By Glen Williams, CEO, Cyberfort


When the United States and Israel launched coordinated strikes against Iran on 28 February 2026, the response was not limited to missiles and military assets. According to CloudSEK, more than 60 Iranian-aligned hacktivist groups activated on Telegram within hours. The company described it as the largest single-event mobilisation of this ecosystem ever recorded.

The target was not military bases. Instead, it was infrastructure used by civilians.

CloudSEK reports that more than 40,000 US industrial control systems are reachable on the public internet, many protected by default credentials or no credentials at all. Data from Forescout and Shodan in 2024 also counted over 40,000 exposed ICS devices in the United States. These systems help run water plants, electricity networks and fuel operations.

Is Cybercrime The New Warfare?

The report concluded, “The barrier to ICS disruption is no longer technical. It is motivational. And the events of 28 February 2026 have provided motivation to 60+ groups simultaneously.”

This raises the question: is the digital world becoming the modern-day battlefield? The World Economic Forum addressed this in a 2017 article, and its words are still relevant today. They said, “Sure, cyberwar is better than a kinetic or physical war in many ways, but it could also make war worse. Unless it’s very carefully designed, a cyberattack could be a war crime.”

They continued, “Well, you could go the old fashioned way — call in some airstrikes or send troops to blow up the building — but this would be an open declaration of war, worsening tensions. It would also be a political disaster if your troops or even drones were captured.

“Now, there is another way: you could launch a cyberattack against the facility. This is more invisible and therefore less risky. It’d take too long to directly hack into the facility’s secure network, but you’ve already created an email virus that can knock out the town’s energy grid, which would take out the base.”

This is an interesting question. With the rest of the world moving digital, it makes sense that the question is being asked, and many argue that cyberspace has already been a battlefield for decades.

Mike Maddison, CEO of global cybersecurity company NCC Group:

Cyber activity in the Middle East

“The current conflict in the Middle East is proof that cyber operations have become fully integrated with military strategy. Israel and the US have combined cyber attacks with physical strikes to contribute to Iran’s communications blackout. Overall, the majority of cyber activity tied to the Israel–Iran conflict consists of DDoS attacks, website defacements, exaggerated breach claims, and widespread AI-driven misinformation. This activity is high in volume but low in impact, rather than being materially disruptive.

“The breadth of global supply chains means that while Iran’s cyber capabilities are focused on Israel, the US and the Gulf region, global companies still need to be vigilant. Supply chains and widely connected digital infrastructure face a realistic risk of disruption or being caught in an information war.”

GPS jamming

“The use of GPS jamming in the Middle East is a timely reminder of the fragility of our reliance on satellite navigation systems. All Global Navigation Satellite System (GNSS) platforms share a critical vulnerability – their signals are inherently weak and susceptible to targeted jamming. This situation underscores the urgent need for robust security investment to safeguard critical national infrastructure.

“The maritime sector remains a high value target due to the scale of disruption a successful attack can cause. As threats evolve, the industry must shift from reactive defence to proactive resilience strategies. Alternative technologies like Long Range Navigation (LORAN) or emerging quantum-based systems offer promise, but neither has yet been delivered at scale. Until then, resilience must come from layered defences and strategic foresight.”

Experts Share Their Thoughts On Cybercrime As The New Battlefield

More experts answer the question…

Our Experts:

  • Jorge Monteiro, CEO, Ethiack
  • Glen Williams, CEO, Cyberfort
  • Paulo Cardoso do Amara, Former CIO and NATO Scientific Advisor on Cybersecurity
  • Jack Alexander, Senior Threat Intelligence Analyst, Quorum Cyber
  • Joseph M. Saunders, Founder and CEO, RunSafe Security
  • Adam Darrah, VP of Intelligence, ZeroFox
  • Kaveh Ranjbar, Co-Founder & CEO, Whisper Security
  • Alexander Niejelow, CEO, Cyber Advisory, Hilco Global
  • Syed Asif Ali, Founder & Digital Media Strategist, Point Media
  • Brian Long, CEO and Co-founder, Adaptive Security
  • Cindy Murray, Chief Information Security Officer (CISO) & Systems Architect, Murray Digital

Jorge Monteiro, CEO, Ethiack

“A wide range of hackers, from cybercriminals to state actors, have fully weaponised AI. On the digital battlefield, threat actors no longer just use AI tools, but instead deploy fully autonomous malware that probes and exploits vulnerabilities in IT systems, even evolving its approach with minimal human input.

“The real-world impact of this AI-enabled cyber threat is an order of magnitude greater than anything seen before – as it can impact entire economies, not just individual organisations. In 2025, an attack on the British carmaker Jaguar Land Rover sent UK car production crashing to its lowest level in 70 years and knocked nearly 0.2% off the UK’s GDP.

“With conflict again raging in the Middle East, there is a risk of more such disruption in 2026: not just from data loss and extortion, but operational paralysis across entire industries.

“To keep pace, organisations must move away from periodic testing of their cyberdefences to adopt continuous, AI-driven security validation. Ethical, autonomous AI tools will become mainstream as enterprises realise they need the same automation and adaptability as that being used to attack them.

“Frameworks like DORA and NIS2 will accelerate this shift toward continuous assurance, and while AI will dominate the front line, human cybersecurity professionals won’t disappear. In our work, AI agents and ethical hackers routinely uncover different classes of vulnerabilities, and only together do they form a complete defence.

“2026 will see the fastest learners, who empower AI to help them find and fix weaknesses before criminals can exploit them, forge ahead. In a year defined by autonomous AI-led attacks, the greatest risk will be standing still.”

