
Cyber at the Top: Cyber Resilience in Action


Posted on by Hugh Thompson

As a parent of five kids, every single day I take for granted that when one of them picks up a phone, there will be a signal, that the network will be there, and that the call will go through. Most of us make that assumption. And that invisible, unspoken trust we place in the systems around us is exactly what is at stake when we talk about cyber resilience. 

I recently had the chance to sit down with Emma Smith, Group CISO at Vodafone, for an interview on the Cyber at the Top podcast. Emma is a leader who has spent over two decades in cyber, from steering a UK bank through the financial crisis to protecting telecommunications infrastructure across 15 countries. Her perspective on cyber resilience is forged from experience leading an internal security team of over 900 people, and it offers advice for every CISO and aspiring security leader thinking about what cyber resilience really looks like in practice.

Resilience is not a destination

NIST defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Emma expanded that definition into her own organization’s terms: “We assume we’re never finished. We’re never complacent about the risks we face. We’re always learning and improving.”

By those definitions, resilience is less a project with a completion date and more a way of operating. For a telecommunications company that is part of critical national infrastructure, with 24/7 operations that support emergency services, businesses, and individuals at their most vulnerable moments, there is no room for complacency. A significant disruption could cascade across sectors.

Why controls don’t always stick (and what to do about it)

Many organizations know what controls they need, but they still struggle to make them stick. According to Emma, knowing what the controls are is just the first step. Knowing how a control reduces risk helps you prioritize. The harder part is making sure each control is configured correctly, ensuring coverage across the organization, and keeping pace with new technologies and new vulnerabilities. It is not a one-time deployment but continuous engineering.

Emma cautioned that many security programs front-load the energy and then see the momentum fade. Resilience requires continuous operations, continuous response, and a team with genuine curiosity. You need people who want to ask questions and push the boundaries instead of maintaining the status quo.

Transformation starts with people

When I asked Emma what actions had the biggest impact on Vodafone’s security transformation, she told me that people were the most important factor. Underneath any operating model is culture. At Vodafone, everyone is on the mission to build resilience together. They do what they say they’re going to do, are transparent about problems, and ask for help when it is needed.

The security team has worked hard on transparency, all the way up to the board and external stakeholders. Emma attends budget meetings across major parts of the business, ensuring capital is flowing to the priorities they’ve aligned on. Every two years, each country runs a cyber simulation with its executive team. Engaging with the board and senior leadership shows that the security team will deliver on its promises.

What to measure

For years, cybersecurity has struggled with metrics. It can be hard to say what “better” looks like in practice. Measuring blocked attacks feels satisfying, but it reveals little about how well your controls are working.

According to Emma, Vodafone has taken a more sophisticated approach. They measure:

  • Scale of impact: Are we reducing the footprint of events over time?
  • Speed of recovery: Not just time to respond, but time to truly recover and learn.
  • Post-incident reviews: Going deep, every time, as a priority — not an afterthought.
  • Repeat incidents: Zero tolerance for the same failure mode twice.

The same measures are applied across every country, creating transparency and healthy accountability. By comparing country-level performance, telling stories of learning, and using decision matrices to clarify who owns what, Vodafone has built resilience into its operating rhythm.

How to get started

I always finish the interview asking guests for one thing they’d tell a CISO just starting out. Emma shared this final advice: “Don’t admire the problem for too long. Understand it and start to take action. Try things, and if it doesn’t work, adapt and change.”

She also included some extra advice that I think gets overlooked in our field: “Take care of yourself and your team. Build a network. Ask for help. Lean into humility. The personal resilience of a security leader directly shapes the organizational resilience of everything they protect.”

Telecommunications infrastructure carries emergency calls, business continuity, and important moments between families and friends. The lesson for all of us is that resilience is about building organizations that learn, adapt, and keep earning trust, even when things go wrong. The work is never finished, and that’s exactly the point.

To listen to our full conversation, watch the video here.

Contributors
Hugh Thompson

Executive Chairman & RSAC Conference Program Committee Chair, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
