
From Davos to the Boardroom: What Mark Carney’s 2026 Speech Reveals About Cyber Resilience 

January 26, 2026

By Jane Frankland

At Davos, the World Economic Forum 2026, the Prime Minister of Canada, Mark Carney, delivered a masterclass in storytelling with a powerful speech that felt less like commentary and more like a warning flare.

Not because it was dramatic, but because he was sharing something rare – honesty.

Carney described a world where the familiar assumptions of order and predictability are breaking down, a world defined by rupture, not transition. He spoke about power, leverage, and the uncomfortable reality that “compliance will not buy safety.”

And as I listened, I nodded my head in agreement and couldn’t shake the thought…

This is cybersecurity’s story too.

Not as a metaphor. As a mirror.

The Cyber Parallel: Rules Don’t Protect You When Reality Changes

For years, many organisations have approached cybersecurity as a rules-based system. The thinking goes: if we follow the right standards, tick the right boxes, and buy the right technology, we’ll be safe.

But in cyber, as in geopolitics, the world has shifted.

Threats don’t respect your policies. Attackers don’t care about your intent. And compliance doesn’t stop disruption!

In 2026, cyber is no longer a technical problem in the IT department. It’s a leadership test under pressure – one that exposes whether your organisation can still function when certainty disappears and a cyber attack hits.

Cyber isn’t Risk, it’s Leverage

Woven throughout Carney’s speech is the idea that power is changing hands faster than people realise, that leverage is being used strategically, and that the cost of dependence is rising.

That’s exactly how cyber works.

A major cyber attack isn’t just “a breach.” It’s a leverage event:

  • Leverage over your time
  • Leverage over your reputation
  • Leverage over your operational ability
  • Leverage over your decision-making

And guess what the most dangerous part of this is? It’s that by the time leaders recognise the leverage shift, choice is often already gone.

The Trust-Collapse Horizon

Carney also pointed to a reality where the stories we’ve relied on – the assumptions, the rituals, the predictable structures – no longer hold.

Cybersecurity is approaching the same moment, accelerated by AI, but AI isn’t just increasing the volume of attacks. It’s compressing the time leaders have to:

  • Verify truth
  • Establish authority
  • Decide outcomes

We’re moving toward a trust-collapse horizon, where organisations can’t prove what’s real fast enough to prevent high-impact fraud, disruption, or cascading failure.

In other words, the problem isn’t only malware. It’s uncertainty at machine speed.

Why the Traditional Security Stack is Now a Liability

Most organisations still build security from the bottom up:

infrastructure → technology → governance → people.

Which sounds logical, until a real cyber attack happens. Why? Well, it’s because cyber attacks don’t collapse at the level of technology, do they?

They collapse upward through people:

  • Delayed decisions
  • Unclear authority
  • Siloed communication
  • Truth degraded by fear, optimism, and incomplete information

That’s why I believe it’s time to change the model.

Cyber resilience isn’t something you buy at the bottom of the security stack and hope it makes its way up to the boardroom. It must be designed from the top down.

The Cyber Resilience Doctrine: Preserving Choice

Carney’s message at Davos was, at its core, about agency – about refusing to drift into a world where decisions are made for you.

In cyber, that’s the whole game.

Cyber resilience is preserving choice when failure occurs. Not because failure is acceptable but because disruption is no longer rare.

Preserving choice means that when a cyber attack hits, leaders are not cornered into one reactive path because time, truth, and control have collapsed. They can still choose:

  • Isolate vs stay operational
  • Disclose early vs wait
  • Contain vs recover
  • Absorb vs negotiate
  • Protect data vs protect service continuity

Those choices don’t exist by accident. They exist because leadership has designed them, and tested them in advance.

The Real Work isn’t Technical – it’s Structural

Carney also spoke about strategic autonomy and building strength at home while forming new coalitions that reflect reality.

Cyber resilience requires the same maturity and, to a certain extent, courage.