Glen Williams, CEO, Cyberfort

“Cyber conflict is no longer a future concern. It is already a core component of modern warfare. When geopolitical tensions rise, the digital domain is often the first place retaliation appears. What we are seeing now is a clear example of that shift. Cyber operations can disrupt infrastructure, spread misinformation and undermine confidence without a single physical strike.”

“AI is accelerating this trend further. It lowers the barrier to entry for threat actors, automates reconnaissance and allows attacks to be launched at greater scale and speed. That means nation state groups and other threat actors can target energy networks, financial services, communications systems and government infrastructure more efficiently than ever before.”

“The question is not simply whether the US is prepared. It is whether any country is truly prepared for the pace and complexity of modern cyber conflict. The UK faces the same reality. As a highly connected digital economy with globally significant financial services, defence capability and critical infrastructure, the UK remains an attractive target for both state-backed groups and opportunistic attackers. Defensive strategies built around traditional security controls are struggling to keep up with highly adaptive, AI-assisted adversaries.”

“What this moment underlines is that cyber resilience must now be treated as national security infrastructure on both sides of the Atlantic. Governments and critical industries must assume that digital systems will be targeted during geopolitical crises. Preparation means stronger public-private collaboration, continuous threat intelligence sharing and infrastructure designed with resilience at its core rather than as an afterthought.”

Paulo Cardoso do Amara, Former CIO and NATO Scientific Advisor on Cybersecurity

“The digital world grows in importance at the same pace as the dependence that both organisations and citizens place upon it. What once began, in the late 1980s, as a modest infrastructure for sending emails, sharing files, and participating in a few discussion forums has evolved into the nervous system of modern society.

“Interestingly, malware appeared almost as soon as the internet itself became useful. Since around 1988, malicious software has been a persistent reality of the digital ecosystem. In other words, vulnerability was born alongside connectivity and, today, the very dependence on digital systems has become a strategic attack surface.

“Yet it would be simplistic to claim that the digital world alone constitutes the modern battlefield. In reality, it is merely one dimension of a broader strategic landscape. The foundations of this multi-dimensional conflict can be traced back to the 1980s with the articulation of what analysts later called Fourth Generation Warfare.

“In this form of conflict, battles are not fought exclusively with tanks and missiles but across several arenas simultaneously, including economic pressure, intelligence operations, information influence, and political maneuvering. Conventional warfare still exists, of course, as the conflicts in Ukraine and tensions involving Iran clearly demonstrate. But these kinetic engagements now coexist with subtler forms of confrontation where perception, disruption, and influence become decisive.

“In this sense, cyberspace is not a replacement for traditional conflict. It is an extension of it.

“Technology, meanwhile, continues to evolve at a remarkable pace, transforming both offensive and defensive capabilities. Cyberwarfare illustrates this dynamic particularly well. In this context, AI has become a powerful accelerator, amplifying the effectiveness of both attack and defense. However, the decisive factor is not technology alone. As Sun Tzu famously argued “victory belongs to those who understand the terrain and the enemy”. In the digital domain, this terrain is made of code, networks, protocols, and data flows. Mastery therefore depends less on possessing technology and more on understanding it deeply.

“Therefore, those who know how to employ technology strategically are the ones who achieve their objectives.

“From this perspective, the United States occupies a particularly strong position. A significant portion of the digital infrastructure used globally originates from American technological ecosystems. Many of the foundational layers of the internet, from hardware architectures to operating systems and communication protocols, have been developed by U.S. companies and research institutions. This technological primacy creates not only economic advantage but also strategic leverage in pure tactical terms.

“The informational dimension reinforces this position even further. Major technology companies exercise enormous influence through the platforms that mediate global communication. Social networks, search engines, and digital services shape the information environment in which billions of people operate. While these platforms can be exploited by hostile actors, the underlying algorithms and infrastructures remain largely controlled by the companies that designed them.

“Artificial intelligence amplifies this phenomenon dramatically. AI systems can analyse vast volumes of unstructured information, generate persuasive narratives, and adapt content to specific audiences. In the realm of information warfare, this capability becomes a formidable instrument for shaping perceptions. Machiavelli would likely recognise the principle immediately because power often lies not merely in force but in the ability to shape what people believe.

“Thus, artificial intelligence is rapidly becoming one of the most potent weapons in the information domain, particularly in the hands of those who control the digital platforms through which narratives circulate.

“In the language of Clausewitz “war is the continuation of politics by other means”. In the digital age, those means increasingly include algorithms, networks, and data and the United States possesses substantial tactical capabilities in this environment. Whether these capabilities translate into strategic success ultimately depends on how effectively they are employed.

“Technology, after all, provides the weapons. Strategy determines victory.”

Jack Alexander, Senior Threat Intelligence Analyst, Quorum Cyber

Cyber in modern conflict:

“In modern conflict an immediate surge in hostile cyber aggression is to be expected. No longer are wars fought exclusively via the land, air and sea but also within cyberspace. This relatively new phenomenon is known as ‘hybrid warfare’ and is designed to weaken the opponent by directly targeting Critical National Infrastructure (CNI), but can also be used to achieve other strategic goals such as sowing disinformation and disrupting civilian business continuity.

“This is not the first time that offensive cyber targeting has been used to impact CNI alongside traditional military activity. In 2022, Russian wiperware was deployed against the European Viasat network with the intended aim of impeding Ukrainian military communications, due to the heavy usage of the platform by Ukraine. This highlights the growing normalisation of CNI targeting during times of conflict as another means of disrupting your enemy.”

How AI can be used as a force multiplier:

“The time between vulnerability discovery/disclosure and active exploitation is now as little as 15 minutes via AI-powered automated active scanning of networks. Actors are leveraging AI to automate routine tasks, including script generation, attack templating and consistent messaging during extortion efforts.

