Transformation, AI and Automation at Scale, Cyber Resilience & Strategic Delivery: Webinar Roundup

We recently held a webinar focusing on the topic of “Transformation, AI and Automation at Scale, Cyber Resilience & Strategic Delivery”, exploring the critical success factors behind enterprise-wide transformation and what it takes for organisations to build cyber resilience in today’s fast-paced IT landscape.

To lead the session, we were joined by former Group CIO John Lockett, who has over 25 years’ experience leading transformation across FTSE 100 organisations, including British Gas Transco and Serco. With extensive first-hand experience navigating cyber incidents, large-scale transformation programmes and board-level decision-making, there was no one better placed to guide the discussion.

The webinar proved highly engaging, with lively discussions between John and attendees around the challenges of AI implementation, cyber maturity and organisational resilience. Having managed several significant cyber incidents during his career, John shared valuable insights and lessons learned, alongside practical actions organisations can take to use AI responsibly and strengthen their cyber readiness.

If you were unable to attend, we’ve summarised the key talking points and actionable insights below to help you understand how cyber resilience and AI implementation can support strategic delivery.

Speed Is Critical

When a cyber incident occurs, an organisation’s cyber maturity is not defined by the sophistication of its tools, but by how quickly and decisively it responds.

Drawing on his experience leading organisations through major incidents, John emphasised that the first few hours are critical. In one incident, he made the decision to shut down systems across Europe within an hour of becoming aware of a threat. This was done without full certainty, but with clear accountability.

He explained:

“I didn’t ask for permission. I just did it. Speed is really important. Whenever anything like this happened, I can’t stress enough how important speed is. You’ve really got to make decisions quickly.”

This ability to act decisively is only possible when leaders are empowered in advance, through rehearsed scenarios, delegated authority and an acceptance that waiting for full clarity can be a risk in itself.

The Human Firewall

When it comes to cyber maturity, people remain both the strongest defence and the greatest vulnerability. Despite advances in AI and technology, John described the “human firewall” as the most important factor in achieving cyber maturity, while also acknowledging it is often an organisation’s biggest challenge.

Many organisations over-invest in technology while under-investing in people and training. While tools can detect and isolate threats, it is culture that determines whether employees follow policies, escalate concerns and respond effectively under pressure.

John explained that real-world incidents often trigger “massive cultural change”, but stronger cyber maturity is better built through regular training, scenario-based simulations and red-teaming exercises. These activities not only identify vulnerabilities, but also raise board-level awareness, inform investment decisions and drive meaningful behavioural change. Consistency and relevance are key - annual or tick-box exercises are rarely sufficient.

Clear Ownership

The impact of a cyber incident extends far beyond IT systems, affecting customers, operations and supply chains. Yet many organisations still treat cyber resilience as solely an IT responsibility.

John highlighted that during incidents he has led, it was “not just the IT people on the call, it was the General Counsel, the UK and Europe CEO”, reflecting a growing recognition that cyber resilience is a core business issue, not just a technical one.

Delegating cyber risk exclusively to IT is no longer viable. True cyber resilience requires clear board-level ownership, supported by a strong organisational culture and engagement across all functions. Shared accountability ensures cyber risk is embedded into everyday decision-making, rather than treated as a purely technical concern.

Maturity Over Investment

One of the most common questions organisations ask is: Are we spending enough on cyber? John noted that this is difficult to answer in a constantly evolving threat landscape.

While he suggested that organisations should expect cyber investment to increase year on year, he was clear that higher spend does not automatically equate to greater maturity. Investing in the “latest and greatest” tools without the ability to integrate and operate them effectively can increase risk rather than reduce it.

John also cautioned against reactive spending driven by fear or competitor activity. Instead, organisations should view cyber investment as part of a broader technology strategy, particularly when it comes to AI. While AI can add value and drive efficiencies, it must be governed, prioritised and aligned to genuine business outcomes.

Ultimately, cyber maturity is demonstrated through practice: regularly testing systems and processes, learning from outcomes and making informed risk decisions aligned with organisational priorities.

If you’d be interested in attending one of our future events, either as an attendee or a potential speaker, you can register your interest here.

Richard Archer

24th December
