A blunt critique of organisations that claim to be resilient but have never stress-tested their systems, rehearsed recovery under pressure, or practised failure in any meaningful way. The article challenges boardroom bravado and highlights the psychological and operational consequences of untested confidence, arguing that true resilience is earned through discomfort, not declared in policy.
This article was inspired by the recent cyber attacks across UK retail, specifically Marks & Spencer’s and the Cooperative, plus the Harris Federation (of Schools), as reported on BBC Radio 4’s Today Programme (01/05/2025). This interview will be unavailable after a month, but you can still read excerpts at “Inside the Breach: What M&S and the Harris Federation Reveal About UK Cyber Vulnerabilities”.
Everyone wants to be resilient. It’s the word that gets thrown around boardrooms like a magic shield: “We’re investing in resilience,” “Our systems are resilient,” “This team has proven its resilience.”
But here’s the truth no one wants to admit:
You’re not resilient. Because you’ve never practised failing.
Resilience isn’t an adjective. It’s a verb. It’s what happens when you fall, then figure out how to get back up faster next time. If you’ve never tested what collapse looks like, your confidence is pure fantasy. And in cybersecurity, fantasy is expensive.
The Myth of Strength Without Stress
In military training, units drill for failure constantly. Why? Because no battle plan survives contact with the enemy. Soldiers rehearse with broken radios, downed leaders, and false intel. Not because it’s fun, but because resilience is built through friction.
In cyber? Most orgs don’t even run a real simulation. At best, they do tabletop exercises where no one’s screen actually goes dark, and every outcome is “noted for improvement.”
That’s not resilience. That’s theatre.
Cyber Resilience Without Chaos Is a Lie
Want to know how you’ll respond in a breach? Shut everything off on a random Thursday afternoon and don’t tell anyone it’s a drill.
Who panics? Who freezes? Who leads? Who blames?
You’ll learn more in those first 10 minutes than from three years of Gantt charts and SOC 2 paperwork. Because chaos reveals the truth: resilience is not how good your tools are. It’s how well your people operate when those tools break.
Confidence Without Collapse Is Delusion
There’s a reason elite athletes train under duress. A reason astronauts rehearse total system failure in simulators. A reason crisis negotiators practise dealing with death threats.
It’s because confidence built only in comfort is fake. Resilience is not “knowing what to do.” It’s “knowing how it feels” and still doing it anyway.
In psychology, this is known as “stress inoculation.” You don’t build mental resilience by avoiding fear. You build it by meeting it in controlled conditions, over and over again, until your nervous system adapts.
Most organisations? They avoid stress until it’s real. And then they fold.
The Culture of False Certainty
Boards love assurances. “We’ve tested our backups.” “Our firewall is state-of-the-art.” “We’re ISO compliant.” Good. But those aren’t tests of resilience. They’re hygiene.
Real resilience asks:
- What happens when leadership is unreachable?
- What if we can’t trust our monitoring tools?
- Who speaks for the company when comms are down?
If you don’t know, or worse, assume it’ll work, you’re not ready.
Practise the Fall. Rehearse the Recovery.
You don’t need to simulate a perfect crisis. You need to simulate mess. Chaos. Ambiguity. Misinformation. You need to practise getting it wrong, and still finding your way back.
If that sounds risky, ask yourself: what’s riskier, practising failure now, or performing it live for the first time in front of your customers, the media, and your regulator?
Conclusion: No One Is Resilient by Default
You’re not resilient because you want to be. You’re resilient because you’ve rehearsed being wrecked.
As Dave Walker put it to me the other day:
“You can have all the training in the world, but it doesn’t mean you’ll remember it, or react on it, when it matters.”
Resilience isn’t built in the classroom. It’s built in the chaos.
If your organisation has never failed in private, you’re going to fail in public. Loudly.
So start practising. Today. Break something. Build it back. Do it again. And again. And again.
Because if you never train for collapse, you’re just waiting for reality to train you instead.