“Alongside this, social engineering is no longer just phishing with better grammar; it is hyper-personalised. Attackers can automate Open-Source Intelligence collection to profile targets and craft highly personalised lures that mirror their role, organisation and professional relationships.”


Joseph M. Saunders, Founder and CEO, RunSafe Security

“Cyber conflict rarely begins with a declaration of war. It unfolds in a persistent gray zone where nation-states and their proxies map networks, test defenses, and pre-position themselves inside critical infrastructure for future leverage. We’re seeing this play out in real time with Iran’s response to the US-Israel strikes.”

“AI has fundamentally changed the cost equation for attackers. Nation-state actors can now move faster, generate more convincing intrusion campaigns, and probe more targets simultaneously than ever before. When you combine that with pre-positioned access in critical infrastructure, like the persistent footholds we’ve seen from groups like Volt Typhoon, you have the ingredients for a very consequential attack.”

“Power grids, water systems, and communications networks are key targets for effects and to achieve outcomes of consequence, but much of this infrastructure was never built to absorb nation-state aggression. The US has world-class offensive cyber capabilities, but our defensive posture for industrial systems remains dangerously inconsistent. Every kinetic action, like the US-Israel strikes on Iran, now has an immediate digital echo. The digital world and the physical battlefield have merged, making cyber resilience the new deterrence.”

Adam Darrah, VP of Intelligence, ZeroFox

“Yes, and it has been since at least what is referred to as the “Arab Spring” or “Arab Awakening”. The digital battleground has encompassed and continues to include social media, mis-, dis- and mal-information campaigns, and offensive cyber operations that can shut down a country’s energy, military, or other systems. The digital space is where espionage, intelligence, marketing, civil society, shopping, politics, charity, convenience and war all converge. Adversaries do not see a sacred space that is off limits in war, peace, or intelligence collection.”

Is the US prepared?

“Yes. The United States has invested heavily in cyber defense capabilities and deterrence, and any actor considering cyber operations against US systems should assume there would be significant consequences. There is also a lot to unpack when discussing claims of a “surge” in Iranian-aligned cyber activity targeting US critical infrastructure, particularly when AI is described as a force multiplier for threat actors.

“The US has adopted what is known as strategic ambiguity when it comes to what constitutes an act of war, probably to disincentivize adversaries to test red lines and ultimately deter conflict. Current administration officials have stated recently that any cyber attack against critical digital infrastructure could be considered an act of war.

“When discussing “critical infrastructure”, it’s important to be precise. The US views as a matter of policy that any cyber-attacks against critical infrastructure such as water, sanitation, electricity and other critical systems could be considered precursors to an armed attack against the US homeland.”

Kaveh Ranjbar, Co-Founder & CEO, Whisper Security

“Calling this a “new battlefield” misses the point. Cyber has been the battlefield for years. The strikes make the news. The retaliation is already running.

“What’s happening now isn’t a surprise. Iranian-aligned groups have infrastructure ready to go: domains registered months ago, hosting relationships that predate any specific operation. Tension spikes, infrastructure activates. We’ve watched this pattern repeat since at least 2020.

“The real question isn’t whether the US is “prepared.” It’s whether anyone can see the infrastructure before it fires. Most attribution happens after the damage. By then you’re writing incident reports, not preventing incidents.

“AI makes both sides faster. Attackers spin up variants. Defenders try to map infrastructure at scale. Right now, offense is cheaper.”

Syed Asif Ali, Founder & Digital Media Strategist, Point Media

“Cyber conflict is increasingly becoming a parallel layer of modern geopolitical tension. It doesn’t replace traditional warfare, but it gives states and aligned groups a way to create disruption without the visibility or escalation of conventional military action.

“What makes this environment particularly challenging is how dependent modern economies are on digital infrastructure. Financial systems, logistics networks, cloud platforms, and communications all rely on software layers that can be probed or disrupted remotely. When those systems are targeted, the consequences can ripple far beyond the original point of attack.

“The growing role of AI also changes the equation. It allows threat actors to analyze systems faster, automate reconnaissance, and scale attacks more efficiently than before. That doesn’t mean AI creates entirely new risks, but it accelerates existing ones.

“Preparedness therefore becomes less about a single defensive tool and more about resilience. Governments and organisations need systems designed to detect anomalies early, isolate problems quickly, and recover operations without widespread disruption.

“In practical terms, cyber conflict has already become part of the strategic landscape. The question is less whether it will be a battlefield, and more whether institutions are building the resilience required to operate in that reality.”

Brian Long, CEO and Co-founder, Adaptive Security

“The digital world is absolutely becoming a modern battlefield. Governments and criminal groups now use cyber operations alongside traditional military activity because they can disrupt systems, gather intelligence, and influence public perception without firing a shot.

“We are already seeing the scale of this shift. The World Economic Forum has cited estimates that put the global cost of cybercrime at $10.5 trillion annually. That is the scale of a major global economy, and it shows why cyber conflict has become a serious part of modern geopolitical competition.

“Artificial intelligence is accelerating this trend. Attacks that once required specialised skills can now be launched with inexpensive tools and publicly available data. With just a few seconds of audio or a handful of public information, attackers can generate convincing voice clones, deepfake videos, or highly personalised phishing messages.

“These attacks are also expanding beyond email. Increasingly they happen through phone calls, text messages, and video meetings where people naturally trust what they hear and see. AI allows attackers to run these campaigns at enormous scale and target thousands of people at once.

“At the same time, critical infrastructure has become a major target. Energy systems, financial networks, and supply chains are attractive because disruptions there have immediate real-world consequences. Researchers at the Oxford Internet Institute found that, on one platform alone, more than 35,000 open-source deepfake generators had been downloaded nearly 15 million times since 2022. That shows how quickly these tools are spreading. We are also seeing deepfakes used to impersonate leaders and spread misinformation during moments of geopolitical tension.

