True cyber resilience comes from culture

Reflections from the BFI’s new Head of Cyber Security on the vital role of organisational culture in response to rising cyber threats.

A data tape library robot in the BFI National Archive.

Resilience

Resilience is a fashionable word in a world of economic uncertainty and, at times, confusion: a time in which technology travels at 100 miles per hour, bringing both a welcome sense of possibility and a disorienting fear of missing out.

We hear in TED talks that resilience is never about bouncing back but about pushing through, with the realisation that the path is forever changed. We hear the words ‘cyber resilience’ in the King’s Speech and in ministers’ talks. We hear executives echoing the central message of the UK’s national cyber strategy: that ‘it is all about resilience’, that ‘it’s inevitable a cyber incident will happen’.

I do not believe cyber resilience is just about a centrally managed monitoring mechanism, or AI-empowered incident response, or a well-rehearsed crisis management simulation in which executives practise making those fundamental reputational decisions, and so on.

All those things matter deeply, of course, reflecting the fundamental complexity, volatility and multi-faceted nature of cyber security. Above all of this, however, one lasting theme runs throughout: people.

I passionately believe true resilience comes from a culture where people hold together.

The importance of organisational culture

Let me take you back to the cyber event I experienced from my very first day as the Head of Cyber Security for the BFI.

Three days before I started, colleagues in our retail team discovered our online shop had been compromised, which unfortunately enabled customers’ data to be captured in real time. (We’ll be sharing more about this incident and its lessons in a later blog post – for now, suffice to say we were transparent about it with swift direct comms and a public FAQ for impacted customers.)

In those intensive daily crisis-management meetings, what bolstered our progress and critical decisions were not tools, controls or playbooks – it was leadership, colleagues’ genuine care, the ability to pull together, a psychologically safe space where we spoke up without fear and where diversity of thought fed directly into our most crucial decisions. All of which helped us to not only bounce back from this incident but to leap forward with our cyber resilience overall.

What truly holds us together under pressure in a cyber incident is the same force that sustains us in quieter times – a culture of trust and collective resilience. The day-to-day building of BFI’s cyber resilience rests not only on controls or frameworks but also on something deeper: an inclusive security culture.

Alongside the technical defences we conscientiously invest in, we place equal value on the subtler human loop, the way repeated behaviours shape unconscious thought, the relationship between a process of iterative steps along the way and that wonderful vision at the horizon.

Here at the BFI we believe that an inclusive security culture starts with healthy leadership from the top, not just in title but in tone, which purposely cultivates a psychologically safe environment where people are willing to report an incident, to speak up when they notice shortfalls, or to say so when they’ve done something they’re unsure of.

The culture we believe in comes from strategic thinking that values depth over dazzle, the mindset that does not identify cyber security with just shiny tools or a one-off investment.

We believe in proportionality, in balance and prioritisation, in intentionality and strategic restraint.

Security sets us free

The fundamental purpose of a risk-driven security function is to allow the business to navigate confidently in the direction of its vision, mission and purpose. Picture cyber security as the braking system on a fast car. Ferraris go fast because they have the finest braking systems to allow them to stop safely.

In the end, our resilience is not powered by technology alone but by people who care, think and trust. We invest in technologies to enable our colleagues to react speedily and to plan and build creatively; we recognise those small iterative steps of shaping our people’s thought processes; we hold the belief that the best security does not slow us down but sets us free.

This is precisely where cyber resilience at BFI develops, grows and evolves.


Jia Fu is the Head of Cyber Security in the BFI’s Technology and Digital Transformation directorate. You can follow her on LinkedIn where she posts regular insights.

If you’re interested in supporting the BFI’s digital work as a sponsor or donor, please get in touch with us at philanthropy@bfi.org.uk.