By Glen Williams, CEO, Cyberfort


There is a phrase that should concern every board member and security leader operating in today’s threat landscape: “We’re covered.”

It sounds reassuring. It implies preparedness. In reality, it often signals the opposite.

Cyber-insurance has matured rapidly over the past decade into a legitimate and important component of organisational risk management. Policies now routinely cover business interruption losses, legal and regulatory costs, incident response support, ransom negotiations and reputational recovery. For organisations hit by a significant breach, that financial cushion can be genuinely significant.

But somewhere along the way, too many organisations began treating the policy as a proxy for the security strategy itself. Buying cyber-insurance cover became the endpoint rather than the backstop. And that confusion is now creating a dangerous gap between perceived protection and actual resilience.

Insurance covers the aftermath

A payout, however substantial, cannot restore trust with customers overnight. It cannot reverse reputational damage. It cannot undo the operational disruption of a manufacturing plant grinding to a halt, a logistics network going dark, or a hospital losing access to patient records. And it absolutely cannot stop an attacker who has already found their way in.

The financial mechanics of insurance have never been designed to do those things. They exist to absorb economic shock after an incident, not to reduce the likelihood of one occurring.

What drives likelihood is resilience. And resilience is something most insurance policies neither measure nor reward, at least not yet.

What insurers are actually asking for

The cyber-insurance market has changed significantly. A few years ago, insurance companies were issuing policies based on relatively lightweight questionnaires, broad assumptions about controls and limited scrutiny of what organisations had actually deployed. That era is closing.

Underwriters today want evidence. They want to see demonstrable incident response capability, not a document that has never been tested. They want visibility into backup maturity and recovery timelines. They want governance structures, identity and access management, third-party risk controls and, increasingly, proof of continuous monitoring and detection capability.

The question insurers are quietly beginning to ask is no longer simply “do you have controls in place?” It is “can you prove your environment is defensible and recoverable?” Those are meaningfully different questions, and many organisations are not yet equipped to answer the second one convincingly.

For businesses that cannot demonstrate genuine operational resilience, the implications are tangible: higher premiums, reduced coverage limits, more restrictive policy exclusions and, in some cases, rejected claims where the insurer determines that basic controls were absent.

The compliance trap

Much of the problem stems from how organisations still approach cyber-security. The dominant mindset in many businesses remains compliance led. Have we achieved the relevant certifications? Have we filled in the annual questionnaire? Have we renewed the policy? Box ticked.

What that mindset consistently fails to ask is the more important operational question: could we continue functioning if we were attacked tomorrow?

Compliance and resilience are not the same thing. Passing an audit demonstrates that, at a point in time, documented controls existed. It says very little about whether those controls would hold under pressure, whether staff would know what to do in a crisis, or whether systems could be recovered at the speed the business actually requires.

The organisations that discover these gaps most painfully are those that find them during an incident rather than before.

The human layer remains the weakest point

One of the persistent realities of modern cyber-risk is that the most sophisticated technology stack in the world can be bypassed by remarkably simple means. Attackers do not always need advanced tooling. Sometimes they need someone to hold a door open, a member of staff to click a plausible-looking email, or a supplier with legitimate access and poor credential hygiene.

The human and operational layer of risk remains stubbornly underestimated: tailgating, impersonation, social engineering, compromised third-party access and weak verification processes. These are the vectors that continue to feature in significant incidents, not because they are new or sophisticated, but because they exploit trust, routine and the natural tendency of people to prioritise helpfulness over scepticism.

Insurance provides no meaningful protection against these vectors. Only operational rigour does.

Recovery is now a board-level question

The conversation in most boardrooms has shifted from whether a breach might happen to what would happen if it did. That shift in framing is healthy, but it demands a corresponding shift in investment and preparation.

Boards are now asking how quickly systems could be recovered, what a period of downtime would cost, which data and processes are genuinely critical and whether the business could continue trading through an incident. These are not questions that insurance answers. They are questions that resilience planning answers.

Cyber-resilience has become as much a business continuity issue as a technology issue. Recovery speed, containment capability, crisis communications, operational fallback: these capabilities need to be built, tested and embedded before an incident occurs, not assembled under pressure in the middle of one.

Confusing policies with protection

None of this is an argument against cyber-insurance. It remains an important layer of protection and a sensible component of any risk management programme. For businesses operating at scale, or in regulated sectors, it is increasingly non-negotiable.

But it should be understood clearly for what it is: a financial backstop, not a strategy. It is the last line of defence, not the first. It will solve some of your problems, but not all.

The organisations best positioned today are not those with the largest policies. They are the ones that have genuinely understood where their risk sits across people, processes and data; that have built demonstrable operational resilience; and that can show insurers, customers and regulators alike that they are materially harder to disrupt than their peers.

In a threat landscape where the question is no longer ‘if’ but ‘when’, the most dangerous words a business leader can say are still “We’re covered.”

