
For years, cyber governance has been built around a relatively simple assumption: if an organization can demonstrate alignment to recognized frameworks, standards and regulatory requirements, it can demonstrate effective oversight. Frameworks such as NIST CSF 2.0 and ISO 27001, and regulations including NIS2, DORA and Australia's SOCI Act, provide structure. Audits provide validation. Compliance reporting provides visibility. Together, they create confidence that cyber risks are being managed appropriately.
The problem is that compliance confidence is not the same as cyber resilience. An organization can achieve full framework alignment and still be wholly unprepared for real-world disruption, because checking boxes confirms that controls exist, not that they will hold.
Recent attacks affecting organizations such as Marks & Spencer, the Co-op and NHS supply chain providers have highlighted a reality that boards and regulators are increasingly confronting. Organizations can be compliant, well governed and highly mature on paper, while still experiencing significant operational disruption when cyber incidents occur.
The distinction matters because the consequences of cyber failure are not confined to technology teams. They affect operational continuity, financial performance, customer trust and, increasingly, executive accountability. When critical services go down, the cost is measured in lost revenue, regulatory exposure and recovery spend, not in control counts.
As cyber attacks become more disruptive and costly, governance expectations are evolving. The question facing leadership teams is no longer simply whether they are compliant. It is whether they can demonstrate resilience.
Most organizations have invested heavily in governance, compliance and assurance activities over the last decade. Frameworks, standards and regulations provide a common language for managing cyber risk and establishing accountability. They remain essential components of any mature cyber security program.
The challenge is not that these frameworks are failing. The challenge is that organizations increasingly expect them to answer questions they were never designed to answer.
Demonstrating alignment to a recognized framework provides confidence that controls have been implemented. It demonstrates adherence to a set of requirements at a given point in time. What it does not necessarily demonstrate is whether those controls remain continuously effective against evolving threats, whether critical services can withstand disruption, or whether the organization is operating within acceptable resilience thresholds.
Yet governance confidence is often derived from exactly these signals. Controls mapped. Audit passed. Compliance achieved. The assumption is that resilience follows. The Marks & Spencer, Co-op and NHS supply chain incidents make the problem concrete. Each organization operated within mature governance frameworks. None of that maturity prevented significant operational disruption. Compliance confirmed that controls existed. It could not confirm that those controls would hold under real-world pressure.
Much of the discussion surrounding the proposed UK Cyber Security and Resilience Bill has focused on obligations, reporting requirements and regulatory scope. The more important signal is what the legislation reveals about the direction of governance itself.
The Bill reflects growing recognition that cyber incidents are no longer isolated technology events. They are operational events capable of disrupting essential services, supply chains and economic activity. The government's focus on resilience, operational continuity and accountability reflects the reality that organizations are increasingly being judged on outcomes rather than activities.
This shift is occurring against a backdrop of rising cyber disruption across the UK. High-profile attacks have demonstrated how quickly operational impacts can extend beyond technology environments and into customer services, business operations and public confidence. Government data also points to a growing number of nationally significant incidents and increasing economic impact from cyber attacks.
In this environment, governance is evolving. The focus is shifting from demonstrating that controls exist to demonstrating that organizations can continue operating when those controls are challenged.
This is where many organizations encounter a governance blind spot.
Compliance confidence comes from evidence that controls have been implemented, obligations have been met, and assurance activities have been completed. Compliance may demonstrate preparedness for an audit. Resilience demonstrates preparedness for disruption.
Avertro defines cyber resilience as knowing, with evidence, how prepared your organization is to maintain critical operations during a cyber incident, and how quickly you can recover when one occurs.
Resilience confidence is different. It requires answering questions that no compliance framework was built to answer:
These are fundamentally different questions.
One measures alignment. The other measures outcomes.
As executive accountability increases, governance models built primarily around compliance evidence will struggle to provide the visibility leaders need to answer resilience-focused questions with confidence. This shift is already beginning to influence the questions boards and executive teams are asking.
Boards are increasingly being asked to oversee cyber risk in the context of resilience, operational continuity and business performance. As a result, governance discussions at the board level are beginning to change.
Instead of asking:
Leadership teams are increasingly asking:
These are not compliance questions. They are resilience questions. And they require a different level of visibility, assurance and context to answer effectively.
Frameworks, standards and regulations remain essential. They provide the structure that organizations need to manage cyber risk consistently and responsibly. But they were never intended to be the sole measure of resilience. Treating them as such is the governance blind spot the UK Cyber Security and Resilience Bill is designed to expose.
The UK's proposed Cyber Security and Resilience Bill is not asking organizations to prove that they are compliant. It is asking them to prove that they are resilient.
That distinction represents a significant shift in how cyber governance is evaluated.
Organizations that continue to treat compliance as the primary indicator of resilience may find themselves with confidence, but limited visibility into how they would perform when disruption occurs. Those that develop a deeper, evidence-based understanding of resilience, operational dependencies and cyber effectiveness, and can quantify it in business terms, will be better positioned to support executive decision-making, strengthen governance outcomes and adapt to evolving expectations.
CyberHQ® is built for exactly this shift. The Cyber Resilience Command Platform answers the questions many organizations are struggling with: are we investing in the right things? If something goes wrong, can we keep our operations running? It gives you the evidence to answer both, with data you can stand behind.
Experience the power of a connected, automated platform that empowers you to Simulate Attack Paths, Automate Compliance, and Quantify Risk centrally.
