
    UK boards are overestimating their cyber readiness


    Every week, the UK faces four nationally significant cyberattacks, according to the National Cyber Security Centre – and yet, an overwhelming 94% of business leaders remain confident in their organisation’s ability to respond effectively. At first glance, that confidence sounds encouraging, but in reality, it may be one of the biggest emerging risks facing UK firms, argues Si West, London director at leading cyber insurer Resilience.

    The gap between boards’ perceived readiness and their actual readiness is widening, and this ‘confidence gap’ faced by CISOs needs to be addressed because it often conceals the very risks those CISOs are tasked with managing. Many boards equate visible investments in compliance and security tooling with genuine preparedness, but in doing so, they lose sight of loss control and operational resilience.

    This misplaced confidence can obscure underlying weaknesses that only become evident in a crisis, when prevention alone is no longer enough. Across boardrooms, confidence is too often mistaken for preparedness. Many organisations assume that because they’ve invested in cybersecurity tools or achieved compliance standards, they are equipped to handle whatever comes their way.

    But cybersecurity investment does not automatically translate into resilience, and ‘defence’ is only one layer of protection. True resilience is about how quickly a business can respond, recover, and continue to operate when the inevitable happens. The ability to rebound from disruption, alongside preventative measures, defines whether a company survives or stumbles. When boards equate spending with safety, confidence can easily mask vulnerability. In practice, this means that even well-funded organisations can find themselves paralysed by a single breach, struggling to coordinate recovery efforts or maintain customer trust.

    Structural blind spots in cyber planning

    One reason this gap persists is structural. Security spend itself is often misaligned with what truly drives resilience. Roughly 30% of a typical security team’s budget is allocated to tools, around 40% to headcount, and about 15% to outsourcing. The strongest justifications for these investments tend to focus on compliance requirements and attack surface reduction – important objectives, but not necessarily those that best manage an organisation’s overall risk surface.

    When risk management is not treated as the top priority, boards can mistake responsible-looking expenditure for comprehensive protection, reinforcing a misplaced sense of confidence. As companies move into their 2026 budget cycle, Chief Information Security Officers are still too often brought into financial planning only after major decisions have already been made. By the time security leaders are consulted, budget frameworks and strategic priorities are largely set. That late involvement limits their ability to align cyber strategy with business objectives or to highlight where assumptions about readiness don’t match reality.

    Boards may believe their cybersecurity budgets are sufficient, but without CISO input at the planning stage, that belief is often misplaced. The result is spending that looks robust on paper but fails to deliver genuine resilience in practice.

    Turning confidence into measurable capability

    Bridging the confidence gap starts with integrating resilience into risk and budget planning from the outset. Boards should ask not only how to stop an attack, but also how to recover when one inevitably succeeds. Effective resilience planning relies on three principles: understanding which incidents are most likely and most damaging; involving operations, communications, legal and finance teams in regular response exercises; and tracking how quickly critical systems can be restored and where recovery bottlenecks exist, ensuring redundancy.

    These steps turn abstract confidence into measurable capability. They also expose interdependencies, such as supplier vulnerabilities or outdated internal processes that are often invisible in traditional cybersecurity reviews. Adding short, scenario-based exercises that test decision-making under pressure can also reveal hidden weaknesses that technology alone cannot fix.

    Insurance as an intelligence tool

    Insurance can play an unexpected but powerful role in this process. Modern cyber insurance is no longer just about transferring risk; it’s an intelligence tool that helps organisations understand it. Data from insurers can benchmark an organisation’s preparedness against peers, highlight systemic weaknesses, and inform more targeted investment.

    Used effectively, this intelligence allows boards to make data-led decisions about resilience, replacing optimism with evidence. At Resilience, we’ve seen how organisations that integrate insurance insights into their planning are better able to justify security investments, refine incident response strategies, and accelerate recovery when incidents occur.

    From confidence to capability

    Cyber-attacks are now a constant feature of doing business in the UK. The question is not if a company will be targeted, but how well prepared it will be when it happens. To close the confidence gap, boards must treat resilience as a strategic priority rather than a compliance exercise. That means involving CISOs early, testing response capabilities regularly and using real-world intelligence to guide decisions.

    Confidence alone is not a metric of protection; capability is. Ultimately, in this era of relentless cyber pressure, the companies that thrive will be those that plan not just to defend, but to recover, adapt and endure.