Read the article on teiss here: https://www.teiss.co.uk/news/covered-but-not-protected

By Glen Williams, CEO, Cyberfort


Neurodiversity is no longer a niche workplace issue. It is part of the reality of modern teams, modern leadership and modern performance. For HR and business leaders, that presents a clear opportunity. Organisations that create environments where different thinking styles can do their best work will be able to widen their talent pool, improve decision making and build more resilient teams. The outcome is not simply a more inclusive culture, but a more capable one.

The CIPD estimates that around one in five people are neurodivergent in some way. Many will never disclose a diagnosis to their employer. If hiring and management processes only work for people who fit a narrow, outdated definition of how a strong candidate should communicate, collaborate and perform under pressure, organisations risk missing exceptional talent. In a labour market where skills are scarce and competition is high, that becomes a commercial issue.

I lead a cybersecurity business, where complex problem solving, accuracy and judgement are critical. But this is not unique to technology or security. Any organisation that depends on analysis, creativity, sustained concentration or precision can benefit from neurodivergent talent, provided it designs work in a way that allows people to thrive. The focus should not be on labels. It should be on capability.

Understanding strengths without falling into stereotypes

It is important to approach neurodiversity carefully. It is not a single profile and it does not map neatly onto job roles. Even within the same diagnosis, there is huge variation. The aim is not to stereotype or assume strengths. The aim is to recognise that organisations perform better when they make room for different cognitive approaches rather than rewarding one narrow model of professionalism.

In high pressure and technical environments, certain strengths often emerge. Some people can sustain deep focus for extended periods when working on tasks that engage them. When supported properly, that can translate into exceptional output and consistency in complex work. Some individuals have outstanding attention to detail, which is invaluable in roles that depend on spotting patterns, anomalies or risks.

Another commonly overlooked strength is direct communication. Some neurodivergent individuals communicate literally and clearly. In the right environment, this can improve performance because ambiguity is reduced and assumptions are challenged early. What may be misinterpreted as bluntness is often precision. In organisations where unclear communication is a major cause of inefficiency, precision is an advantage.

Designing work for performance, not exceptions

Many organisations still approach neurodiversity through the lens of individual adjustment, making one-off accommodations for a small group of people. While well-intentioned, this can create friction. Managers can feel they are being asked to make special arrangements, and employees can feel singled out.

A more effective approach is to start with the workplace itself. Ask what great work requires and what gets in the way. Then design roles, expectations and workflows accordingly. This shifts the focus away from looking to “fix individuals” and towards creating an environment where different people can perform well.

For some roles, this means protecting time for deep work and reducing unnecessary interruptions. For others, it means clarity around priorities and outcomes. In some cases, it involves structuring work into defined packages with clear deliverables rather than expecting uniform output every day. Some people do their best work in intense periods of concentration followed by recovery time. If the only accepted model is steady daily output, high performers can be misjudged as inconsistent when the real issue is misaligned work design.

This is not indulgence. It is effective workforce planning. It also benefits everyone, not just neurodivergent employees.

Rethinking recruitment to avoid losing talent

Recruitment is one of the most common points at which organisations lose neurodivergent candidates, often without realising it. Exclusion is rarely intentional. More often, it happens through outdated hiring practices that prioritise performance in interviews over evidence of capability.

For example, interviews frequently reward confidence, speed and social cues. Those qualities are not reliable indicators of job performance. Small changes can significantly improve fairness and effectiveness. To make interview processes accessible for neurodivergent candidates, organisations should be explicit about what candidates can expect from the process, which can include sending interview questions to candidates in advance of any interview. Hiring managers should use clear, direct questions that invite evidence rather than hypothetical scenarios. The approach should be to treat interviews as structured conversations, not tests designed to catch people out.

Silence should be allowed. Some people need time to process and formulate strong responses. Eye contact and body language should not be treated as proxies for competence. Time should be used well. If a CV has already been reviewed, asking a candidate to repeat it adds little value.

Where possible, skills-based assessments should play a greater role. Practical exercises and work sample tests often provide a more accurate picture of capability and reduce the noise created by interview performance. They also tend to be fairer for all candidates, not just those who are neurodivergent.

Moving from disclosure to curiosity

One of the most powerful shifts organisations can make is moving away from disclosure-led support towards curiosity-led leadership. Rather than waiting for individuals to disclose a diagnosis, leaders should normalise asking a simple question such as: ‘How do you like to work at your best?’

This opens up conversations about communication preferences, working patterns, meeting styles and feedback without requiring labels. It also supports people who are undiagnosed, unsure or private. The result is a workplace that is better designed for everyone, not just those who feel able to speak up.

The cost of standing still

The business risk of failing to adapt is real. The National Autistic Society highlights that only around three in ten autistic adults are in work. That statistic points to a significant pool of untapped capability. It also highlights how much talent is filtered out by systems that were designed for a workforce of the past.

There is also a retention risk. As awareness grows, more people will articulate what they need to do their best work. If organisational culture treats reasonable adjustments as an inconvenience or advantage seeking, engagement will suffer and talent will leave. Often, leaders will never know what they lost, only that performance declined and hiring became harder.

Building workplaces that let different minds excel

Neurodiversity is often framed as a moral issue. It is that, but it is also a strategic one. Organisations that succeed in the coming years will be those that stop trying to standardise people and start designing work that allows different minds to excel.

