2026-02-23

A cyber audit is not proof of security, and an audit sign‑off can create an illusion of confidence, says Richard Puckey, Head of Compliance at the managed service provider Espria.

He says: “True resilience is about whether your organisation can detect, contain and out‑manoeuvre an attacker today, not whether you passed an assessment last quarter. In 2026, an organisation can be fully compliant with ISO 27001 [the international standard for information security management] and still be critically exposed to social engineering attacks. Attackers have largely shifted from exploiting technical vulnerabilities to exploiting human behaviour. If your security strategy doesn’t account for how your people act under pressure, an audit alone provides little real protection.

“Compliance remains a necessary baseline, but it is only a snapshot in time, not a living, continuously tested capability. The Government’s own approach reinforces this reality by prioritising multi‑year programmes focusing on measurable improvement and real-world incident readiness, not just paperwork.

“High‑profile breaches continue to impact organisations holding valid certifications at the time of compromise, because audits confirm that a policy exists, not that it performs under stress. Government and industry messaging is converging on the same conclusion: cyber resilience means preparing, detecting, responding and learning in a continuous cycle, not resting on an annual attestation.”

Most successful cyber incidents still hinge on human decision-making, he adds.

“We have to stop treating human error as an unavoidable accident and start treating it as a manageable business risk. From deepfake‑assisted social engineering to business email compromise, attackers exploit urgency and trust to bypass otherwise effective security controls. Managing human behaviour as a measurable risk domain is now essential to closing the resilience gap. This is as much a cultural and architectural challenge as it is a technical one.

“Technology stacks have matured, but attackers increasingly ‘hack people’ rather than systems. Human Risk Management (HRM) brings human behavioural exposure into the same operational risk framework as patching or identity, allowing leaders to quantify exposure and reduce risk accordingly.”

Compliance should enable resilience, not mask its absence, he argues. “Systems, controls and people must be continuously evaluated against live threats and operational stress, not frozen in time by an annual audit cycle.

“This starts with validating the baseline. Mapping critical business services, stress-testing whether documented controls actually function under pressure, and integrating HRM telemetry into day-to-day operations, where it can meaningfully inform response and control design.

“Once these baseline weaknesses are visible, organisations must shift from passive assurance to active defence through continuous monitoring. Supply‑chain risk must be scrutinised to the same level as internal controls, whereas human risk controls should now be targeted yet adaptive to context.

“Finally, organisations must institutionalise continuous assurance. Audit outcomes should be directly linked to threat‑led improvement activity, closing the gap between governance and lived operational risk. Compliance should always be treated as the floor, never the ceiling, of cyber maturity.”

He concludes: “Boards want fewer surprises and faster recovery. The organisations that succeed in this will be those that operationalise resilience and can demonstrate it month‑to‑month, not just at audit time.”