When a significant cyber incident hit Marks & Spencer in April 2025, former John Lewis chairman Sir Charlie Mayfield appeared on BBC Radio 4’s Today Programme to discuss the implications for the retail sector. Among his many insights, one stood out—subtle, but vital:
“You can’t ever be fully resilient. What you have to be is constantly improving your resilience.”
That line deserves to be a headline in every boardroom. Cyber resilience is not a fixed point you can reach. It is a mindset, a culture, and a commitment to ongoing improvement. It’s not a destination—it’s a journey.
This article was inspired by the recent cyber attacks on UK organisations, specifically Marks & Spencer, the Co-operative and the Harris Federation of schools, as reported on BBC Radio 4’s Today Programme (01/05/2025). The interview will be unavailable after a month, but you can still read excerpts at “Inside the Breach: What M&S and the Harris Federation Reveal About UK Cyber Vulnerabilities”.
The Illusion of ‘Secure Enough’
Too many organisations treat cybersecurity as a checkbox exercise. Once the firewall is installed, the penetration test passed, or the Cyber Essentials badge awarded, there’s a tendency to assume the job is done.
But Mayfield’s warning is clear: resilience isn’t a switch you flip. It’s a discipline you build over time.
“This isn’t the sort of thing you can switch on and off in a 24 or 48 hour period,” he said. “You’ve got to be constantly improving your resilience.”
Cyber Tzar’s work with clients across critical sectors reflects this same challenge: helping organisations move from periodic assessments to continuous, evidence-driven improvement.
Why Resilience Must Evolve
🔁 Threats Are Constantly Changing
Attackers don’t stand still. New vulnerabilities emerge daily, and tactics evolve. If your defences don’t adapt, they become obsolete.
🧠 Digital Systems Are Expanding
As businesses embrace cloud services, hybrid work, IoT, and AI, the attack surface grows. More complexity means more risk—and more visibility is needed to manage it.
⚡ Business Models Rely on Availability
For retailers like M&S or the Co-op, downtime isn’t just an inconvenience—it’s lost revenue, broken trust, and brand damage. The more the business depends on its systems being available, the more resilient those systems must be.
👥 Resilience Includes People, Not Just Tech
From phishing emails to supply chain compromise, many attacks target human behaviour. Building cyber resilience means training, culture change, and psychological awareness—not just installing software.
Resilience is Layered, Not Linear
Cyber resilience isn’t achieved through one big project. It’s built from layers:
- Prevention: Strong controls, patching, access management
- Detection: Monitoring, threat intelligence, anomaly spotting
- Response: Incident plans, rehearsals, communication strategies
- Recovery: Backups, redundancies, restoration timelines
- Learning: Post-incident reviews, threat updates, continuous improvement
At Cyber Tzar, we help organisations measure how these layers are performing—not just at a single point in time, but continuously—through tools that score resilience, identify gaps, and benchmark against industry peers.
A Leadership Responsibility
Mayfield’s comments weren’t aimed at IT teams alone. He was speaking from a board-level perspective—where strategy meets accountability.
“This is a cost to businesses that everybody’s incurring,” he said. “This kind of incident will simply reinforce the importance of that kind of investment.”
Cyber resilience is not just a technical issue—it’s a business priority. Boards must understand it, fund it, and monitor it as part of core governance. It needs to sit alongside financial, legal, and operational risks.
Cyber Tzar helps frame cyber risk in these strategic terms—quantifying exposure in ways that inform business decisions, not just IT responses.
The Mindset Shift: Always Becoming Resilient
The idea that resilience is something you “are” misses the point. Instead, organisations should ask: Are we becoming more resilient each quarter?
That question opens up better discussions. It reframes the issue from fear and blame to adaptation and growth.
Conclusion: No Finish Line, Just Better Preparation
Sir Charlie Mayfield’s reflection serves as a quiet challenge to all organisations. If your goal is to be “secure,” you’ve already fallen behind. If your aim is to be resilient, then you’re on a continuous path—learning, adapting, preparing.
In the world of cyber threats, there is no final form of protection. But there is progress. And that’s what resilience is made of.
Cyber Tzar gives organisations the tools to measure that progress—clearly, continuously, and confidently.
If you’re committed to resilience, we’ll help you make it real.