“For organisations, cyber resilience is no longer just a technical problem. Most successful breaches still begin with social engineering, which means attackers are manipulating people, not just systems. Companies now need to prepare their workforce for AI-driven deception the same way they prepare their networks for malware.”

Cindy Murray, Chief Information Security Officer (CISO) & Systems Architect, Murray Digital

“Let’s just be honest about this. Cyber is not the new battlefield. It has been the only active warzone for a decade and the premise of the question is exactly why the US is losing. The recent strikes just proved our enemies know exactly how vulnerable our infrastructure is. The Iranian surge is simply a live stress test of a completely incompetent system.

“The problem is not the hackers. The problem is our own bloated architecture. We are protecting a twenty-year-old grid with band-aids. You can’t put a deadbolt on a screen door and call it secure. If you do not engineer your defense directly into the universal inference layer you are just asking for a breach.

“We are unprepared because Washington refuses to tear out their legacy sprawl. They are fighting an automated war using a bureaucratic checklist. A checklist is just a map for the enemy.”

Read the article on TechRound here: https://techround.co.uk/news/experts-cyber-warfare-new-battlefield-modern-conflict/

By Glen Williams, CEO, Cyberfort


There is a phrase that should concern every board member and security leader operating in today’s threat landscape: “We’re covered.”

It sounds reassuring. It implies preparedness. In reality, it often signals the opposite.

Cyber-insurance has matured rapidly over the past decade into a legitimate and important component of organisational risk management. Policies now routinely cover business interruption losses, legal and regulatory costs, incident response support, ransom negotiations and reputational recovery. For organisations hit by a significant breach, that financial cushion can make a real difference.

But somewhere along the way, too many organisations began treating the policy as a proxy for the security strategy itself. Buying cyber-insurance cover became the endpoint rather than the backstop. And that confusion is now creating a dangerous gap between perceived protection and actual resilience.

Insurance covers the aftermath

A payout, however substantial, cannot restore trust with customers overnight. It cannot reverse reputational damage. It cannot undo the operational disruption of a manufacturing plant grinding to a halt, a logistics network going dark, or a hospital losing access to patient records. And it absolutely cannot stop an attacker who has already found their way in.

The financial mechanics of insurance have never been designed to do those things. They exist to absorb economic shock after an incident, not to reduce the likelihood of one occurring.

What drives likelihood is resilience. And resilience is something most insurance policies neither measure nor reward, at least not yet.

What insurers are actually asking for

The cyber-insurance market has changed significantly. A few years ago, insurance companies were issuing policies based on relatively lightweight questionnaires, broad assumptions about controls and limited scrutiny of what organisations had actually deployed. That era is closing.

Underwriters today want evidence. They want to see demonstrable incident response capability, not a document that has never been tested. They want visibility into backup maturity and recovery timelines. They want governance structures, identity and access management, third-party risk controls and, increasingly, proof of continuous monitoring and detection capability.

The question insurers are quietly beginning to ask is no longer simply “do you have controls in place?” It is “can you prove your environment is defensible and recoverable?” Those are meaningfully different questions, and many organisations are not yet equipped to answer the second one convincingly.

For businesses that cannot demonstrate genuine operational resilience, the implications are tangible: higher premiums, reduced coverage limits, more restrictive policy exclusions and, in some cases, rejected claims where the insurer determines that basic controls were absent.

The compliance trap

Much of the problem stems from how organisations still approach cyber-security. The dominant mindset in many businesses remains compliance led. Have we achieved the relevant certifications? Have we filled in the annual questionnaire? Have we renewed the policy? Box ticked.

What that mindset consistently fails to ask is the more important operational question: could we continue functioning if we were attacked tomorrow?

Compliance and resilience are not the same thing. Passing an audit demonstrates that, at a point in time, documented controls existed. It says very little about whether those controls would hold under pressure, whether staff would know what to do in a crisis, or whether systems could be recovered at the speed the business actually requires.

The organisations that discover these gaps most painfully are those that find them during an incident rather than before.

The human layer remains the weakest point

One of the persistent realities of modern cyber-risk is that the most sophisticated technology stack in the world can be bypassed by remarkably simple means. Attackers do not always need advanced tooling. Sometimes they need someone to hold a door open, a member of staff to click a plausible-looking email, or a supplier with legitimate access and poor credential hygiene.

The human and operational layer of risk remains stubbornly underestimated. Tailgating, impersonation, social engineering, compromised third-party access and weak verification processes are the vectors that continue to feature in significant incidents, not because they are new or sophisticated, but because they exploit trust, routine and the natural tendency of people to prioritise helpfulness over scepticism.

Insurance provides no meaningful protection against these vectors. Only operational rigour does.

Recovery is now a board-level question

The conversation in most boardrooms has shifted from whether a breach might happen to what would happen if it did. That shift in framing is healthy, but it demands a corresponding shift in investment and preparation.

Boards are now asking how quickly systems could be recovered, what a period of downtime would cost, which data and processes are genuinely critical and whether the business could continue trading through an incident. These are not questions that insurance answers. They are questions that resilience planning answers.

Cyber-resilience has become as much a business continuity issue as a technology issue. Recovery speed, containment capability, crisis communications, operational fallback: these capabilities need to be built, tested and embedded before an incident occurs, not assembled under pressure in the middle of one.

Confusing policies with protection

None of this is an argument against cyber-insurance. It remains an important layer of protection and a sensible component of any risk management programme. For businesses operating at scale, or in regulated sectors, it is increasingly non-negotiable.

