In our latest episode of Emerge Stronger through Disruption podcast series, our Global Centre for Crisis and Resilience co-leader Dave Stainback is joined by Dan Chaprut and Shawn Lonergan to discuss the convergence of cyber and technology resilience — a topic that’s shaping how organisations prepare for and respond to disruption.
Release date: November 2025
David Stainback: Hello everyone, and welcome to this episode of Emerge Stronger Through Disruption. I'm Dave Stainback, co-leader of PwC’s Global Centre for Crisis and Resilience, or GCCR for short. And I'm coming to you today from Atlanta, Georgia. In our podcast series, my GCCR co-leader, Bobbie Ramsden-Knowles, and I aim to explore the challenges facing businesses in this environment of constant crisis and change, and discuss how successful business leaders can emerge stronger through disruption.
We're now in the second episode of the GCCR Summit series, in which we focus on major topics of our crisis and resilience leaders from around the world that were discussed at our PwC Global Summit. I'm delighted to be hosting today's discussion on the convergence of cyber and technology resilience, a topic that's shaping how organisations prepare for and respond to disruption.
Joining me today are two of my colleagues and resilience leaders, Dan Chaprut, and Shawn Lonergan. Dan, Shawn, great to have you here.
Shawn Lonergan: Thanks, Dave.
Dan Chaprut: Great to be here. I'm Dan Chaprut, a partner based in Boston, focused on tech resilience, and I'm joined by my colleague and good friend Shawn Lonergan, a cyber partner who leads operational resilience practice.
Shawn Lonergan: Thanks Dave and Dan, thrilled to be part of the discussion. I'm really excited about this topic 'cause it highlights something different we're seeing happening in the market, the rapid convergence of cyber and technology resilience. It's no longer enough to manage these as separate disciplines. They've become foundational to operational resilience, business continuity, and even regulatory compliance.
David Stainback: Can you expand on that shift you're seeing Shawn?
Shawn Lonergan: Sure. For years, cyber resilience and technology resilience ran on parallel tracks. One focused on protecting against threats and the other on recovery and continuity. But today, organisations are recognising that you can't recover from what you can't defend, and you can't defend what you can't recover. These are now two sides of the same coin.
Dan Chaprut: That's right. And in practice we're seeing organisations move toward a single source of truth for resilience, connecting data across business services, tech assets, third parties, and even legal entities. That means breaking down silos between cyber, IT, and operations to create real time visibility across controls, dependencies, and recovery posture.
David Stainback: This convergence raises a critical question. So as organisations build more integrated resilience programmes, how well are they managing the dependencies beyond their own walls? Because resilience doesn't stop at the enterprise boundary, it extends to every vendor, partner and platform, particularly in their technology ecosystem, right?
Shawn Lonergan: Yes, the dependency web has definitely gotten tighter. Cloud platforms, embedded security tools, payment processors, they're all interconnected. When one goes down, it can have a cascading impact across the ecosystem. A cloud misconfiguration today can look like a cyber incident tomorrow.
Dan Chaprut: Agreed, firms are realising they have critical exposure to vendors they don't even directly contract with.
Think of core infrastructure players, SaaS providers, or embedded cybersecurity tools that thousands of firms rely on. When one of those goes down, everyone feels it.
Shawn Lonergan: Exactly. The outages we've seen with a number of large and well-established technology providers and others have highlighted that fourth party and concentration risks are real.
Increasingly, we're seeing institutions connect joint testing, share resilience data, and even collaborate on incident simulations with key vendors. We've been working with more and more hyperscalers, for example, and they've been exercising directly with the owners of shared data centers, conducting tabletop testing to understand the people, the processes, and ultimately develop confidence in the DC owners' ability to recover from a disruption.
And this is on top of their own existing vendor due diligence programmes.
Dan Chaprut: While this is promising, there is still a gap. There's no consistent framework for how third-party joint testing should work, or how to contract for shared resilience outcomes.
The industry is trying to figure this out in real time.
David Stainback: So, given the pace at which the area is evolving, how can organisations put it all into action?
Shawn Lonergan: Well, it begins with understanding your dependencies end to end. You can't protect or recover from what you can't fully map.
Dan Chaprut: Exactly. The leading firms are taking a layered approach, mapping Critical Business Services, testing scenarios across cyber and tech failure modes, and integrating those results into strategic decision making.
Shawn Lonergan: It's interesting. Ransomware remains one of the most tangible stress tests of resilience. We're seeing companies invest in immutable backups, data vaulting, and the ability to restore bare metal infrastructure when everything else fails. Those investments can make the difference between a two-day and a two-week outage.
Dan Chaprut: AI is a second big component in transforming resilience. There's huge upside potential, but AI also introduces dependencies we're only beginning to understand.