This is not about policies or slogans. It is about building workplaces that think better, adapt faster and perform more consistently under pressure. For HR and business leaders, that is not a future aspiration. It is a present-day advantage.

Read the article on The HR Director here: https://www.thehrdirector.com/features/neurodiversity/neurodiversity-reshaping-attraction-retention/

Featuring Nige Wilkinson, COO, Cyberfort


Cybersecurity regulation is changing, driven by a need to be more robust in the face of increasingly sophisticated attacks. As 2026 kicks off, what are the key regulatory changes that will impact UK businesses?

Cyber Resilience Will Be Essential

One major piece of legislation expected in the coming year is the Cyber Security and Resilience Bill, which brings with it a new set of resilience requirements. As the Bill enters Parliament, cyber resilience will “stop being a compliance checkbox” and “become a board-level operational performance test that recognises people, ways of working and the technology needed to succeed,” says Dan Jones, senior security advisor at Tanium.

“The UK government is making it clear that ‘reasonable steps’ and after-the-fact reporting won’t fly in a world where one weak supplier can knock out hospitals, councils or entire supply chains, affecting the livelihoods of families and whole communities,” he says.

Over the next year, organisations that can’t prove continuous control of their environments will be “exposed to regulators, customers, and to reality,” he warns.

A key shift, which will not feature as one bill or regulation, is “the incorporation of demonstrable operational resilience into existing legal and regulatory frameworks,” adds Martin Davies, senior audit alliance manager at Drata. “Beyond having security policies in place, firms need systems and suppliers that can withstand disruption and recover within defined tolerances. This already exists as part of the Financial Services regulatory outlook (FCA’s Operational Resilience PS21/3) and is likely to become a facet of regulatory requirements in broader sectors.”

More Companies Will Find Themselves In Scope Of Key Regulation 

As the Cyber Security and Resilience Bill comes into force, it brings with it mandatory adoption of the Cyber Assessment Framework across critical sectors. The scope of regulation expands as the definition of Relevant Managed Service Providers (MSPs) is broadened, placing more of these firms “directly in the regulatory spotlight,” says Jamie Akhtar, CEO and co-founder of CyberSmart. “This change introduces new duties around incident reporting, baseline security controls and formal assurance, meaning that both service providers and their customers must operate with far greater transparency and discipline.”

Supply Chain Risk in The Spotlight

In 2026, regulation will put supply chain risk under the spotlight, experts predict. Supply chain risk has become “hard to ignore,” says Akhtar. High-profile interventions such as the FTSE 350 cyber letter and the latest CSM v4 requirements for defence suppliers have “pushed the issue into the mainstream,” he says.

Large organisations now expect their upstream suppliers, including SMEs, to show that they have implemented basic controls and can maintain resilience in a “consistent and certifiable way,” according to Akhtar. “The bottom line is that we will see the emergence of a market that values demonstrable, continuous cyber competence over declarations of intent.”

The Cyber Security and Resilience Bill will introduce “tougher scrutiny of supply-chain security,” adds Sam Peters, chief product officer at IO. “It will require organisations to standardise supplier due diligence, risk scoring and ongoing monitoring across departments to avoid fragmented processes. Businesses will also need to link supplier controls directly to the organisation’s risk register and resilience expectations, and maintain continuous assurance evidence for high-risk suppliers rather than relying on one-off questionnaires.”

In 2026, third and fourth-party cybersecurity will come under even greater scrutiny, says Mike Smith, partner – security at TXP. “Companies that fail to meet required security levels risk losing business over the coming months as the risk for their customers is simply too high.”

Security initiatives, such as red teaming and penetration testing, and developing robust processes around reporting, “will be crucial for suppliers, ensuring their security standards stand up to external scrutiny,” he adds.

Accountability Requirements Put CISOs “In The Firing Line”

In 2026, legislation such as the UK’s Cyber Security and Resilience Bill will “radically reshape accountability for cyber breaches,” by expanding the definition of critical infrastructure and introducing mandatory 24-hour breach reporting, with escalating fines for non-compliance, says Mark Jow, technical evangelist EMEA at Gigamon.

This legal shift puts CISOs “directly in the firing line,” says Jow.

Ultimately, the legislation moves cyber resilience “decisively into the boardroom,” says Nigel Wilkinson, COO at Cyberfort. “It will no longer be credible for senior leaders to say cyber is ‘owned by IT.’ Regulators will expect clear accountability, informed oversight and proof that cyber resilience is treated like any other critical business risk.”

High-Profile Attacks Will Give The Cyber Security And Resilience Bill A Political Boost

The attacks of 2025 — and the downtime as a result — will inevitably make the Cyber Security and Resilience Bill a key focus in 2026, says Mike Upton, director of partnerships and ecosystem, e2e-assure. “Historically the attitude among critical organisations has been to hold back budget and deal with issues post-breach, with little understanding of how harmful or expensive an approach that can be.”

