Organizational resilience: Why cybersecurity needs more than just technology

One statement from the conference really stuck with me: The attacker only needs to succeed once, while the defender must succeed every time.

This asymmetry defines cybersecurity. Attackers look for a vulnerability. Organizations must keep an eye on many potential vulnerabilities at the same time, share information, make decisions, and react quickly in an emergency.

This requires more than just contingency plans. It requires organizations that remain vigilant, take complexity seriously, share responsibility, and learn from mistakes. In our workshop, we therefore viewed resilience not as rigid resistance, but as a dynamic balance of stability, adaptability, and creative power.

This concept became particularly tangible during an interactive exercise using LEGO bricks. The participants worked on a shared task: “Build the tallest tower.” At the same time, they had to manage their own individual tasks, limited information, and shared resources. Furthermore, they were not allowed to speak to one another.

It quickly became clear that when each person simply tries to perform their own task as well as possible, the common goal is lost sight of. This is precisely the pattern many organizations recognize. Teams optimize their own responsibilities, departments secure their processes, and individual units meet their targets. Nevertheless, the overall system can remain vulnerable if communication, coordination, and a shared understanding of the situation are lacking.

The exercise highlighted how important it is to first understand the big picture. What do we want to achieve together? What resources do we have at our disposal? What information are we missing? Who sees something that others don’t yet see? And what are the consequences if I fulfill my own task 100 percent but thereby jeopardize the shared outcome? How do I communicate when words no longer help?  

This perspective is central to cybersecurity. In an emergency, it is not enough for individual departments to function perfectly. IT, leadership, communication, legal, operational teams, and external partners must work together to become capable of taking action. Resilience does not arise from individual optimization, but rather through shared understanding, experimentation, adaptation, and learning. Resilience is a team effort — no one protects critical infrastructure alone.

Another lesson learned from the exercise: Resilient organizations challenge hasty assumptions. They utilize all available resources and ask why others behave the way they do. This mindset is crucial in crises.

Cyber incidents create time pressure, uncertainty, and stress. If people then fail to speak openly, do not report risks, or hesitate for fear of being blamed, an organization loses valuable time. Communication and psychological safety thus become genuine security factors.

That’s another reason why we discussed mistakes and a culture of learning in the workshop. In Germany in particular, failure often carries negative connotations. For resilient organizations, however, it’s not about glossing over mistakes. It’s about viewing them in a nuanced way—as avoidable mistakes, mistakes caused by complexity, and intelligent mistakes. Some errors must be prevented through clear standards and checklists. Others arise in complex situations despite good preparation and are unavoidable, but they must be manageable. Hypothesis-based “intelligent errors” are even desirable and should be consciously encouraged, because they enable new knowledge to be gained in a controlled experimental setting.

The Potsdam Conference explores how we can move from reactive defense to actively shaping security, resilience, and digital sovereignty. Our workshop demonstrated that this process begins within organizations themselves. It begins where people take responsibility not only for their own tasks but also for the system as a whole.

Organizational resilience is therefore not a side issue of cybersecurity. It is a prerequisite for technical strategies to be effective in an emergency. It manifests itself in the way we communicate, make decisions, discuss mistakes, and remain capable of acting amid uncertainty.

For us at the HPI d-school, this means we create learning spaces where people can explore new ways of thinking and acting. After all, future-readiness does not arise from analysis alone. It emerges through collective action. Dealing with mistakes, communicating within teams, and acting in the face of uncertainty are skills that can be learned — here with us!