepare and implement strategies.


Optimising the workplace is about doing and thinking about things differently. So, it’s not simply about an organisation providing laptops for its workforce to work from home. Instead, it involves equipping them with knowledge to work better remotely.

Companies should optimise themselves by driving efficiency across people, process and technology. This holistic approach involves leadership, risk management, system security, learning and development, etc.  It can be related directly towards people’s tasks and responsibilities and/or related to building the wider business and people’s personal skills. Engaging business continuity planning consultants enables resilience by identifying potential disruptions and responses. These specialists conduct in-depth risk assessments and craft robust contingency protocols tailored to operations.

This requires staff to be equipped with the tools to help them collaborate securely and effectively wherever they may be working. Cloud technologies have accelerated over recent years to enable this more easily. But this does mean that data is being shared and stored widely – providing numerous points for potential attack.

An optimised organisation seeks to increase efficiency and reduce waste in order to increase its productivity and release resources for other value adding activities.

Can you optimise what you do? 


Brewdog presents a great example of innovation. They invested to enhance their products by developing and diversifying to gain a competitive advantage. Innovation is often the best form of defence. Companies who are good at this scan the horizon and consider the “next big thing” in their business world. 

Organisations should take the same approach to their IT infrastructure. Experts can be found within business and IT consultancies rather than relying on limited views of the horizon within existing IT teams who have numerous other responsibilities. For example, companies can hire a Security Manager as a service for a few days per month. This enables smaller businesses to afford robust security advice and measures.

Next steps to consider for improving your business resilience

Resilient organisations will address all four areas discussed here.

As yourself:

  • “How strong is my business in each segment?”
  • “Where do we need to improve?”

 These statements will help you consider each segment in turn:

  • My business can protect our critical services – we have defensive controls designed to safeguard our critical services from a cyber attack or disaster scenario.
  • My business can adapt to change – we have the agility within our people, processes and technology to respond to a disaster, emerging threat or opportunity.
  • My business can optimise – we seek to increase efficiency and reduce waste to increase our productivity and release resources for other value adding activities.
  • My business can innovate – we invest to enhance the products / services we provide by developing and diversifying to gain a competitive advantage.

 A crisis forces bottom left behaviour to defend a current position. However, under normal circumstances, it is better to start by stepping back and considering your business’s current and future direction.

Waterstons provides a business resilience assessment that you may find useful here.  It includes a short survey tool helps companies benchmark where they sit in the quadrant.

Build a resilience management system

It’s recommended to adopt this continuous approach to business resilience: Plan, Do, Check (pause and think) and Act.

Finally, keep in mind that business resilience is not an IT problem.  It’s a business leadership problem. All functions are responsible. Someone cannot be complacent because IT is not their department.  Ensure the topic is discussed at Board level and it’s also worth someone reviewing your cyber insurance’s strengths and limitations.

Our thanks go to Stewart Hogg, Head of Cyber Resilience at Waterstons for sharing his insights with us during our webinar.

Tel: 0345 094 0946

Salary Report

North of England Salaries Report 2023

This report provides an analysis of salaries commanded by professionals across the North of England.

By submitting your details you have read and understood our Privacy Notice