The Bill promises to change this by making critical organisations implement risk management and improve their cyber posture, he says. “While there are still aspects to be finalised, the requirements as they currently stand could still see some stakeholders baulk at the spend required to ensure compliance. If that happens, there will inevitably be a few sacrificial scapegoats to encourage other entities to fall into line.”

UK Government Could Introduce Regulatory Sandboxes for AI

In 2026, it is likely there will be developments in the UK government’s plans to introduce regulatory sandboxes for AI, says Kate Densiton, tech regulation lawyer at Bird & Bird. “In its consultation document on the sandboxes, it said evidence from pilots could lead to regulatory reforms, enabling UK businesses to adopt trusted AI. Having launched a consultation in late 2025, some legislation will be needed over the coming year to give the mandate, budget and scope for the conduct of the AI sandboxes.”

In the UK, it is still unclear what specific regulation will be implemented by the government covering AI. With so many aspects unresolved, there’s “a clear risk that AI usage by UK industry will be impacted by uncertainty,” says Densiton.

In-house lawyers must keep up to date on developments and decide how best to advise the business within the current environment, she says. “We expect the UK government to implement an incremental, narrow regulatory framework for AI in the UK, but clarity might not come until late 2026.”

Read the article on SC Media UK here: https://insight.scmagazineuk.com/regulation-predictions-key-uk-legislation-changes-coming-in-2026

By Nige Wilkinson, COO, Cyberfort


For many board directors in financial services, cyber security confidence is built on certificates, audit reports and regulatory tick boxes. The problem is that none of these things, on their own, actually prove an organisation is secure.

In recent years, regulation has pushed firms to demonstrate compliance at pace. In response, many institutions have invested heavily in frameworks, accreditations and assurance programmes that look reassuring on paper. But too often, this has created an illusion of control rather than genuine operational resilience. The result is what many security leaders now describe as ‘paper security’.

Compliance is not the same as capability

Frameworks such as ISO 27001, SOC reporting and sector-specific regulatory requirements have an important role. They create common language, minimum standards and accountability. But they were never designed to prove that a business can withstand a real-world cyber attack.

Firms collect certificates, pass audits and reassure boards that security is under control, even when fundamental weaknesses remain. Accreditations are frequently delivered through narrowly scoped assessments that focus on documentation rather than behaviour, process effectiveness or real technical capability.

This is compounded by the growth of providers offering compliance-led security services without the depth of expertise needed to deliver operational defence. In some cases, organisations receive assurance from firms that are not equipped to detect, respond to or recover from advanced attacks. The paperwork is correct, but the protection is thin.

Recent regulation has unintentionally reinforced this behaviour. The introduction of initiatives such as the Digital Operational Resilience Act and evolving FCA expectations around operational resilience have increased pressure on firms to demonstrate compliance quickly. The risk is that boards see regulatory alignment as the end goal, rather than a baseline from which real security maturity must be built.

The real cyber challenges financial services now face

As we move through 2026, the threat landscape facing financial services is becoming more complex, not less. Attackers are increasingly patient, well-funded and focused on exploiting operational weaknesses rather than technical flaws alone.

Supply chain compromise remains one of the biggest risks. Financial institutions are deeply interconnected with technology providers, outsourcers and partners. A single weak link can provide attackers with privileged access that bypasses traditional controls. Regulation has highlighted this risk, but many organisations still rely on questionnaires and contractual assurances rather than active oversight.

Ransomware continues to evolve, with attackers shifting focus from encryption to data theft and extortion. This puts regulatory, reputational and legal pressure on organisations simultaneously. At the same time, identity-based attacks are rising, exploiting gaps in access management and user behaviour rather than software vulnerabilities.

One widely cited industry study shows that the majority of successful breaches now involve compromised credentials rather than technical exploits. This reinforces the point that documentation and policy alone do not stop attacks. Day-to-day operational discipline does.

Moving from paper security to operational maturity

The answer is not less regulation. It is a better interpretation of what regulation is trying to achieve. Boards need to move beyond asking whether the organisation is compliant and start asking whether it is genuinely prepared.

Operational maturity is about evidence, not paperwork. Can the organisation detect an attack quickly? Can it contain damage? Can it recover critical services under pressure? These questions cannot be answered by an audit report alone. They require testing, rehearsal and continuous improvement.

This shift also requires clarity about the role of security partners. Firms should be wary of providers that lead with certificates rather than capability. Effective security comes from teams that understand the threat landscape, can operate in real time and are accountable for outcomes, not just assessments.

Encouragingly, there is growing recognition across the sector that security must be treated as a business resilience issue rather than a compliance exercise. Regulators are increasingly focused on outcomes, not intent. That creates an opportunity for boards to reset the conversation and invest in security that works when it matters most.

Security That Works When It Matters

Compliance will always be part of financial services security. But when it becomes the primary measure of success, it creates dangerous blind spots. Paper security may satisfy auditors, but it does not stop attackers.

As regulation continues to evolve, boards have a choice. They can use compliance as a comfort blanket, or as a foundation on which to build real operational resilience. In 2026, the difference between the two will be felt most clearly when things go wrong.

