Team of three looking at laptop

How to unlock confidence in your operational resilience

Photographic Portrait of Gavin Cartwright
Gavin Cartwright

Partner, Consulting, Ernst & Young LLP

8 minute read 17 Nov 2025
Related topics
Cybersecurity
TMT
Consulting
Technology risk
Risk

TMT organisations face growing threats to business continuity and must adapt accordingly in light of growing cybersecurity threats.

In brief 

  • Cyber attacks and growing regulatory pressures such as the UK Telecommunications Security Act (TSA), highlight the need for operational resilience in TMT.
  • A broader and more proactive approach is needed to maintain operational resilience and grow business value.
  • TMT leaders should take six key steps to build and test operational resilience and embrace emerging technologies in doing so. 

How EY can help

  • Cybersecurity

    Discover how EY's cybersecurity team can help safeguard your business, allowing you to focus on what you do best -- delighting your TMT customers. Learn more.

    Read more

Recent global disruptions, whether from cybersecurity breaches, technology failures or supply chain incidents, have underscored the urgent need for technology, media and entertainment and telecommunications (TMT) companies to reassess and improve their operational resilience. 

 

Operational resilience is an organisation’s ability to prevent, withstand, recover and learn from disruptions. This means identifying the most critical functions and having flexible processes in place to support them during a crisis. Whilst traditional security focuses on confidentiality, integrity and availability, operational resilience emphasises business continuity. Within the TMT sector, operational resilience plays a crucial role in maintaining customer trust, market stability and business value. In addition, regulation such as the UK TSA is requiring telcos to meet new operational standards. 

 

It is clear that building operational resilience is not solely a technology issue but requires a holistic cross-business approach involving key decision-makers. 

 

The benefits of operational resilience can be far reaching. The 2025 EY Global Cybersecurity Leadership Insights Study found that cybersecurity is not just a cost or risk mitigator; it’s a strategic value creator that can contribute up to 20% of value in each organisation-wide strategic initiative it is involved in.1 This supports the view that an integrated approach to operational resilience can be a business enabler, unlocking growth and innovation. This perspective is especially relevant for the TMT sector, where digital transformation, regulatory demands and innovation cycles mean that operational resilience is a strategic asset. The UK appears to be more vulnerable than its global peers, with just 63% of UK TMT companies surveyed in the 2025 EY Global Cybersecurity Leadership Insights Study reporting no data breaches compared with 76% globally.2

1

Chapter 1

Drivers for change

Multiple factors are increasing the importance of operational resilience as both a protector and creator of business value. 

Whilst operational resilience has long been a focus for UK TMT companies, whose critical infrastructure acts as the digital backbone of the country, it is now becoming increasingly relevant to organisations across all sectors. Behind the headlines about cyber attacks and IT failures, there are three broader factors pushing operational resilience up the agenda: 

1. Regulation

Governments and their regulators are increasingly concerned about organisations’ ability to provide critical services amid sophisticated cyber attacks, widespread reliance on third-party technology providers, complex global supply chains, the impacts of geopolitical events and climate change. This has led to new regulations, particularly concerning critical infrastructure. For example, in the TMT sector, the introduction of significant new rules like Network and Information Security Directive 2 (NIS2) in Europe, the TSA and the upcoming UK Cyber Security and Resilience Bill, is placing additional demands on telcos to prevent and identify risks, as well as remedy any adverse effects. 

Recent evidence suggests that the focus is broadening. In October 2025, HM Government sent a letter to all FTSE 350 companies, with three specific requests: to make cyber risk a board-level priority, to sign up to the National Cyber Security Centre (NCSC) early warning scheme and to ensure organisations implement key cyber protections throughout their supply chains.3

2. Budgetary pressures

Whilst threats are rising, budgets are shrinking. The 2025 EY Global Cybersecurity Leadership Insights Study found that cybersecurity budgets as a percentage of annual revenue have decreased over the last two years, from 1.1% to 0.6%.4 This is making it crucial for organisations to examine how each pound spent can deliver maximum protection and resilience. Operational resilience is not only a cost but can also add value, particularly when aligned with business objectives. The Insights Study also found that cybersecurity adds a median of US$36m in value to each strategic initiative it supports.5 Yet the same study found that 40% of respondents from the UK TMT sector believe that it is difficult for their cybersecurity function to articulate their value beyond risk protection.6

3. Integration

Standalone technology solutions are not enough; better integration, governance and ownership at the C-suite level is key. In our latest research, only 40% of respondents were satisfied or very satisfied with the C-suite integration of cybersecurity into key business decisions.7 This shows a growing awareness of the need to move from traditional, more siloed security concerns to thinking about protection and impact across end-to-end key processes and decision-making.

