
Cyber Audits are Only a Paper Shield Giving Boards False Confidence, says Espria

Espria Ltd Stand: E221
Most cyber breaches now exploit human decision‑making, not technical weaknesses.
Leading UK managed services provider warns British boards that over-reliance on cyber audits may be creating a dangerous illusion of resilience.

As the UK Government recently unveiled a £210m Government Cyber Action Plan, openly acknowledging that cyber risk across public services remains “critically high,” the focus of national cyber policy has decisively shifted from compliance to capability. The multi‑year plan, published alongside the Cyber Security and Resilience Bill, emphasises live risk visibility, faster response and demonstrable operational resilience, an implicit admission that traditional audits and certifications have failed to prevent disruption across critical services.

However, while public sector leaders are being urged to prove real‑world readiness, many private sector boards continue to treat a clean cyber audit as proof of security. This disconnect is leaving organisations dangerously exposed, as attackers increasingly bypass technical controls by exploiting human behaviour weaknesses that no audit was ever designed to measure.

“Audit sign‑off can create an illusion of confidence,” says Richard Puckey, Head of Compliance at Espria. “True resilience is about whether your organisation can detect, contain and out‑manoeuvre an attacker today, not whether you passed an assessment last quarter.”

“In 2026, an organisation can be fully compliant with ISO 27001 and still be critically exposed to social engineering attacks. Attackers have largely shifted from exploiting technical vulnerabilities to exploiting human behaviour. If your security strategy doesn’t account for how your people act under pressure, an audit alone provides little real protection.”

“Compliance remains a necessary baseline, but it is only a snapshot in time, not a living, continuously tested capability. The Government’s own approach reinforces this reality by prioritising multi‑year programmes focusing on measurable improvement and real-world incident readiness, not just paperwork.”

“High‑profile breaches continue to impact organisations holding valid certifications at the time of compromise, because audits confirm that a policy exists, not that it performs under stress. Government and industry messaging is converging on the same conclusion: cyber resilience means preparing, detecting, responding and learning in a continuous cycle, not resting on an annual attestation.”

Puckey argues that the majority of successful cyber incidents still hinge on human decision-making.

“We have to stop treating human error as an unavoidable accident and start treating it as a manageable business risk. From deepfake‑assisted social engineering to business email compromise, attackers exploit urgency and trust to bypass otherwise effective security controls. Managing human behaviour as a measurable risk domain is now essential to closing the resilience gap. This is as much a cultural and architectural challenge as it is a technical one.”

“Technology stacks have matured, but attackers increasingly ‘hack people’ rather than systems. Human Risk Management (HRM) brings human behavioural exposure into the same operational risk framework as patching or identity, allowing leaders to quantify exposure and reduce risk accordingly.”

Puckey continues by outlining how boards can be supported in moving from audit-ready to attack-ready, aligning governance and cybersecurity into a cohesive, maturity-led company architecture.

“Compliance should enable resilience, not mask it. Systems, controls and people must be continuously evaluated against live threats and operational stress, not frozen in time by an annual audit cycle.

“This starts with validating the baseline: mapping critical business services, stress-testing whether documented controls actually function under pressure, and integrating HRM telemetry into day-to-day operations, where it can meaningfully inform response and control design.

“Once these baseline weaknesses are visible, organisations must shift from passive assurance to active defence through continuous monitoring. Supply‑chain risk must be scrutinised to the same level as internal controls, whereas human risk controls should now be targeted yet adaptive to context.”

“Finally, organisations must institutionalise continuous assurance. Audit outcomes should be directly linked to threat‑led improvement activity, closing the gap between governance and lived operational risk. Compliance should always be treated as the floor, never the ceiling, of cyber maturity.”

Puckey concludes, “Boards want fewer surprises and faster recovery. The organisations that succeed in this will be those that operationalise resilience and can demonstrate it month‑to‑month, not just at audit time.”