Read the article on Finance Derivative here: https://www.financederivative.com/when-compliance-becomes-a-blind-spot-why-boards-are-being-misled-on-cyber-security/

By Glen Williams, Cyberfort CEO


When technology looks the same, the real differentiation comes from honesty and long-term relationships

Today, in every corner of the channel, a race is taking place. Businesses are scrambling to attach themselves to the latest technology breakthrough, the newest AI model, or the most eye-catching automation platform. There is a belief that technological novelty alone will secure the next wave of business growth.

But in truth, technology is no longer the great differentiator it once was. AI is becoming accessible to everyone. Automation is no longer a luxury but a standard expectation. The more these innovations level the playing field, the more the real advantage shifts somewhere perhaps less glamorous and far more human: trust.

Trust over technology

Trust needs to become the channel’s ultimate currency. In the noise of competing messages, escalating product complexity, and a market full of solutions that all claim to be good enough, customers are tired. They are overwhelmed by choice, confused by jargon, and increasingly sceptical that a vendor has their best interests at heart.

What they are now seeking, and what they will increasingly value, are partners who act with integrity, who guide rather than simply sell, and who view the relationship as more important than a transaction.

As a channel leader, I have watched the shift happen in real time. The organisations that continue to grow are the ones that understand that trust is not a soft value or a marketing slogan. It is the most strategic asset any partner can build.

Integrity shows up not in what a partner sells, but in how they sell it. Customers can sense the difference between someone pushing a product to hit targets and someone giving clear, expert advice, even when that advice means recommending a different solution or admitting that their own services are not the right fit. The partners who are willing to take short-term losses for long-term honesty almost always build stronger, more profitable relationships over time.

Across the channel, this gap in trust is growing. Nowhere is it more visible than in cybersecurity. Too many companies are being sold inexpensive certifications or basic tools that tick compliance boxes but offer little real protection. It creates a dangerous illusion of safety, one that leaves organisations exposed to threats capable of bringing their operations to a halt.

Many businesses may not fully understand what they are buying or what specific risks they need to defend against. When vendors oversell lightweight solutions or fail to explain their limitations, they widen the divide between perceived security and actual resilience. If the channel is not truthful about what genuinely protects a business, we will never meaningfully secure the systems, data, and assets companies depend on.

This is where the best channel partners stand apart. They are the ones willing to say, “This will not keep you safe, and here is why.” They are transparent about risks, realistic about solutions, and confident enough in their expertise to risk losing a sale to protect a customer. In an industry drowning in noise, honesty becomes a refreshing and memorable differentiator.

Integrity is the new value driver

There is no denying the impact of AI on the channel. Much like cloud computing before it, it is transforming service delivery, accelerating product development, and reshaping how partners support customers. But it is also making many offerings look increasingly similar. When technology becomes commoditised, value shifts from what you provide to how you provide it.

AI can solve many real problems for businesses. But over the last 24 months, the market has been flooded with products hastily rebranded as AI to capitalise on the hype. Too often, the technology underneath has not meaningfully changed at all. Partners and customers are left wondering whether these tools genuinely deliver intelligent capability or whether the label has been added simply to accelerate sales. This opportunistic branding only adds to the noise and deepens the trust issues already growing in the channel.

This is why the partners who will thrive in the next decade are those who weave integrity into every part of their business. They create cultures where honesty is rewarded, not penalised. They train teams not only in product knowledge but in ethical decision-making and long-term thinking. They make transparency part of their everyday language, whether discussing pricing, capability limitations, risks, or alternatives. They invest in deep expertise, certifications, systems and processes so their recommendations genuinely protect customers rather than simply helping them pass an audit.

When trust becomes central to a company’s identity, everything changes. Conversations become more open. Loyalty strengthens. Customers begin to see partners not as suppliers but as advisors, people who act in their interest, provide clarity in complexity, and anchor decisions in truth rather than trends.

The channel’s future will not be defined by who adopts the most AI, automates the fastest, or sells the most security certifications. Those things matter, but they are no longer enough. The real competitive edge now lies in relationships built on transparency, ethics, and consistency. Partners who embrace this shift will find themselves winning not because of the flashiness of their offering but because customers believe in them.

Trust may not seem glamorous, but in a landscape crowded with identical claims and interchangeable technologies, it is the most powerful strategy we have.

Read the article on IT Pro here: https://www.itpro.com/business/business-strategy/why-trust-not-tech-will-decide-the-channels-future

By Glen Williams, Cyberfort CEO


For years, cybersecurity has been filed under the responsibility of the IT department, as if resilience could be achieved through technical controls alone. Yet the greatest weakness facing UK enterprises today is not a new strain of malware but persistent overconfidence in the boardroom. Far too many senior leaders believe their organisations are fully protected, while the operational reality tells a different story. This disconnect leaves businesses exposed in ways they often discover only after an attack.

The challenge is not a lack of technology. It is the misconception at the top that cybersecurity is in hand, when credentials, processes and controls are often outdated or incomplete. This happens not because IT teams are careless, but because they are expected to deliver enterprise-grade protection with limited budgets and little involvement from the wider business. The result is a dangerous mismatch between executive confidence and actual resilience.