Shawn Lonergan: One of the most interesting dynamics, for example, is that people in the business continuity plan are increasingly becoming digital agents. If a recovery plan assumes AI driven systems are operating correctly, but they fail or behave unpredictably, that can actually create a new risk to resilience.
Dan Chaprut: But on the upside, we're working with organisations exploring how AI can simulate disruption at scale, running thousands of hypothetical outage scenarios in minutes. That kind of predictive capability can change how we can plan and test resilience.
David Stainback: That's fascinating. So, I'm hearing both upside and potential risk associated with AI adoption in this space, but clearly that's where everyone's heading.
Dan, are you beginning to see organisations leveraging AI for testing and recovery at this point? Any examples you wanna share?
Dan Chaprut: Actually, yeah, we've seen some low hanging fruit through quick expansion of testing, scenario libraries using existing plans, outage history, and global trends as a dataset. More interesting though is the increased use of AI ops platforms to bolster self-healing capabilities without a human in the loop.
However, the jury is still out on regulatory expectations in this space.
Shawn Lonergan: Absolutely. Regulatory readiness is part of the story here. DORA out of the EU has been a wakeup call for many. The organisations that have prepared early for how they're realising the competitive benefits of resilience from faster client onboarding, smoother assurance reviews, and better alignment with their third parties has been tangible.
One of the big lessons out of the Digital Operational Resilience Act's compliance is that resilience is not just a compliance activity pertaining to regulations here. It really needs to be embedded into how the organisation operates. The firms that approach it strategically have gained clear visibility into critical dependencies and stronger third-party governance, and that is now giving them a competitive edge in the market.
Similarly, the EU also has been pushing forward NIS 2, as well as the Cyber Resilience Act, which really expand on some of the expectations that DORA had across other sectors within the critical infrastructure space. US companies should view this as an opportunity to also see where US regulators are heading in this space and how they can start thinking through how to embed resilience and AI governance into their core operating model.
David Stainback: You both touched on some really tangible examples of how resilience is being built today. It sounds like AI and regulatory readiness are both very interesting topics and we're gonna, as a result, deep dive into some more of that in some upcoming podcast episodes as well. But looking ahead, what do you see as the next frontier?
Where does resilience go from here?
Dan Chaprut: Yeah, good question, Dave. Looking ahead, resilience is only going to become more and more integrated across functions, geographies, and even regulatory domains. We're already seeing cross sector frameworks emerge that tie together cyber, tech, and operational risk in new ways.
Shawn Lonergan: Yes, and regulation will keep evolving. Beyond DORA, we're watching how the European supervisory authorities implement NIS 2, as well as the Cyber Resilience Act, and even the AI Act, all of which are changing how organisations think about risk, resilience, and compliance. The pace of change is accelerating.
Dan Chaprut: We'll also see a growing focus on measurement - moving from compliance checklists to quantifiable resilience outcomes. Boards are starting to ask: what's our true time to recover? How resilient are our third parties? What's the actual cost of downtime in business terms?
Shawn Lonergan: Exactly. Resilience will shift from a defensive posture to a source of competitive advantage. Firms that can respond faster, maintain customer trust, and use technology intelligently during disruption will win in the market.
Dan Chaprut: If there's one takeaway for me, it's that resilience is no longer an insurance policy, it's a growth enabler. The organisations that connect cyber, tech, and operational resilience will be the ones that emerge stronger, faster, and more trusted.
David Stainback: That's right, Dan, and our most recent Global Crisis and Resilience survey confirmed that, you know, this integrated approach is key and those organisations that have moved to that more integrated model from a programme standpoint are significantly further ahead than those that remain in silos.
We also learned that resilience is becoming a truly strategic imperative, as 89% of the organisations told us that resilience is one of their most important strategic priorities. So, agreed, no longer an insurance policy. It's becoming part of strategy, and there's opportunity that can come out of resilience from a competitive advantage standpoint.
Shawn Lonergan: Dave, that's exactly right. Resilience today is about foresight, not hindsight, anticipating disruption before it hits and using it to build confidence with customers, regulators, and the market.
David Stainback: I want to thank you both. This has really been a great discussion and I also wanna thank our listeners for joining our GCCR Summit series. I hope you're enjoying it so far.
In our upcoming episodes of Emerge Stronger Through Disruption, we'll continue our GCCR Summit series and delve deeper into hot topics, including operational resilience, the role of tech and AI in resilience and resilience regulations. You can find more insights and resources on our PwC GCCR website and be sure to connect with me, Dan, and Shawn on LinkedIn, and subscribe to Emerge Stronger through Disruption wherever you get your podcasts.
Until next time, stay resilient and be prepared for whatever challenges come your way.
© 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.