2

Chapter 2

Taking a proactive, holistic approach

As cybersecurity threats multiply, the whole business must work together to ensure operational resilience.

The past 12 months have seen major, high-profile outages across sectors as diverse as aviation, retail and TMT. Many of the most high-profile incidents have highlighted how interdependence, across organisations, supply chains and technology ecosystems, – can accelerate and deepen disruption. Any resilience plan that fails to consider such relationships is unlikely to be effective. 

Confidence in operational resilience also means knowing what needs protecting most. Understanding which business units, products, or factories are most critical from a financial or trust perspective allows them to be prioritised for resilience planning. This approach may also reveal a disconnect between IT and tech teams and business and product owners, emphasising the need for better communication and alignment. 

The 2025 EY Cybersecurity Study: Bridging the C-suite Disconnect examined the gulf between the importance of cybersecurity and the relative lack of influence chief information security officers (CISOs) have in the C-suite, with 59% of global respondents saying that the cybersecurity function is not consulted when strategic decisions are made.8 This highlights the need for operational resilience to be a Board-level issue and built into corporate governance. 

More proactive measures, such as simulations, rehearsals and regular assessments of critical systems, are required to ensure relevance and effectiveness. Making operational resilience more visible through the use of key metrics and dashboards can increase awareness and add value.  

Operational resilience should not be left to the technology team alone, but should involve risk management, business continuity, physical security and other relevant teams. Effective risk management means not only identifying significant risks, but also assigning ownership and tracking actions to mitigate them, with transparent reporting to leadership. In terms of cost pressures, recent high-profile outages affecting millions of customers worldwide may focus minds and expand budgets. 

3

Chapter 3

Six steps to strengthen operational resilience

How to take action to build confidence.

All major TMT organisations have operational resilience plans in place, but the question is whether they are confident in those plans and if that confidence is justified. Below are six practical steps, each with a supporting question, designed to challenge organisational thinking and cut through complexity. 

 1. Carry out a detailed assessment to identify the critical assets and architecture that make up your minimum viable business. 

Do you know what systems and data need to stand up first to restore systems following an incident? 

2. Analyse your IT/cloud architecture, including key technology vendor reliance and consider how it will withstand the latest threats and regulatory demands. 

 Do you know the most likely entry points an attacker may use to gain access (including via third parties)? 

3. Run a resilience simulation to exercise one or more real-life scenarios and assess how prepared and timely your response is. 

Have you tested your response and recovery plans to understand how your organisation and critical suppliers will perform in a real-time incident simulation? 

4. Conduct a deep dive into supply chain risks and end-to-end supply chain resilience for key operations. 

Do you know the most critical points of your supply chain, and which parts of it play a crucial role in key business operations? 

5. Understand existing recovery capabilities, coverage, speed of recovery, type and location of back-up, etc. 

How do you test backup and recovery capabilities? Are they fit-for-purpose in returning your business to operation in acceptable timeframes? 

6. Develop key incident response playbooks, providing clarity of responsibilities during some of today’s more likely tech and cyber incidents. 

Do you have a well-understood and documented playbook for likely cyber/IT incidents? Are people clear on their responsibilities and roles? 

These steps and questions will help TMT leaders assess and build confidence in their operational resilience. This can also help inform the development of comprehensive business continuity plans, supported by regular testing, employee training and continuous monitoring. 


Summary

A combination of digital threats and significant new regulations in the TMT sector means companies need to embed operational resilience across their organisations. With budgets under pressure, companies must embrace innovation, prioritise investment and coordinate activities to avoid any potential weaknesses. 

How can we help you shape your business with confidence?

Please complete a contact us form if you would like to speak to our  Tech, Media and Telecoms team.

Contact us

Related articles

How can cybersecurity go beyond value protection to value creation?

The 2025 EY Global Cybersecurity Leadership Insights Study found that CISOs account for US$36m of each strategic initiative they are involved in. Read more.

Richard Watson + 1

    About this article

    Photographic Portrait of Gavin Cartwright
    Gavin Cartwright
    Partner, Consulting, Ernst & Young LLP
    Helping clients understand and manage the impact of cyber risks. Cybersecurity leader. Semi-retired footballer and football coach. Enjoys kayaking.
    Related topics
    Cybersecurity
    TMT
    Consulting
    Technology risk
    Risk

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.