Why board confidence rarely reflects reality

Boards usually receive cybersecurity updates in heavily distilled form: heat maps, compliance reports or certificate renewals. This creates an illusion of protection. If the business passed its annual assessment, leaders assume the organisation is secure. If an auditor issued a certificate, they believe it represents ongoing protection. Yet certificates do not stop attacks, and they are meaningless if the underlying controls are not actively maintained.

A certificate reflects a moment in time, not the evolving risk position of a complex organisation. Attackers operate continuously while many businesses validate their defences annually. This mismatch leaves leadership teams with a confidence that is rarely justified. They equate compliance with protection, despite the two being very different measures.

Within IT departments, the picture is more complicated. Teams manage legacy systems, incomplete identity controls and cloud environments that have grown faster than governance. They know where vulnerabilities sit, but without adequate investment and cross-functional alignment they cannot address them. Executives assume infrastructure is protected, but those responsible for that protection are often aware of gaps they lack the bandwidth or budget to close.

Minding the communication gaps

A recurring issue is the lack of a shared language between technical teams and business leadership. CIOs and CISOs may outline risks clearly, but by the time those risks reach the board, they are simplified in ways that remove critical nuance. This turns cybersecurity into a tick-box exercise rather than a strategic dialogue.

Another misconception is that having an IT department inherently makes the organisation safe. Cybersecurity relies on every employee, supplier, process and system being aligned to the same standards. Yet many leaders behave as if they have “purchased” safety in the way they might purchase insurance. If you cut the budget, you cut the protection.

Communication gaps worsen the problem. IT teams know when infrastructure is too old to patch or privileged accounts have proliferated, but unless leadership treats this as business-critical intelligence, the issues remain. Without a culture that values transparency, teams stop escalating concerns because they no longer expect change to follow.

Creating a culture of accountability

Resilience begins when leaders recognise cybersecurity as a shared responsibility. Technology alone will not save a business. What matters is governance, ownership and culture. Senior leaders must move cybersecurity to the top of the agenda and empower their CTOs, CISOs and IT teams to implement the processes needed to protect the organisation.

This means aligning budgets to risk, not convenience. It means embedding cyber considerations into every strategic decision, just as financial or legal risks are considered today. It also requires ensuring the technical truth reaches the board without being diluted into a reassuring summary.

The wider workforce also plays a critical role. Employees need clear guidance, practical training and consistent reinforcement. Cybersecurity cannot be left to a single team; it must be lived across the organisation.

Why the Cyber Security and Resilience Bill matters

The government’s Cyber Security and Resilience Bill is a reminder that the UK must raise its defensive posture. The Bill aims to set minimum resilience standards and strengthen supply chain protections. Supply chains remain one of the weakest entry points for attackers. Organisations can invest heavily internally only to be breached through a trusted supplier with inadequate controls.

If boards better understood what the Bill entails and what is missing from their current plans, they would be more able to empower their technical leaders. Understanding regulatory direction allows organisations to invest proactively and promotes accountability across suppliers, lifting standards across the entire ecosystem.

A call to the boardroom

Cybersecurity will only improve when overconfidence is replaced with informed responsibility. Leaders cannot assume they are protected because they have an IT team, a certificate or a budget line. Resilience demands engagement, investment and continuous dialogue. It requires CEOs and boards to treat cybersecurity as a business imperative, not a technical afterthought. Only then will UK organisations be prepared to defend themselves against the threats that evolve around them every day.

Read the article on Networking Plus here: https://networkingplus.co.uk/news-details?itemid=9364&post=the-cybersecurity-blind-spot-at-the-top-915204

Leaders from Bechtle, Cisilion, Computacenter, Cyberfort, Focus Group, Phoenix Software and Softcat weigh in


Glen Williams, Cyberfort CEO

Where does Cyberfort stand on peer-to-peer partnerships?

We work with your traditional VAR partners. Their security solutions are based on a vendor and some wraparound services, which is very different to doing pen testing, cyber consulting or secure by design work, which is what we do. In essence, we are the cybersecurity experts for some of these partners. Some of them have almost outsourced cybersecurity to us, and we almost white label it.

It’s not extensive, but we’re looking to try and grow it next year.

What’s your top tip for a successful peer-to-peer partnership?

There’s no right or wrong answer. Some people want to have one organisation to deal with. Others want to know they’re working with two companies and one’s an expert in the space. It just depends.

What I’ve seen work better is when they say, ‘this is the expert, and this is why we brought them in’ – typically that works well.

Read the full article on IT Channel Oxygen: https://itchanneloxygen.com/7-partner-leaders-on-rise-of-peer-to-peer-partnerships/3/

Glen Williams at Cyberfort argues that the real cyber-security vulnerability in businesses is leadership, not technology


For too long, many organisations have viewed cyber-security as a technical problem that sits squarely with the IT department. This belief has always been misguided, but in today’s modern threat landscape it is actively dangerous. The pace and sophistication of cyber-attacks have risen dramatically, yet many leadership teams remain detached from the operational reality of defending their organisations. Cyber-risk is now not just a technology risk but a business risk, and the C-suite needs to treat it as such.

