A striking gap is emerging in the way that enterprises view and mitigate their cyber risks. Research by FT Longitude for Uvance Wayfinders, Consulting by Fujitsu, suggests that while 64% of business and IT leaders believe their organization could withstand and recover from a major cyber incident without significant commercial damage, 19% disagree.1
Yet when you look at what separates these cyber-resilience leaders from the laggards, the difference is primarily cultural and strategic. Leaders prioritize long-term business resilience over short-term risk reduction. They’re more likely to focus on employee training and awareness and run attack simulations to test them. They monitor and govern shadow AI usage and apply appropriate security controls.
Crucially, this divide extends to the C-Suite, with 62% of leaders believing cyber risk is clearly understood and overseen at the board level. Only 11% of laggards say the same.2
Here the leaders have adopted a posture all enterprises should consider — that cyber resilience is a leadership, cultural and business risk issue, rather than an IT concern. If technical issues create vulnerabilities, it’s human behaviour, process gaps and operational decisions that unintentionally increase exposure.
As Laura O’Neill, Head of Advisory and Assurance at Fujitsu, explains, “treating cybersecurity as a siloed IT function reinforces the misconception that vulnerabilities are something ‘IT will fix’ rather than a shared responsibility.” “In reality,” she says, “risk exposure and resilience depend heavily on people, their awareness, incentives, decision-making and how security is prioritised in day-to-day work.”
When security is framed as a core part of business strategy, it’s less likely to be sidelined from business conversations and more likely to be integrated into new initiatives.
Rethinking for resilience
O’Neill suggests that struggling organizations begin with security fundamentals rather than advanced tooling. “From a governance perspective,” she explains, “this means clearly assigning accountability for cyber risk at the executive level and embedding it into existing risk and decision-making forums.” Similarly, she recommends shifting away from one-off awareness training sessions to an ongoing program of role-specific education, reflecting the real-world scenarios and risks faced by different teams.
This strategic, culture-led approach is growing more important as enterprises embrace AI, while threat actors harness agentic capabilities. Traditional, perimeter-based approaches face new challenges from AI-driven threats that can adjust their behaviour autonomously. Here, security models that prioritise detection, response, redundancy and resilience will be more effective than preventive controls.
O’Neill points out that, while machine-learning-driven security controls and agentic AI can empower new countermeasures and enhance resilience, they “are not a substitute for good governance or oversight.” Indeed, she argues, “their effectiveness depends on clear controls, human accountability and alignment with business risk appetite.”
Cyber-resilience leaders have learnt to factor security into innovation from the outset, rather than retrofit later. Of the resilience leaders surveyed, 72% agreed that they adopted emerging technologies cautiously, once the risks were established and guardrails were in place. Laggards appear more reckless; 58% said they prioritized early adoption of emerging technologies, even if the cyber risks weren’t fully understood.3
Organizations that have yet to adopt cyber resilience within their wider culture could be making a dangerous mistake as AI-enhanced threats scale outwards and preventive measures struggle to keep pace. This divide is defined by attitudes right now but may predict which businesses will eventually thrive or falter.
1 Uvance Wayfinders AI & Cyber Resilience Report (due to be published in June 2026)
2 ibid
3 ibid

