Last month a plant manager looked me in the eye and asked a blunt question: “If we pass our next cyber audit, are we protected?” After two decades on plant floors and running cyber programmes at operational sites, my honest answer still makes leadership uncomfortable. Passing a cyber audit means your digital locks are in place. It does not mean your business can survive a punch to the gut.
The audit paradox
The industry is suffering from a dangerous conflation of cyber resilience and operational resilience. We treat them as interchangeable — and that mistake is the difference between a controlled recovery and a business-ending event. We saw it globally with the 2024 CrowdStrike incident. That wasn’t a hack; it was a software update that brought the world to its knees. The companies that recovered in hours rather than days didn’t have better code — they had better operational resilience.
1. The scope gap: digital vs physical reality
Cyber resilience is digital-only. It lives in IT systems, OT networks and data integrity, and it’s designed to stop lateral movement and recover from a breach. Operational resilience is everything else. It doesn’t care whether the downtime came from a hacker, a regional power cut, or a forklift driver hitting a server rack.
Organisations fall into one trap above all: assuming digital readiness equals total readiness. A cyber programme won’t help you when a primary supplier goes bankrupt or a natural disaster levels your main distribution centre.
2. The staggering cost of “down”
Being “down” has moved from an IT headache to a board-level existential threat, and the numbers in the field are stark.
196 min: average outage duration, all industries
90% of mid-to-large firms lose more than $300k per hour
41% see costs of $1M–$5M per hour
$184B: annual cost of supply-chain disruption
Set that $184 billion of supply-chain disruption against the $53.2 billion attributed to cyber-specific supply-chain attacks. That ~$130 billion gap is the point: operational risk is a far larger, more diverse bucket than cyber risk alone.
“The financial impact isn’t measured in slide decks. It’s measured in process downtime, missed production targets, contractual penalties and eroded customer trust.”
3. From “unhackable” to “unbreakable”
After two decades of operational delivery, I’ve accepted that perfect prevention is a myth. In an era of machine-speed, AI-driven attacks, the goal has shifted from building higher walls to building continuity under pressure.
“By 2026, security is no longer about being unhackable — it’s about being unbreakable.”
Resilient organisations no longer aim for “never breached.” They aim for “never broken.” The mindset assumes the perimeter will fail at some point; the value is in keeping critical services running while the environment is compromised. That’s grit, not just encryption.
4. The integration trap: when cyber defence hurts operations
The most common failure mode I see is the silo effect. IT and Operations work in parallel, and in a crisis their objectives collide. Attacker behaviour is shifting too — many high-impact events now aim for pure operational sabotage, deleting data and disabling systems rather than demanding ransom. When disruption is the goal, defences tuned for data exfiltration are useless.
I’ve watched an IT team correctly isolate a system to contain a threat — and inadvertently kill production, because no one realised that system fed critical process data to the floor. Avoiding that trap takes five non-negotiables:
Cross-functional impact analysis — map how a digital hiccup cascades into a physical stoppage.
Aligned Recovery Time Objectives — if IT thinks four hours is fast but the line dies after thirty minutes, the strategy has already failed.
Backup communication protocols — channels that work when the primary network is dark.
Supply-chain visibility and redundancy — a plan for operating when a key supplier vanishes.
Testing under realistic conditions — beyond polite tabletops, simulate the pressure of a cascading failure.
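The first two non-negotiables, and the isolation anecdote above them, come down to one question: which plant processes stop when a given digital asset goes dark, and is IT's RTO for that asset tighter than the floor's tolerance? Here is a small added example (not code from the post or from NuvantiQ) that walks a constructed dependency map transitively and flags every asset whose IT RTO exceeds the maximum tolerable downtime of the processes it feeds; all asset names and minute values are made up.

```python
"""Added example, not from the original post: check IT recovery time objectives
(RTOs) against the maximum tolerable downtime (MTD) of the plant processes that
depend on them, following the dependency map transitively so that a cascade
(directory server -> MES database -> historian -> line) is caught.
All assets, processes and numbers below are constructed sample data."""

# Constructed dependency map: each node -> the nodes it directly feeds.
FEEDS = {
    "ad-server": ["mes-db"],
    "mes-db": ["historian", "recipe-mgmt"],
    "historian": ["line-1"],
    "recipe-mgmt": ["line-1", "line-2"],
    "badge-system": [],            # feeds no production process
}

# IT-side RTOs in minutes, as IT currently defines them (constructed).
RTO_MIN = {"ad-server": 240, "mes-db": 240, "historian": 20,
           "recipe-mgmt": 120, "badge-system": 480}

# Operations-side maximum tolerable downtime in minutes per line (constructed).
MTD_MIN = {"line-1": 30, "line-2": 90}


def downstream_processes(asset, feeds, mtd):
    """All processes (keys of `mtd`) reachable from `asset`, transitively.
    This is also the answer to 'what stops if we isolate this box?'."""
    seen, stack, procs = {asset}, [asset], set()
    while stack:
        for child in feeds.get(stack.pop(), []):
            if child in mtd:
                procs.add(child)
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return procs


def required_rto(asset, feeds, mtd):
    """Tightest MTD among the processes the asset feeds; None if it feeds none."""
    procs = downstream_processes(asset, feeds, mtd)
    return min(mtd[p] for p in procs) if procs else None


def misaligned_rtos(feeds, rto, mtd):
    """Assets whose IT RTO is slower than the floor can tolerate.
    Returns {asset: (it_rto, required_rto, sorted affected processes)}."""
    gaps = {}
    for asset, minutes in rto.items():
        need = required_rto(asset, feeds, mtd)
        if need is not None and minutes > need:
            gaps[asset] = (minutes, need, sorted(downstream_processes(asset, feeds, mtd)))
    return gaps


if __name__ == "__main__":
    for asset, (have, need, lines) in misaligned_rtos(FEEDS, RTO_MIN, MTD_MIN).items():
        print(f"{asset}: IT RTO {have} min, floor needs {need} min (stops {', '.join(lines)})")
```

Running it on the sample data flags the directory server, the MES database and recipe management, because a four-hour or two-hour recovery on any of them stops line-1 at thirty minutes; the historian, with a 20-minute RTO, is aligned, and the badge system feeds no line at all.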
5. The preparedness gap and the regulatory sleepless night
Despite the stakes, only 20% of organisations call themselves fully prepared for an outage. Most are stuck in a reactive loop, waiting for the alarm before deciding who’s in charge.
And that gap is hitting a wall of regulation. 79% of technology executives admit they’re not ready for the governance standards in DORA and NIS2. Among my peers, 44% are losing sleep over the fines tied to unplanned downtime — and with 95% of leaders expecting a major crisis within two years, “hoping for the best” is no longer a strategy.
The three-outage audit
Cyber tools alone won’t save your company when the underlying infrastructure breaks. Cyber resilience is a vital part of risk strategy — but it’s not a substitute for being operationally unbreakable.
So this week, audit your last three outages. Don’t read the IT logs; read the business impact. Mark which were cyber-driven and which were operational failures, then ask whether your current programme would even have recognised the problem. If your next disruption isn’t a sophisticated attack but a power failure or a logistics collapse — is your “resilient” organisation actually ready to keep moving? If you can’t answer yes, you’re not resilient. You’re lucky. For now.
Audit your last three outages with us. NuvantiQ helps operators close the gap between cyber resilience and operational resilience — aligning RTOs, testing under real pressure, and making the business unbreakable, not just unhacked. Start the conversation.
About the author
Achal Lekhi leads the OT Security Practice at NuvantiQ. He started his career as a PLC programmer on the plant floor, and now helps critical-infrastructure operators across energy, water, manufacturing, food & beverage and transport turn OT compliance into proven operational resilience.
Find out if your operations could survive disruption.
We pressure-test resilience the way an incident would, then give you the evidence to act on. Engineers who have stood in the control room, not a sales queue.