It means building strength internally, but also recognising a hard truth: no organisation survives cyber disruption alone. Your resilience is shaped by your partners and suppliers, your cloud dependencies, your incident response support, and the relationships you’ve built before the crisis hits.

In cyber, collaboration isn’t a “nice to have.” It’s a survivability control.

And it’s not theoretical. The organisations that recover fastest aren’t always the ones with the most technology. They’re the ones who’ve rehearsed reality. They’re the ones that have run crisis simulations, tested decision pathways, held tabletop exercises with executives and the board, and built muscle memory under pressure. They’ve pre-agreed thresholds for shutdowns and disclosures. They’ve secured retainers with incident responders and forensics teams who can be on call when minutes matter. They’ve designed recovery as a capability, not as hope.

Don’t get me wrong, better cybersecurity technology is vital, as are better engineering and systems that fail less often. But the differentiator, especially now, in the age of AI, is whether your organisation can still make high-quality decisions once truth is degraded and time is compressed.

And here’s the uncomfortable part.

In cyber, truth doesn’t only degrade because cyber attackers distort it. It degrades internally too.

Cover-ups happen. Risks get softened. The reality gets buried, not always by the cybersecurity team, but sometimes by the leaders they report to. Recommendations get downgraded, delayed, or quietly ignored because they’re inconvenient, expensive, or politically difficult.

Ask any experienced CISO and you’ll hear a version of the same story – they present a list of critical recommendations, but they’re only able to execute a fraction, sometimes less than a quarter at best. The rest depends on other departments with different incentives, different priorities, and often no direct accountability for the outcome. Yet when something goes wrong, the CISO is still the one held responsible, and their job is on the line.

The CEO and board are often unaware.

This is why resilience cannot be solved through technology alone. If authority is fragmented, incentives are misaligned, and bad news is punished or suppressed, the organisation isn’t secure.

It’s performative security, and under pressure, performance collapses.

That’s why technology is not the answer to this problem.

What Comes Next

As The Guardian quite rightly said the other day, Carney made a statement that should echo beyond geopolitics – nostalgia is not a strategy.

Neither is cyber nostalgia.

We can’t keep responding to a current threat landscape with an outdated model of cybersecurity. We can’t keep stacking technology and calling it cyber resilience. And we can’t keep pretending cyber is “operational” when it increasingly determines strategy, valuation, continuity, and trust.

Cybersecurity is buckling under the weight of what we’ve normalised – endless complexity, constant urgency, and the expectation that the people within it can absorb infinite risk without breaking. They can’t. Burnout is rife. Turnover is rising. Talent is waning. And the truth is, in cyber, we’re not getting what we need – we’re getting what we’re willing to tolerate.

That’s why I’m writing my next book.

It’s for leaders (CEOs, boards, founders, politicians etc) because the stakes are now brutally personal. A serious cyber attack can cost you your business, your valuation, your customers, your bonus, and in some cases your job. It can trigger regulatory scrutiny, litigation, and reputational damage that doesn’t fade when systems recover.

And it’s for the cybersecurity professionals who are done carrying impossible accountability without real authority, and who want the leadership support they need to actually do the job they’re great at.

More soon.

Now I Want to Hear from You

What do you think I’ve missed here, and where do you see organisations failing first when a cyber attack hits? Is it technology, governance, leadership or something else?

Join in the conversation on LinkedIn and let me know there, in the comments.

Photo credit: “World Economic Forum 2026 Annual Meeting” by World Economic Forum, CC BY-NC-SA 2.0


Jane Frankland

Jane Frankland MBE is an author, board advisor, and cybersecurity thought leader, working with top brands and governments. A trailblazer in the field, she founded a global hacking firm in the 90s and served as Managing Director at Accenture. Jane's contributions over two decades have been pivotal in launching key security initiatives such as CREST, Cyber Essentials and Women4Cyber. Renowned for her commitment to gender diversity, she authored the bestselling book "IN Security" and has provided $800,000 in scholarships to hundreds of women. Through her company KnewStart, and other initiatives she leads, she is committed to making the world safer, happier, and more prosperous.