But it should be understood clearly for what it is: a financial backstop, not a strategy. It is the last line of defence, not the first. It will solve some of your problems, but not all.

The organisations best positioned today are not those with the largest policies. They are the ones that have genuinely understood where their risk sits across people, processes and data; that have built demonstrable operational resilience; and that can show insurers, customers and regulators alike that they are materially harder to disrupt than their peers.

In a threat landscape where the question is no longer ‘if’ but ‘when’, the most dangerous words a business leader can say are still “We’re covered.”

Read the article on teiss here: https://www.teiss.co.uk/news/covered-but-not-protected

By Glen Williams, CEO, Cyberfort


Neurodiversity is no longer a niche workplace issue. It is part of the reality of modern teams, modern leadership and modern performance. For HR and business leaders, that presents a clear opportunity. Organisations that create environments where different thinking styles can do their best work will be able to widen their talent pool, improve decision making and build more resilient teams. The outcome is not simply a more inclusive culture, but a more capable one.

The CIPD estimates that around one in five people are neurodivergent in some way. Many will never disclose a diagnosis to their employer. If hiring and management processes only work for people who fit a narrow, outdated definition of how a strong candidate should communicate, collaborate and perform under pressure, organisations risk missing exceptional talent. In a labour market where skills are scarce and competition is high, that becomes a commercial issue.

I lead a cybersecurity business, where complex problem solving, accuracy and judgement are critical. But this is not unique to technology or security. Any organisation that depends on analysis, creativity, sustained concentration or precision can benefit from neurodivergent talent, provided it designs work in a way that allows people to thrive. The focus should not be on labels. It should be on capability.

Understanding strengths without falling into stereotypes

It is important to approach neurodiversity carefully. It is not a single profile and it does not map neatly onto job roles. Even within the same diagnosis, there is huge variation. The aim is not to stereotype or assume strengths. The aim is to recognise that organisations perform better when they make room for different cognitive approaches rather than rewarding one narrow model of professionalism.

In high pressure and technical environments, certain strengths often emerge. Some people can sustain deep focus for extended periods when working on tasks that engage them. When supported properly, that can translate into exceptional output and consistency in complex work. Some individuals have outstanding attention to detail, which is invaluable in roles that depend on spotting patterns, anomalies or risks.

Another commonly overlooked strength is direct communication. Some neurodivergent individuals communicate literally and clearly. In the right environment, this can improve performance because ambiguity is reduced and assumptions are challenged early. What may be misinterpreted as bluntness is often precision. In organisations where unclear communication is a major cause of inefficiency, precision is an advantage.

Designing work for performance, not exceptions

Many organisations still approach neurodiversity through the lens of individual adjustment, making one-off accommodations for a small group of people. While well intentioned, this can create friction. Managers can feel they are being asked to make special arrangements, and employees can feel singled out.

A more effective approach is to start with the workplace itself. Ask what great work requires and what gets in the way. Then design roles, expectations and workflows accordingly. This shifts the focus away from looking to “fix individuals” and towards creating an environment where different people can perform well.

For some roles, this means protecting time for deep work and reducing unnecessary interruptions. For others, it means clarity around priorities and outcomes. In some cases, it involves structuring work into defined packages with clear deliverables rather than expecting uniform output every day. Some people do their best work in intense periods of concentration followed by recovery time. If the only accepted model is steady daily output, high performers can be misjudged as inconsistent when the real issue is misaligned work design.

This is not indulgence. It is effective workforce planning. It also benefits everyone, not just neurodivergent employees.

Rethinking recruitment to avoid losing talent

Recruitment is one of the most common points at which organisations lose neurodivergent candidates, often without realising it. Exclusion is rarely intentional. More often, it happens through outdated hiring practices that prioritise performance in interviews over evidence of capability.

For example, interviews frequently reward confidence, speed and social cues. Those qualities are not reliable indicators of job performance. Small changes can significantly improve fairness and effectiveness. To make interview processes accessible for neurodivergent candidates, organisations should be explicit about what candidates can expect from the process, which can include sending interview questions to candidates in advance of any interview. Hiring managers should use clear, direct questions that invite evidence rather than hypothetical scenarios. The approach should be to treat interviews as structured conversations, not tests designed to catch people out.

Silence should be allowed. Some people need time to process and formulate strong responses. Eye contact and body language should not be treated as proxies for competence. Time should be used well. If a CV has already been reviewed, asking a candidate to repeat it adds little value.

Where possible, skills-based assessments should play a greater role. Practical exercises and work sample tests often provide a more accurate picture of capability and reduce the noise created by interview performance. They also tend to be fairer for all candidates, not just those who are neurodivergent.

Moving from disclosure to curiosity

One of the most powerful shifts organisations can make is moving away from disclosure led support towards curiosity led leadership. Rather than waiting for individuals to disclose a diagnosis, leaders should normalise asking a simple question such as: ‘how do you like to work at your best?’

This opens up conversations about communication preferences, working patterns, meeting styles and feedback without requiring labels. It also supports people who are undiagnosed, unsure or private. The result is a workplace that is better designed for everyone, not just those who feel able to speak up.

The cost of standing still

The business risk of failing to adapt is real. The National Autistic Society highlights that only around three in ten autistic adults are in work. That statistic points to a significant pool of untapped capability. It also highlights how much talent is filtered out by systems that were designed for a workforce of the past.

There is also a retention risk. As awareness grows, more people will articulate what they need to do their best work. If organisational culture treats reasonable adjustments as an inconvenience or advantage seeking, engagement will suffer and talent will leave. Often, leaders will never know what they lost, only that performance declined and hiring became harder.

