Not Your Father’s Information Security Program: Digital Risk & Resilience by Design
This week I’m back in the United Kingdom—wall-to-wall engagements, packed rooms, and board-level urgency. Two themes are dominating every corridor conversation and every executive session:
- Digital risk & resilience management (cyber risk, IT risk, information security): this is not your father’s information security program, and the market has noticed; and
- UK Corporate Governance Code Provision 29—the looming attestation requirement that pulls risk and controls from the boiler room to the bridge.
They’re not separate stories. They’re the same plotline: governance must now prove risk, control, and resilience.
Next week I head to Denmark and Sweden with an overbooked schedule and an active waiting list. It’s so busy I’ve booked four business meetings on Sunday in Copenhagen because the workweek is full. Demand is surging because the operating reality has changed.
The UK Context: Incidents That Forced the Issue
Yesterday in London, over 90 professionals registered for my Digital Risk & Resilience Management by Design workshop. We opened with what the UK has actually experienced this year—real events that disrupted operations, damaged trust, and elevated the conversation to the board:
- Harrods disclosed a new incident after hackers compromised a third party, stealing 430,000 e-commerce customer records—a second major event this year (see the latest from GRC Report: Harrods Suffers New Data Breach Exposing 430,000 Customer Records). This wasn’t “just” a data problem; it was a digital supply-chain failure with reputational consequences.
- Marks & Spencer acknowledged a significant cyber incident in the spring, with official updates noting personal data exposure. Independent analyses estimate substantial disruption costs.
- Co-op faced an attack that affected operations and supply, with press reporting on material revenue impact.
- Jaguar Land Rover (JLR) suffered a major cyberattack that halted production and cascaded across suppliers, leading to government action to stabilize the supply chain and a phased restart. This is cyber risk turning into industrial and financial risk overnight.
- Airports across Europe (including the UK) experienced disruptions tied to a third-party check-in provider—collateral damage when an ecosystem vendor falters.
- Looking back to 2024, the Synnovis ransomware event reminded everyone that cyber incidents can spill into clinical operations—in this case, impacting NHS pathology services across London.
Add to that the UK’s Cyber Security Breaches Survey 2025 and public warnings from officials about rising hostile activity; the trendline is clear: frequency, materiality, and interdependence are all up.
Provision 29: When Governance Must Prove Resilience
The updated UK Corporate Governance Code 2024 applies from 1 January 2025, with Provision 29 (the board’s declaration over the effectiveness of material internal controls, including those over reporting) applying to financial years beginning on or after 1 January 2026. Translation: boards must step beyond narrative disclosure to assert control effectiveness—and evidence it.
Practical guidance circulating in the market rightly pushes companies to identify risks to objectives, define material controls, stand up testing and monitoring cycles, and remediate weaknesses well ahead of the first reporting year. If you wait until year-end, you won’t have the audit trail, telemetry, or confidence to sign. I am teaching a full-day workshop on this on November 6th, UK Corporate Governance Code by Design, LONDON.
Provision 29 makes cyber and digital resilience a governance obligation as it is part of broader risk and internal control management. It’s no longer sufficient for security leaders to say “we’re doing our best.” Boards must demonstrate that controls over risk, operations, and reporting are effective—continuously, not sporadically.
“Not Your Father’s Information Security Program”: What Keeps Leaders Up at Night
In yesterday’s workshop opening breakouts, attendees shared the nightmares that wake them at 2 a.m. Below I expand on each—because every one is valid, and together they define the new scope of digital resilience.
- Digital dependence. When every process is digitized, digital is business risk. Capture business-service twins (see below) that tie technology to outcomes so investment and trade-off decisions are made in business units, not technical silos.
- Ransomware (mentioned repeatedly). Assume data theft + encryption + extortion. Emphasize identity (MFA, phishing-resistant auth), immutable backups, segmentation, EDR containment, and exfil detection. Align with cyber insurance obligations before an event.
- Data breaches. Move beyond perimeter thinking to data-centric controls: classification, encryption, retention/rationalization, and continuous DLP tuned to business context. Reduce toxic data stores—what you don’t keep can’t be stolen.
- Third-party & digital supply chain. Most incidents now arrive through someone else’s API, SSO, or managed service. Build tiered criticality, continuous assurance (evidence feeds, attack-surface monitoring), and kill-switch playbooks (token revocation, traffic shaping, failover).
- Complexity of environment. Hybrid/multi-cloud, SaaS sprawl, legacy on-prem, OT/ICS—complexity is the attack surface. Rationalize platforms, impose architectural guardrails (identity first, least privilege, service isolation), and automate hardening at the pipeline.
- Pace of technology, business, risk, & regulatory change. Static frameworks fail in dynamic environments. Shift from annual cycles to continuous risk assessment, streaming indicators (threat intel, misconfig drift), and regulatory horizon scanning tied to policy updates and training.
- Real-time insight into digital risk & resilience. Dashboards must reflect material risk now, not last quarter. Integrate attack surface, identity risk, vuln posture, and control status into one place, with drill-downs that show evidence, not just colors.
- Social engineering. Human-centric attacks (phishing, pretexting, MFA fatigue) bypass hardened perimeters. Resilience demands behavioral control design, adaptive training, and active monitoring of anomalous requests—especially in finance, HR, and privileged IT channels.
- Behavior. Policies don’t move mice; people do. Incentives, consequences, nudges, and leadership example-setting are necessary to turn rules into reflexes. Measure cultural indicators (reporting rates, near-misses, phishing test performance) as rigorously as technical KPIs.
- AI risk. AI expands both attack surface (prompt injection, data leakage, model theft) and attacker capabilities (automation, deepfakes). Establish an AI risk register, model validation, and guardrails (content filters, retrieval hardening, data minimization), and treat AI vendors as high-risk third parties.
- Employee practices on social media. Oversharing enables social engineering, doxxing, and physical risk. Provide clear, practical guidance, red-team your own open-source footprint, and monitor for impersonation and brand misuse.
- Silos of oversight. Security, risk, audit, privacy, and compliance often operate on parallel tracks. Converge on a common risk ontology, unified control library, and shared telemetry to eliminate duplicative testing and blind spots.
- Lack of assurance. Assurance is not a PDF; it’s a signal backed by evidence. Operationalize continuous control monitoring (CCM), link tests to controls, and maintain an immutable evidence ledger for internal audit and Provision 29 support.
- Critical system availability. “Data protected” is not “business up.” Map business services to dependencies (apps, data, vendors, facilities), define impact tolerances, test recovery to realistic RTO/RPO, and engineer graceful degradation.
- Corporate culture. A culture of speed and shadow IT without guardrails breeds loss events. Bake controls into the developer and product experience (policy-as-code, paved roads) so doing the right thing is the fastest path.
- Interconnected nature of digital risk on other risks. Cyber incidents cascade to operational, financial, legal, and reputational risk. Quantify causal chains: “one auth outage ⇒ order backlog ⇒ revenue dip ⇒ covenant risk.” This is the language of the board.
- Cyber incidents. Treat incident response as business continuity with forensics. Pre-negotiate counsel, crisis comms, and law enforcement engagement. Rehearse board-level tabletop exercises to align decisions under pressure.
- Extended enterprise. Partners, affiliates, franchisees, integrators—risk propagates through contracts. Expand scope beyond “vendors” to all external relationships; standardize onboarding, evidence exchange, and offboarding data destruction.
- Constant data breaches. Frequency has normalized, but tolerance hasn’t. Move toward event-ready posture: pre-built comms templates, regulator playbooks, customer remediation workflows, and materiality decision criteria.
- Cyber insurance. Policies are tighter; exclusions matter. Map controls to underwriting requirements (MFA, backups, EDR, patching SLAs), maintain attestable evidence, and simulate loss scenarios to set economically rational limits.
- PCN attacks on refineries (OT/ICS). Process Control Networks in energy and petrochemicals raise safety, environmental, and macro-economic stakes. The UK energy sector remains a prime target; bring OT and IT risk under a single governance model, with strict network isolation, asset discovery, and incident drills that include safety.
- Access control. Identity is the perimeter. Enforce least privilege, JIT/JEA for admins, continuous access review, and session recording for high-risk functions. Kill standing privileges.
- Out-of-date systems. Technical debt is breach bait. Build a decommission cadence, isolate what you can’t patch, and make “end-of-life” a board metric with remediation funding.
- Lack of segmentation. Flat networks turn local issues into enterprise outages. Segment by trust zone, blast radius, and business service; verify with purple-team exercises.
- Regulations. Requirements are multiplying (DORA, NIS2, CER, UK Code, UK Operational Resilience). Normalize obligations to controls and tests; avoid duplicate evidence generation by centralizing control mapping across frameworks.
- Support streams such as power. Cyber resilience depends on physical resilience (power, cooling, connectivity). Model these dependencies explicitly and test alternative sites, UPS run-times, and failover contracts.
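Several of the items above (digital dependence, critical system availability, the interconnected nature of digital risk, and support streams such as power) come down to one data structure: a business-service twin that maps a service to everything it depends on. The following is an added example, not code from the original post or from any product it describes; the services, dependencies, recovery times and tolerances are constructed. It walks the twin in both directions: downward to find the worst-case recovery time of a service and compare it to its impact tolerance, and upward to find which services a single failing dependency (a vendor, a data store, a data-centre power feed) cascades into, producing the causal chain a board can read.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Node:
    """One element of the twin: a business service or something it depends on."""
    kind: str                       # "service", "app", "data", "identity", "vendor", "power"
    rto_hours: float = 0.0          # realistic recovery time if this dependency fails
    depends_on: List[str] = field(default_factory=list)


# Constructed sample twin for two services (names are illustrative, not a real estate).
TWIN: Dict[str, Node] = {
    "E-commerce checkout": Node("service", depends_on=["Web storefront", "Payment gateway (vendor)", "Customer SSO"]),
    "Claims adjudication": Node("service", depends_on=["Claims app", "Customer SSO"]),
    "Web storefront": Node("app", 4, ["Order DB", "DC-1 power"]),
    "Order DB": Node("data", 8, ["DC-1 power"]),
    "Claims app": Node("app", 6, ["Claims DB", "DC-1 power"]),
    "Claims DB": Node("data", 8, ["DC-1 power"]),
    "Customer SSO": Node("identity", 2, ["Identity provider (vendor)"]),
    "Identity provider (vendor)": Node("vendor", 24),
    "Payment gateway (vendor)": Node("vendor", 12),
    "DC-1 power": Node("power", 6),
}

# Constructed impact tolerances: the longest outage each service's owner will accept (hours).
IMPACT_TOLERANCE_HOURS: Dict[str, float] = {"E-commerce checkout": 4, "Claims adjudication": 24}


def _reverse_edges(twin: Dict[str, Node]) -> Dict[str, List[str]]:
    """Map each dependency to the nodes that depend on it (upward view of the twin)."""
    rev: Dict[str, List[str]] = {name: [] for name in twin}
    for name, node in twin.items():
        for dep in node.depends_on:
            rev.setdefault(dep, []).append(name)
    return rev


def impacted_services(twin: Dict[str, Node], failed: str) -> Set[str]:
    """All business services that transitively depend on the failed node (its blast radius)."""
    rev = _reverse_edges(twin)
    seen, queue, hit = {failed}, deque([failed]), set()
    while queue:
        current = queue.popleft()
        for upstream in rev.get(current, []):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
                if twin[upstream].kind == "service":
                    hit.add(upstream)
    return hit


def cascade_chain(twin: Dict[str, Node], failed: str, service: str) -> Optional[List[str]]:
    """Shortest dependency path from a failed node up to a service, e.g. power -> app -> service."""
    rev = _reverse_edges(twin)
    parent: Dict[str, Optional[str]] = {failed: None}
    queue = deque([failed])
    while queue:
        current = queue.popleft()
        for upstream in rev.get(current, []):
            if upstream in parent:
                continue
            parent[upstream] = current
            if upstream == service:
                path, node = [], service
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return path[::-1]
            queue.append(upstream)
    return None  # the service does not depend on the failed node


def worst_case_recovery_hours(twin: Dict[str, Node], service: str) -> float:
    """A service is back only when its slowest transitive dependency is back."""
    seen: Set[str] = set()
    stack, worst = [service], 0.0
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        worst = max(worst, float(twin[name].rto_hours))
        stack.extend(twin[name].depends_on)
    return worst


def tolerance_breaches(twin: Dict[str, Node], tolerances: Dict[str, float]) -> Dict[str, Tuple[float, float]]:
    """Services whose worst-case recovery exceeds the impact tolerance the business set."""
    breaches = {}
    for service, tolerance in tolerances.items():
        recovery = worst_case_recovery_hours(twin, service)
        if recovery > tolerance:
            breaches[service] = (recovery, tolerance)
    return breaches


if __name__ == "__main__":
    for failed in ("DC-1 power", "Identity provider (vendor)"):
        for svc in sorted(impacted_services(TWIN, failed)):
            print(" => ".join(cascade_chain(TWIN, failed, svc)))
    for svc, (recovery, tolerance) in tolerance_breaches(TWIN, IMPACT_TOLERANCE_HOURS).items():
        print(f"{svc}: worst-case recovery {recovery}h exceeds tolerance {tolerance}h")
```

Run as a script it prints the cascade chains for a power loss and an identity-provider outage, and then flags that checkout cannot meet a 4-hour tolerance while its identity vendor carries a 24-hour recovery time: exactly the kind of investment trade-off the twin is meant to surface in the business unit rather than the security team.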
Why Provision 29 and Digital Resilience Are the Same Conversation
Provision 29 isn’t a paperwork exercise; it’s a capability: governance that can see material risk, control it, and prove it. Yes, Provision 29 is much broader than digital risk and resilience, but digital risk and resilience is certainly a critical part of it. The declaration forces boards to ask:
- Which controls are material to our business services and reporting?
- Do we have evidence, not assertions?
- Can we detect control failure quickly and respond before outcomes degrade?
- Are third-party and AI-driven risks within the same scope of control and testing?
The new standard of care is continuous, assurable, and board-readable.
Digital Risk & Resilience in the Age of GRC 7.0 – GRC Orchestrate
This is where the next evolution—what I call GRC 7.0 – GRC Orchestrate—earns its keep. Think of it as a business-integrated command center underpinned by digital twins, agentic AI, and continuous assurance:
- Digital twins of business services. Map each critical service (e.g., “E-commerce checkout”, “Claims adjudication”) to its applications, data, identities, vendors, facilities, and support streams (power, network). Now you can analyze materiality, simulate impact, and target investment where it moves the needle.
- Unified risk ontology & control library. Collapse silos by adopting one language for risk, control, and obligation across security, resilience, privacy, and compliance. Provision 29 depends on a single source of control truth feeding testing, evidence, and reporting.
- Continuous control monitoring (CCM) & evidence ledger. Automate tests (config drift, MFA coverage, backup immutability, EDR health, segmentation rules), bind the results to the control, and store signed evidence with lineage. Assurance moves from “annual binders” to streaming signals.
- Agentic AI for detection, triage, and mapping. Use AI to reconcile findings to controls and obligations, summarize deviations for executives, draft remediation plans, and keep policies aligned to changing regs (DORA, NIS2, UK Code) without manual re-keying. Humans decide; AI does the grunt work.
- Third-party & AI vendor orchestration. Ingest SOC2/ISO attestations, penetration reports, SBOMs, and attack-surface telemetry. Maintain live risk tiers, enforce contractual controls, and keep “pull-to-revoke” playbooks (SSO tokens, API keys) ready.
- Identity-first architecture. Make identity and authorization the enforcement plane: phishing-resistant MFA, least privilege, continuous verification, high-risk session recording, and automated removal of stale access.
- OT/ICS governance alongside IT. Treat PCN assets with their own twin, zoning, and procedure sets. Drill scenarios that integrate cyber response with safety and environmental controls.
- Resilience analytics & impact tolerances. Tie recovery objectives to business outcomes (orders processed, beds filled, flights dispatched). Visualize tolerances and variance in real time; rehearse failovers using your twins, not guesswork.
- Board-ready reporting. Replace red/amber/green with narratives grounded in evidence: “3 of 3 material access controls for E-commerce are in tolerance; segmentation test #142 failed in Zone C; compensating control is active; remediation ETA 72 hours.” That’s a Provision 29-grade update.
- Assured compliance. Map control signals to obligations and make audit a bystander effect: when evidence is baked into operations, audits consume it—not create it.
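The continuous control monitoring and board-ready reporting items above describe a pipeline: automated tests, each bound to a material control, whose results land in a tamper-evident evidence ledger and roll up into an evidence-backed narrative. The following is an added example, not code from the original post or from any GRC platform; the control library, the telemetry snapshot (privileged accounts, backup vaults, firewall rules) and the ledger key are constructed placeholders, and a production ledger would hold its signing key in a KMS or HSM rather than in source. Each test returns a pass/fail plus the detail an auditor would want, the ledger hash-chains and HMAC-signs every record so that editing a past result is detectable, and the summary function produces the “N of M material controls for service X are in tolerance” narrative the post holds up as a Provision 29-grade update.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Tuple

# Constructed control library: each material control is bound to the business service it protects.
CONTROLS: Dict[str, Dict[str, str]] = {
    "AC-01": {"name": "Phishing-resistant MFA on all privileged accounts", "service": "E-commerce checkout"},
    "BK-02": {"name": "Order DB backups immutable for at least 14 days", "service": "E-commerce checkout"},
    "NS-03": {"name": "Zone C accepts no inbound traffic from the corporate LAN", "service": "E-commerce checkout"},
}

# Constructed telemetry snapshot, standing in for what CCM connectors would pull from the
# identity provider, the backup platform and the firewall manager on each cycle.
SNAPSHOT = {
    "privileged_accounts": [
        {"user": "admin-alice", "mfa": "fido2"},
        {"user": "admin-bob", "mfa": "fido2"},
        {"user": "svc-deploy", "mfa": "none"},
    ],
    "backup_vaults": [{"name": "orders-vault", "object_lock": True, "retention_days": 30}],
    "firewall_rules": [
        {"id": "fw-7", "src": "corp-lan", "dst": "zone-c", "action": "deny"},
        {"id": "fw-142", "src": "corp-lan", "dst": "zone-c", "action": "allow"},
    ],
}


def check_mfa(snap: dict) -> Tuple[bool, str]:
    """AC-01: every privileged account uses a phishing-resistant factor."""
    weak = [a["user"] for a in snap["privileged_accounts"] if a["mfa"] not in ("fido2", "webauthn")]
    if weak:
        return False, "no phishing-resistant MFA: " + ", ".join(weak)
    return True, "all privileged accounts use phishing-resistant MFA"


def check_backups(snap: dict) -> Tuple[bool, str]:
    """BK-02: every vault is object-locked with at least 14 days of retention."""
    bad = [v["name"] for v in snap["backup_vaults"] if not v["object_lock"] or v["retention_days"] < 14]
    if bad:
        return False, "mutable or short-retention vaults: " + ", ".join(bad)
    return True, "all vaults immutable with at least 14 days retention"


def check_segmentation(snap: dict) -> Tuple[bool, str]:
    """NS-03: no rule allows corporate LAN traffic into Zone C."""
    allows = [r["id"] for r in snap["firewall_rules"]
              if r["src"] == "corp-lan" and r["dst"] == "zone-c" and r["action"] == "allow"]
    if allows:
        return False, "allow rules corp-lan -> zone-c: " + ", ".join(allows)
    return True, "no corp-lan -> zone-c allow rules"


TESTS: Dict[str, Callable[[dict], Tuple[bool, str]]] = {
    "AC-01": check_mfa, "BK-02": check_backups, "NS-03": check_segmentation,
}

LEDGER_KEY = b"constructed-demo-key"  # placeholder only; keep a real signing key in a KMS/HSM
_BODY_FIELDS = ("cycle", "control", "passed", "detail", "prev")


class EvidenceLedger:
    """Append-only, hash-chained, HMAC-signed record of control test results."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, control_id: str, passed: bool, detail: str, cycle: str) -> dict:
        prev = self.records[-1]["digest"] if self.records else "0" * 64
        body = {"cycle": cycle, "control": control_id, "passed": passed, "detail": detail, "prev": prev}
        digest = self._digest(body)
        sig = hmac.new(LEDGER_KEY, digest.encode(), hashlib.sha256).hexdigest()
        record = {**body, "digest": digest, "sig": sig}
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute every digest, chain link and signature; any edit or reordering fails."""
        prev = "0" * 64
        for r in self.records:
            digest = self._digest({k: r[k] for k in _BODY_FIELDS})
            expected_sig = hmac.new(LEDGER_KEY, digest.encode(), hashlib.sha256).hexdigest()
            if r["prev"] != prev or r["digest"] != digest or not hmac.compare_digest(r["sig"], expected_sig):
                return False
            prev = digest
        return True


def run_cycle(ledger: EvidenceLedger, snapshot: dict, cycle: str) -> Dict[str, bool]:
    """Run every bound test against the snapshot and write the results to the ledger."""
    results = {}
    for control_id, test in TESTS.items():
        passed, detail = test(snapshot)
        ledger.append(control_id, passed, detail, cycle)
        results[control_id] = passed
    return results


def board_summary(ledger: EvidenceLedger, service: str, cycle: str) -> str:
    """Evidence-backed narrative for one service and one monitoring cycle."""
    recs = [r for r in ledger.records if r["cycle"] == cycle and CONTROLS[r["control"]]["service"] == service]
    in_tolerance = sum(1 for r in recs if r["passed"])
    parts = [f"{in_tolerance} of {len(recs)} material controls for {service} are in tolerance"]
    for r in recs:
        if not r["passed"]:
            parts.append(f"{r['control']} ({CONTROLS[r['control']]['name']}) failed: {r['detail']}; "
                         f"evidence {r['digest'][:12]}")
    return "; ".join(parts) + "."


if __name__ == "__main__":
    ledger = EvidenceLedger()
    run_cycle(ledger, SNAPSHOT, "2025-W40")
    print(board_summary(ledger, "E-commerce checkout", "2025-W40"))
    print("ledger intact:", ledger.verify())
```

The point of the chain and the signature is that the evidence an auditor consumes is the same evidence operations produced, and that a result cannot be quietly corrected after the fact: flip a stored pass/fail and `verify()` goes false. Binding each test to a control identifier is what lets one telemetry feed serve security, internal audit and the Provision 29 declaration without re-keying.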
This is not a tool swap. It’s an operating model that treats digital risk as a system-of-systems problem, orchestrated across people, process, technology, and partners—with verifiable assurance as the output.
Closing the Loop
The UK incidents of 2025—Harrods, M&S, Co-op, JLR, airport disruptions—show how quickly “IT issues” become business crises and governance tests. The only durable answer is a modern resilience architecture with continuous assurance that a board can attest to with confidence.
Now, I’m off to a string of meetings today and tomorrow in London—then wheels up for Denmark and Sweden. If you’re in Copenhagen this Sunday, you already know my schedule is spilling into the weekend. The message from every boardroom is the same: orchestrate resilience, or risk orchestrating your own headlines.