When leadership teams put cyber-security solely on the shoulders of IT, they inadvertently set the entire organisation up for failure. Most IT teams are already stretched thin, supporting every corner of the digital environment from infrastructure and devices to data management and software. Many operate with budgets that are already tightly allocated. Expecting them to carry full responsibility for safeguarding the business is neither fair nor feasible. 

A culture of shared cyber-security accountability can only emerge when leaders understand that cyber-resilience is woven into every aspect of the organisation, from finance and operations to human resources and procurement.

Putting cyber-risk on the boardroom agenda 

The first step is to make cyber-risk a standing agenda item at board level. Leaders must receive clear, contextualised reporting on cyber-exposure, emerging risks and the effectiveness of current controls. This reporting should be framed in terms of business impact rather than technical jargon so that conversations become strategic and informed. 

Senior leaders should ask questions, challenge assumptions and make sure that cyber-security decisions align with wider corporate objectives. In doing so, they signal to the entire organisation that cyber-security is not a back-office concern, but a core business priority.

To embed this mindset further, executives must take visible ownership of cyber-security behaviours. When leaders follow secure practices, complete training on time, and talk openly about cyber-security responsibility in staff communications, they demonstrate that cyber-security is a shared obligation that extends well beyond IT. Culture flows from the top, and employees are far more likely to take cyber-security seriously when they see leadership doing the same.

Stop chasing badges and build meaningful governance

Many organisations pour money into certifications and accreditations, believing they offer blanket protection. While frameworks such as Cyber Essentials or ISO standards have their place, they are only as effective as the strategy and partners supporting them. Accreditation without genuine operational understanding creates a false sense of security. A certificate on the wall does not stop a phishing attack, an internal breach or a misconfigured cloud service. Without the right partner to interpret, implement and maintain controls dynamically, these accreditations can become expensive tick-box exercises that lull leaders into dangerous complacency.

Effective cyber-security governance requires more than compliance. It demands clarity around roles, responsibilities and accountability across all levels of the business. Leaders should establish a governance model that connects cyber-strategy to business strategy with defined ownership for each area. This often includes forming a cross-functional cyber-security steering group which brings together representatives from IT, risk, finance, HR and operations. This group can help ensure that decision-making is balanced, informed and aligned with organisational goals rather than being driven by isolated teams.

Investment decisions should also be governed with maturity rather than panic. Many boards fall into the trap of approving new cyber-security tools whenever a new threat emerges. This reactive spending rarely leads to meaningful resilience. What is needed instead is an investment model based on risk, impact and long-term value. Leadership teams should build a clear picture of their threat profile and identify which controls genuinely reduce risk. With the right partner involved early in this process, organisations can avoid costly missteps and build a programme that enhances resilience rather than simply expanding the toolset.

The key message is simple. Responsibility for governance rests with senior leadership. IT can implement controls, but they cannot decide the organisation’s risk appetite, they cannot resolve budget constraints, and they cannot influence culture on their own. Governance becomes effective only when the board is actively involved, asking the right questions and treating cyber-security as a strategic enabler rather than a compliance requirement.

Turning cyber-security from a burden into a shared duty

The success of any cyber-strategy, however, depends on how well it is communicated across the organisation. Leadership teams play a critical role in shaping these communications so that cyber-security responsibility becomes an everyday consideration rather than an occasional reminder. Too many organisations rely on one-off training sessions or dense policy documents that fail to resonate with staff. What is needed is a continuous communication strategy that keeps cyber-security relevant and accessible.

Open dialogue should be encouraged about cyber-incidents and near misses. When employees understand that reporting suspicious activity is welcomed rather than discouraged, they become an essential layer of defence. Executives can reinforce this by sharing anonymised case studies or lessons learned from industry breaches. This makes cyber-risk tangible without creating fear. The goal is to foster a culture in which people feel informed, involved and empowered.

Communication must also address the reality of today’s hybrid and decentralised working models. Cyber-security behaviours outside the office are just as important as those inside. Staff need to understand that secure practices extend to home networks, personal devices and remote collaboration tools. Leadership should ensure that communications and policies reflect this, offering guidance that is practical and straightforward.

The long, winding road to cyber-protection

Finally, boardroom members must recognise that cyber-security is not a destination but an ongoing journey. 

Threats evolve, technology evolves and organisations evolve. Maintaining a culture of shared accountability requires consistent communication about progress, changes in risk and improvements being made. This transparency builds trust and reinforces the message that everyone has a part to play.

Organisations that build this communication culture are those that move beyond the outdated notion that cyber-security is an IT problem. Instead, they create an environment where resilience is collective, governance is embedded and investment is aligned with need rather than novelty. In a world where every organisation is a potential target, this cultural shift is not optional. It is the only sustainable path to long-term protection.

The leadership teams that thrive in this era will be those that understand their influence reaches far beyond strategy and finance. They set the tone, define priorities and model behaviour. 