Building workplaces that let different minds excel

Neurodiversity is often framed as a moral issue. It is that, but it is also a strategic one. Organisations that succeed in the coming years will be those that stop trying to standardise people and start designing work that allows different minds to excel.

This is not about policies or slogans. It is about building workplaces that think better, adapt faster and perform more consistently under pressure. For HR and business leaders, that is not a future aspiration. It is a present-day advantage.

Read the article on The HR Director here: https://www.thehrdirector.com/features/neurodiversity/neurodiversity-reshaping-attraction-retention/

Featuring Nige Wilkinson, COO, Cyberfort


Cybersecurity regulation is changing, driven by a need to be more robust in the face of increasingly sophisticated attacks. As 2026 kicks off, what are the key regulatory changes that will impact UK businesses?

Cyber Resilience Will Be Essential

One major piece of legislation expected in the coming year is the Cyber Security and Resilience Bill, which brings with it a new set of resilience requirements. As the Bill enters Parliament, cyber resilience will “stop being a compliance checkbox” and “become a board-level operational performance test that recognises people, ways of working and the technology needed to succeed,” says Dan Jones, senior security advisor at Tanium.

“The UK government is making it clear that ‘reasonable steps’ and after-the-fact reporting won’t fly in a world where one weak supplier can knock out hospitals, councils or entire supply chains, affecting the livelihoods of families and whole communities,” he says.

Over the next year, organisations that can’t prove continuous control of their environments will be “exposed to regulators, customers, and to reality,” he warns.

A key shift, which will not feature as one bill or regulation, is “the incorporation of demonstrable operational resilience into existing legal and regulatory frameworks,” adds Martin Davies, senior audit alliance manager at Drata. “Beyond having security policies in place, firms need systems and suppliers that can withstand disruption and recover within defined tolerances. This already exists as part of the Financial Services regulatory outlook (FCA’s Operational Resilience PS21/3) and is likely to become a facet of regulatory requirements in broader sectors.”

More Companies Will Find Themselves In Scope Of Key Regulation 

As the Cyber Security and Resilience Bill comes into force, it brings with it mandatory adoption of the Cyber Assessment Framework across critical sectors. The scope of regulation expands as the definition of Relevant Managed Service Providers (MSPs) is broadened, placing more of these firms “directly in the regulatory spotlight,” says Jamie Akhtar, CEO and co-founder of CyberSmart. “This change introduces new duties around incident reporting, baseline security controls and formal assurance, meaning that both service providers and their customers must operate with far greater transparency and discipline.”

Supply Chain Risk in The Spotlight

In 2026, regulation will put supply chain risk under the spotlight, experts predict. Supply chain risk has become “hard to ignore,” says Akhtar. High-profile interventions such as the FTSE 350 cyber letter and the latest CSM v4 requirements for defence suppliers have “pushed the issue into the mainstream,” he says.

Large organisations now expect their upstream suppliers, including SMEs, to show that they have implemented basic controls and can maintain resilience in a “consistent and certifiable way,” according to Akhtar. “The bottom line is that we will see the emergence of a market that values demonstrable, continuous cyber competence over declarations of intent.”

The Cyber Security and Resilience Bill will introduce “tougher scrutiny of supply-chain security,” adds Sam Peters, chief product officer at IO. “It will require organisations to standardise supplier due diligence, risk scoring and ongoing monitoring across departments to avoid fragmented processes. Businesses will also need to link supplier controls directly to the organisation’s risk register and resilience expectations, and maintain continuous assurance evidence for high-risk suppliers rather than relying on one-off questionnaires.”

In 2026, third and fourth-party cybersecurity will come under even greater scrutiny, says Mike Smith, partner – security at TXP. “Companies that fail to meet required security levels risk losing business over the coming months as the risk for their customers is simply too high.”

Security initiatives, such as red teaming and penetration testing, and developing robust processes around reporting, “will be crucial for suppliers, ensuring their security standards stand up to external scrutiny,” he adds.

Accountability Requirements Put CISOs “In The Firing Line”

In 2026, legislation such as the UK’s Cyber Security and Resilience Bill will “radically reshape accountability for cyber breaches,” by expanding the definition of critical infrastructure and introducing mandatory 24-hour breach reporting, with escalating fines for non-compliance, says Mark Jow, technical evangelist EMEA at Gigamon.

This legal shift puts CISOs “directly in the firing line,” says Jow.

Ultimately, the legislation moves cyber resilience “decisively into the boardroom,” says Nigel Wilkinson, COO at Cyberfort. “It will no longer be credible for senior leaders to say cyber is ‘owned by IT.’ Regulators will expect clear accountability, informed oversight and proof that cyber resilience is treated like any other critical business risk.”

High-Profile Attacks Will Give The Cyber Security And Resilience Bill A Political Boost

The attacks of 2025 — and the downtime as a result — will inevitably make the Cyber Security and Resilience Bill a key focus in 2026, says Mike Upton, director of partnerships and ecosystem, e2e-assure. “Historically the attitude among critical organisations has been to hold back budget and deal with issues post-breach, with little understanding of how harmful or expensive an approach that can be.”

The Bill promises to change this by making critical organisations implement risk management and improve their cyber posture, he says. “While there are still aspects to be finalised, the requirements as they currently stand could still see some stakeholders baulk at the spend required to ensure compliance. If that happens, there will inevitably be a few sacrificial scapegoats to encourage other entities to fall into line.”

UK Government Could Introduce Regulatory Sandboxes for AI

In 2026, it is likely there will be developments in the UK government’s plans to introduce regulatory sandboxes for AI, says Kate Densiton, tech regulation lawyer at Bird & Bird. “In its consultation document on the sandboxes, it said evidence from pilots could lead to regulatory reforms, enabling UK businesses to adopt trusted AI. Having launched a consultation in late 2025, some legislation will be needed over the coming year to give the mandate, budget and scope for the conduct of the AI sandboxes.”

