Why the new Cyber Security and Resilience Bill could set up a boardroom showdown for CISOs
Resilience sits at the heart of any effective cybersecurity strategy. It minimises the opportunities for threat actors to cause damage, and ensures business continuity in even the worst-case scenario.
December 4, 2024
In so doing, cyber-resilience ultimately enhances customer trust, and reduces the financial, reputational and compliance impact of threats. From a critical infrastructure (CNI) perspective, it’s also vital to the UK’s economic and social stability, and even public health.
That’s why the incoming government is pushing ahead with long-overdue plans to update the UK’s NIS Regulations 2018. Whatever form these plans eventually take, any attempt to enhance the cyber-resilience of UK organisations must start in the boardroom.
Long overdue
The Labour government’s Cyber Security and Resilience Bill recognises the huge strain cyber-threats are placing on UK organisations, especially those in CNI sectors. Among the most egregious security breaches of the past 12 months was an attack on a Ministry of Defence (MoD) payroll provider by suspected Chinese state actors. That led to the compromise of 270,000 records belonging to nearly all members of Britain’s armed forces. Another attack, this time by financially motivated Russian ransomware actors, took out a key NHS pathology supplier. It caused over 10,000 acute outpatient appointments and nearly 2,000 elective procedures to be cancelled, urgent calls for blood donations, and other potentially life-threatening disruptions.
The government claims its new law will force improvements in cyber-resilience across key sectors, including their suppliers, in the hope that such incidents will become rarer. Among its proposals is an extension to the scope of the pre-Brexit European rules laid down in the NIS Regulations 2018, bringing more sectors and suppliers into play. Currently, only five sectors and some digital service providers are required to implement “appropriate technical and organisational measures” to manage risks and prevent, minimise and report incidents.
The bill also aims to “put regulators on a stronger footing” to ensure proper cyber-risk mitigation measures are being implemented. This includes “cost recovery mechanisms” to ensure such regulators have the resources they need to proactively investigate. There are currently 12 such regulators, or “competent authorities”. Finally, the government will mandate incident reporting, including ransomware breaches, in order to collect more accurate data on the scale of the challenge and provide early warning of threat campaigns.
Where organisations are failing
These proposals still fall some way short of the NIS 2 regulations now in force across Europe, but they will be welcomed by many. The truth is that, even though cybersecurity budgets are rising in most organisations, cyber-resilience is getting harder. That’s partly because the typical corporate cyber-attack surface continues to expand thanks to a proliferation of IoT devices, cloud adoption, and remote work.
Many organisations struggle to effectively identify and track emerging threats due to insufficient threat intelligence, leaving them vulnerable to exploitation. Outdated software with known vulnerabilities, combined with inadequate access controls, creates additional entry points for attackers. And limited incident response capabilities and the lack of attention to human factors, such as social engineering, are also contributing to the crisis.
Another reason why cyber-resilience is lacking relates to outdated boardroom perceptions of cyber, and poor CISO relations. Our research reveals that in a third of companies, cyber is still treated as part of IT rather than business risk. In fact, most (80%) CISOs claim that their board would only be incentivised to act decisively on business risk if a breach occurred. When that happens, companies usually invest reactively in point solutions that don’t fix the underlying cause of incidents. In a worst-case scenario, they create more work for stretched security teams.
This lack of board engagement in cyber is manifest in another crucial way. Some 79% of CISOs claim to have felt pressure to downplay the severity of the cyber risks facing their company. Over two-thirds say this is because they are seen as “repetitive” or “nagging”, or overly negative. A third even claim they have been dismissed out of hand.
What needs to happen
Uninterested and disengaged boards tend to agree only to bare-minimum security budgets, while eschewing more holistic long-term strategy like security by design. As a result, vital investments aren’t made, products and services are designed with little CISO input until it’s too late, and resilience inevitably suffers in the long run. So how can we fix this?
First, CISOs need to speak a language their board understands. That means using plain language, free from technical jargon, focusing on clear business risks and using relevant metrics. A security platform that delivers a single source of truth about cyber risk in easy-to-consume executive dashboards would help here—with regular updates and even security training for board members ensuring business leaders are well-informed. CISOs must also develop clear, comprehensive and regularly updated security policies that align with industry standards and legal requirements. They should cover everything from data protection and incident response to employee roles and responsibilities in maintaining security.
Boards must also play their part. Regulations like NIS 2, DORA and SEC reporting rules are starting to demand more accountability for and awareness of cyber from senior leaders. It would be great to see something similar included in the forthcoming UK legislation. Boards must realise that it’s in their strategic interest to enhance cyber resilience. At a bare minimum, important digital transformation projects will not deliver the growth they promise unless built on secure foundations.
The Cyber Security and Resilience Bill may only cover CNI, but organisations of all sizes and sectors need to get better at resilience. CISOs know best how to achieve this. But only by closing the boardroom credibility gap will they finally be heard.