By taking ownership of cyber-accountability, aligning governance with investment and communicating with clarity, they create an organisation where every individual becomes part of the defence. That is how modern resilience is built and how businesses protect not just their systems but their future. 

Read the article on Business Reporter here: https://www.business-reporter.co.uk/management/cyber-security-a-critical-concern-for-the-c-suite

Nige Wilkinson – COO – Cyberfort


The introduction of the Cyber Resilience Bill marks a defining moment in the UK’s approach to digital security. For years, regulation has focused on the most visible parts of the critical national infrastructure, but the digital economy has become far more interconnected and far more dependent on the unseen operators that keep it running.

By widening the scope to include data centres, managed service providers and a new class of critical suppliers, the bill recognises that resilience is shaped not only by the organisations at the forefront of service delivery but also by those embedded deep within the national supply chain.

This shift is an important one. Data centres and managed service providers are now fundamental to how business is conducted. They host the information that fuels decision making, the platforms that support essential public services and the systems that underpin national productivity. Yet the bill’s current definition of a critical supplier remains broad and, at present, untested.

The absence of clear consultation with the industry on what constitutes criticality leaves room for uncertainty. A data centre hosting low risk workloads could be treated in the same way as one supporting essential public services. For operators and investors alike, such ambiguity could influence future development decisions and impose new requirements that are not aligned with the risk profile of their services.

While the details of classification require further refinement, the intention behind the legislation is sound. Cyber threats increasingly exploit the gaps that exist between interconnected partners rather than focusing solely on direct targets. As organisations have matured their own defences, attackers have looked outward to the suppliers and service providers that form the operational backbone of modern businesses. 

The bill acknowledges this reality. It places supply chain resilience at the forefront of regulatory attention and emphasises that security must be consistent from end to end if it is to be effective.

Training people is easy. Securing partners is harder

Employees are often highlighted as the main vulnerability within organisations, yet they are also the most addressable. People can be trained, educated and equipped to understand the nature of evolving threats. Supply chains, by contrast, are more complex. 

They are formed of partners who do not always adhere to the same standards and who may have very different levels of maturity in their own security practices. Without shared expectations and a unified framework, individual resilience will never translate into ecosystem resilience. The new provisions for faster incident reporting and enhanced enforcement powers are therefore meaningful steps towards creating a more transparent and accountable operating environment. They encourage collaboration, raise the collective bar and help ensure that weaknesses cannot be hidden within the less visible layers of the digital infrastructure.

Resilience requires more than regulation

However, true cyber resilience cannot be guaranteed by regulation alone. It must become embedded within organisational culture. Some businesses are still not fully compliant with GDPR despite its introduction seven years ago. Compliance, by itself, does not create resilience. 

It is the minimum threshold, not the desired state. The new bill risks becoming another set of obligations that organisations react to rather than a catalyst for genuine transformation. The success of the legislation will depend on whether businesses choose to act now to strengthen their security posture or wait until the obligation becomes unavoidable.

Cyber resilience is ultimately about safeguarding the data, systems, people and partnerships that underpin both economic stability and public trust. The bill sends a clear message that resilience is no longer a matter of choice but a shared responsibility. Those who begin preparing today will be best placed to thrive in a future where cybersecurity is not an operational consideration but a fundamental requirement for sustainable growth.

UK based Cyber Security Services provider Cyberfort, today announced the appointment of Kathy Stokes as Chief Revenue Officer. Stokes brings over 25 years of sales experience in the cyber, cloud, and managed services industries, and has worked with FTSE 250 organisations, financial institutions, insurers, public sector, retail and enterprise customers to help them tackle their complex security challenges. Most recently Stokes was Head of Sales at Sapphire, driving growth through strategic partnerships and sustainable customer outcomes.

In her new role, Kathy will oversee all revenue-generating functions and will be responsible for accelerating Cyberfort’s growth trajectory, expanding the company’s market presence.

“I’m excited to be joining Cyberfort and looking forward to helping the company realise its growth ambitions,” said Stokes. “The cyber security, cloud and colocation services they provide are crucial to keeping businesses and public sector organisations secure, resilient and compliant. The reason I’ve joined is I see the potential to scale the company’s go-to-market strategy and deliver great services to their customers who operate in market sectors where they need expert cyber security, cloud and colocation support. I’m excited to work with this talented team to unlock new revenue streams and deliver exceptional value to our customers.”

Kathy Stokes’ appointment comes as Cyberfort prepares for its next phase of growth, as it looks to expand its service offerings and develop its market presence.

Glen Williams, Cyberfort CEO, commented: “I am delighted to welcome Kathy to the Cyberfort team. She brings business, technical and technology market experience to help us create, manage and deliver all-encompassing cyber security services for our customers. This is an exciting next step forward as Cyberfort evolves and builds on its 20-year history of successfully delivering Cyber Security, Cloud and Colocation Services.”

About Cyberfort

Cyberfort is an all-encompassing Cyber Security services provider. We are passionate about the cyber security services we deliver for our customers which keeps their people, data, systems and technology infrastructure secure, resilient and compliant.

For more information about Cyberfort please visit https://cyberfortgroup.com.