In the UK, it is still unclear what specific regulation will be implemented by the government covering AI. With so many aspects unresolved, there’s “a clear risk that AI usage by UK industry will be impacted by uncertainty,” says Densiton.

In-house lawyers must keep up to date on developments and decide how best to advise the business within the current environment, she says. “We expect the UK government to implement an incremental, narrow regulatory framework for AI in the UK, but clarity might not come until late 2026.”

Read the article on SC Media UK here: https://insight.scmagazineuk.com/regulation-predictions-key-uk-legislation-changes-coming-in-2026

By Nige Wilkinson, COO, Cyberfort


For many board directors in financial services, cyber security confidence is built on certificates, audit reports and regulatory tick boxes. The problem is that none of these things, on their own, actually prove an organisation is secure.

In recent years, regulation has pushed firms to demonstrate compliance at pace. In response, many institutions have invested heavily in frameworks, accreditations and assurance programmes that look reassuring on paper. But too often, this has created an illusion of control rather than genuine operational resilience. The result is what many security leaders now describe as ‘paper security’.

Compliance is not the same as capability

Frameworks such as ISO 27001, SOC reporting and sector-specific regulatory requirements have an important role. They create common language, minimum standards and accountability. But they were never designed to prove that a business can withstand a real-world cyber attack.

Firms collect certificates, pass audits and reassure boards that security is under control, even when fundamental weaknesses remain. Accreditations are frequently delivered through narrowly scoped assessments that focus on documentation rather than behaviour, process effectiveness or real technical capability.

This is compounded by the growth of providers offering compliance led security services without the depth of expertise needed to deliver operational defence. In some cases, organisations receive assurance from firms that are not equipped to detect, respond to or recover from advanced attacks. The paperwork is correct, but the protection is thin.

Recent regulation has unintentionally reinforced this behaviour. The introduction of initiatives such as the Digital Operational Resilience Act and evolving FCA expectations around operational resilience have increased pressure on firms to demonstrate compliance quickly. The risk is that boards see regulatory alignment as the end goal, rather than a baseline from which real security maturity must be built.

The real cyber challenges financial services now face

As we move through 2026, the threat landscape facing financial services is becoming more complex, not less. Attackers are increasingly patient, well-funded and focused on exploiting operational weaknesses rather than technical flaws alone.

Supply chain compromise remains one of the biggest risks. Financial institutions are deeply interconnected with technology providers, outsourcers and partners. A single weak link can provide attackers with privileged access that bypasses traditional controls. Regulation has highlighted this risk, but many organisations still rely on questionnaires and contractual assurances rather than active oversight.

Ransomware continues to evolve, with attackers shifting focus from encryption to data theft and extortion. This puts regulatory, reputational and legal pressure on organisations simultaneously. At the same time, identity based attacks are rising, exploiting gaps in access management and user behaviour rather than software vulnerabilities.

One widely cited industry study shows that the majority of successful breaches now involve compromised credentials rather than technical exploits. This reinforces the point that documentation and policy alone do not stop attacks. Day to day operational discipline does.

Moving from paper security to operational maturity

The answer is not less regulation. It is a better interpretation of what regulation is trying to achieve. Boards need to move beyond asking whether the organisation is compliant and start asking whether it is genuinely prepared.

Operational maturity is about evidence, not paperwork. Can the organisation detect an attack quickly? Can it contain damage? Can it recover critical services under pressure? These questions cannot be answered by an audit report alone. They require testing, rehearsal and continuous improvement.

This shift also requires clarity about the role of security partners. Firms should be wary of providers that lead with certificates rather than capability. Effective security comes from teams that understand the threat landscape, can operate in real time and are accountable for outcomes, not just assessments.

Encouragingly, there is growing recognition across the sector that security must be treated as a business resilience issue rather than a compliance exercise. Regulators are increasingly focused on outcomes, not intent. That creates an opportunity for boards to reset the conversation and invest in security that works when it matters most.

Security That Works When It Matters

Compliance will always be part of financial services security. But when it becomes the primary measure of success, it creates dangerous blind spots. Paper security may satisfy auditors, but it does not stop attackers.

As regulation continues to evolve, boards have a choice. They can use compliance as a comfort blanket, or as a foundation on which to build real operational resilience. In 2026, the difference between the two will be felt most clearly when things go wrong.

Read the article on Finance Derivative here: https://www.financederivative.com/when-compliance-becomes-a-blind-spot-why-boards-are-being-misled-on-cyber-security/

By Glen Williams, Cyberfort CEO


When technology looks the same, the real differentiation comes from honesty and long-term relationships

Today, in every corner of the channel, a race is taking place. Businesses are scrambling to attach themselves to the latest technology breakthrough, the newest AI model, or the most eye-catching automation platform. There is a belief that technological novelty alone will secure the next wave of business growth.

But in truth, technology is no longer the great differentiator it once was. AI is becoming accessible to everyone. Automation is no longer a luxury but a standard expectation. The more these innovations level the playing field, the more the real advantage shifts somewhere perhaps less glamorous and far more human: trust.

Trust over technology

Trust needs to become the channel’s ultimate currency. In the noise of competing messages, escalating product complexity, and a market full of solutions that all claim to be good enough, customers are tired. They are overwhelmed by choice, confused by jargon, and increasingly sceptical that a vendor has their best interests at heart.

What they are now seeking, and what they will increasingly value, are partners who act with integrity, who guide rather than simply sell, and who view the relationship as more important than a transaction.

As a channel leader, I have watched the shift happen in real time. The organisations that continue to grow are the ones that understand that trust is not a soft value or a marketing slogan. It is the most strategic asset any partner can build.

