The next cyber crisis may not arrive as a single event

One of the more subtle shifts taking place in cyber security is not about technology. It is about time.

For years, organisations have largely approached cyber resilience through the lens of incidents. An attack occurs. Systems are disrupted. The response plan is activated. Recovery begins. Lessons are learned.

This model has served organisations reasonably well for a long time because many cyber threats followed a similar pattern. Whether it was ransomware, data theft, or opportunistic compromise, the focus was often on a discrete event with a relatively clear beginning, middle, and end.

Increasingly, however, that model is becoming less representative of the threats many organisations face.

One of the recurring themes emerging from government agencies, intelligence services, and cyber security leaders is that sophisticated adversaries are often operating on entirely different timescales.

Rather than executing isolated attacks, they are conducting campaigns.

That distinction matters more than it might initially appear.

An incident is something that happens to an organisation.

A campaign is something that happens around it.

Campaigns can unfold over months or years. Objectives can evolve. Access can be established long before it is needed. Activity can pause and reappear. Multiple organisations may be targeted simultaneously as part of a broader strategic objective.

From the perspective of the defender, this creates a very different challenge.

The conflict in Ukraine has provided several examples of how cyber activity can form part of a wider geopolitical campaign rather than a single event. Similarly, public reporting around state aligned activity targeting critical infrastructure and strategic sectors has demonstrated how adversaries may focus on gaining access and positioning themselves long before any visible disruption occurs.

In these situations, the absence of immediate impact can create a false sense of security.

Many organisations still measure success by whether they have experienced a major incident. Yet some of the most significant nation state campaigns uncovered in recent years were characterised by persistence rather than disruption.

The objective was not necessarily to trigger an immediate crisis.

The objective was to create options for the future.

That reality challenges many assumptions that underpin traditional cyber resilience planning.

Incident response frameworks are often designed around containment and recovery. A threat is identified, the organisation responds, systems are restored, and operations return to normal.

But what happens when the activity is not isolated?

What happens when an adversary returns repeatedly?

What happens when the organisation itself is not the primary target but forms part of a wider supply chain, sector, or strategic ecosystem?

These are increasingly the kinds of questions security leaders are being asked to address.

One of the more interesting observations from discussions at The-C2 this year was how often organisations continue to prepare for technical events while underestimating strategic campaigns.

This is understandable.

Technical incidents are easier to visualise. They generate alerts, trigger response plans, and create measurable impact. Campaigns are less visible. They emerge gradually through patterns, intelligence reporting, geopolitical developments, and subtle shifts in adversary behaviour.

As a result, organisations can become highly proficient at responding to incidents while remaining less prepared for the environments that produce them.

The difference is not simply operational. It is also strategic.

A ransomware incident may require technical recovery.

A long term campaign may require sustained organisational resilience.

That includes maintaining leadership focus over extended periods, adapting security priorities as intelligence evolves, and recognising that recovery is not always a clearly defined endpoint.

In practice, some of the most resilient organisations are already beginning to adjust their thinking.

Threat intelligence is becoming less focused on identifying individual indicators and more focused on understanding adversary objectives. Crisis management exercises increasingly incorporate geopolitical scenarios rather than purely technical failures. Security teams are placing greater emphasis on persistence, resilience, and operational continuity alongside traditional detection and response capabilities.

Perhaps most importantly, there is growing recognition that resilience is not simply about surviving disruption.

It is about sustaining effective operations during uncertainty.

This has implications for boards as well.

Many board discussions still frame cyber security around the probability of individual incidents. How likely is an attack? What would the financial impact be? How quickly could systems be restored?

These remain important questions.

However, they do not always capture the nature of strategic cyber risk.

Boards increasingly need to consider how geopolitical developments, adversary intent, supply chain exposure, and long term campaigns influence organisational resilience over time.

The challenge is not becoming experts in threat intelligence. It is understanding that some risks cannot be measured solely through the lens of isolated events.

The most effective boards are beginning to ask different questions.

How would the organisation operate if threat activity persisted for months rather than days?

What assumptions underpin current response plans?

Which business functions are most sensitive to prolonged disruption or uncertainty?

And how quickly can priorities adapt if the threat landscape changes?

These conversations often reveal a broader truth.

The organisations that perform best during major cyber crises are rarely those that prevent every intrusion. They are the ones that recognise early that resilience is an ongoing capability rather than a recovery process.

They understand that security is not simply about defending systems.

It is about maintaining confidence, decision making, and operational effectiveness during periods of sustained pressure.

In many ways, this reflects a wider shift taking place across cyber security.

As geopolitical tensions rise, supply chains become more interconnected, and adversaries pursue increasingly strategic objectives, the distinction between incidents and campaigns becomes harder to ignore.

For cyber leaders, that means preparing not only for the attacks they can see, but also for the environments that make those attacks possible.

Because the next significant cyber challenge may not arrive as a single event.

It may arrive as a campaign that has already been unfolding for some time before anyone realises it.