Integrity shows up not in what a partner sells, but in how they sell it. Customers can sense the difference between someone pushing a product to hit targets and someone giving clear, expert advice, even when that advice means recommending a different solution or admitting that their own services are not the right fit. The partners who are willing to take short-term losses for long-term honesty almost always build stronger, more profitable relationships over time.

Across the channel, this gap in trust is growing. Nowhere is it more visible than in cybersecurity. Too many companies are being sold inexpensive certifications or basic tools that tick compliance boxes but offer little real protection. It creates a dangerous illusion of safety, one that leaves organisations exposed to threats capable of bringing their operations to a halt.

Many businesses may not fully understand what they are buying or what specific risks they need to defend against. When vendors oversell lightweight solutions or fail to explain their limitations, they widen the divide between perceived security and actual resilience. If the channel is not truthful about what genuinely protects a business, we will never meaningfully secure the systems, data, and assets companies depend on.

This is where the best channel partners stand apart. They are the ones willing to say, “This will not keep you safe, and here is why.” They are transparent about risks, realistic about solutions, and confident enough in their expertise to risk losing a sale to protect a customer. In an industry drowning in noise, honesty becomes a refreshing and memorable differentiator.

Integrity is the new value driver

There is no denying the impact of AI on the channel. Much like cloud computing before it, it is transforming service delivery, accelerating product development, and reshaping how partners support customers. But it is also making many offerings look increasingly similar. When technology becomes commoditised, value shifts from what you provide to how you provide it.

AI can solve many real problems for businesses. But over the last 24 months, the market has been flooded with products hastily rebranded as AI to capitalise on the hype. Too often, the technology underneath has not meaningfully changed at all. Partners and customers are left wondering whether these tools genuinely deliver intelligent capability or whether the label has been added simply to accelerate sales. This opportunistic branding only adds to the noise and deepens the trust issues already growing in the channel.

This is why the partners who will thrive in the next decade are those who weave integrity into every part of their business. They create cultures where honesty is rewarded, not penalised. They train teams not only in product knowledge but in ethical decision-making and long-term thinking. They make transparency part of their everyday language, whether discussing pricing, capability limitations, risks, or alternatives. They invest in deep expertise, certifications, systems and processes so their recommendations genuinely protect customers rather than simply helping them pass an audit.

When trust becomes central to a company’s identity, everything changes. Conversations become more open. Loyalty strengthens. Customers begin to see partners not as suppliers but as advisors, people who act in their interest, provide clarity in complexity, and anchor decisions in truth rather than trends.

The channel’s future will not be defined by who adopts the most AI, automates the fastest, or sells the most security certifications. Those things matter, but they are no longer enough. The real competitive edge now lies in relationships built on transparency, ethics, and consistency. Partners who embrace this shift will find themselves winning not because of the flashiness of their offering but because customers believe in them.

Trust may not seem glamorous, but in a landscape crowded with identical claims and interchangeable technologies, it is the most powerful strategy we have.

Read the article on IT Pro here: https://www.itpro.com/business/business-strategy/why-trust-not-tech-will-decide-the-channels-future

By Glen Williams, Cyberfort CEO


For years, cybersecurity has been filed under the responsibility of the IT department, as if resilience could be achieved through technical controls alone. Yet the greatest weakness facing UK enterprises today is not a new strain of malware but persistent overconfidence in the boardroom. Far too many senior leaders believe their organisations are fully protected, while the operational reality tells a different story. This disconnect leaves businesses exposed in ways they often discover only after an attack.

The challenge is not a lack of technology. It is the misconception at the top that cybersecurity is in hand, when credentials, processes and controls are often outdated or incomplete. This happens not because IT teams are careless, but because they are expected to deliver enterprise-grade protection with limited budgets and little involvement from the wider business. The result is a dangerous mismatch between executive confidence and actual resilience.

Why board confidence rarely reflects reality

Boards usually receive cybersecurity updates in heavily distilled form: heat maps, compliance reports or certificate renewals. This creates an illusion of protection. If the business passed its annual assessment, leaders assume the organisation is secure. If an auditor issued a certificate, they believe it represents ongoing protection. Yet certificates do not stop attacks, and they are meaningless if the underlying controls are not actively maintained.

A certificate reflects a moment in time, not the evolving risk position of a complex organisation. Attackers operate continuously while many businesses validate their defences annually. This mismatch leaves leadership teams with a confidence that is rarely justified. They equate compliance with protection, despite the two being very different measures.

Within IT departments, the picture is more complicated. Teams manage legacy systems, incomplete identity controls and cloud environments that have grown faster than governance. They know where vulnerabilities sit, but without adequate investment and cross-functional alignment they cannot address them. Executives assume infrastructure is protected, but those responsible for that protection are often aware of gaps they lack the bandwidth or budget to close.

Minding the communication gaps

A recurring issue is the lack of a shared language between technical teams and business leadership. CIOs and CISOs may outline risks clearly, but by the time those risks reach the board, they are simplified in ways that remove critical nuance. This turns cybersecurity into a tick-box exercise rather than a strategic dialogue.

Another misconception is that having an IT department inherently makes the organisation safe. Cybersecurity relies on every employee, supplier, process and system being aligned to the same standards. Yet many leaders behave as if they have “purchased” safety in the way they might purchase insurance. If you cut the budget, you cut the protection.

Communication gaps worsen the problem. IT teams know when infrastructure is too old to patch or privileged accounts have proliferated, but unless leadership treats this as business-critical intelligence, the issues remain. Without a culture that values transparency, teams stop escalating concerns because they no longer expect change to follow.

Creating a culture of accountability

Resilience begins when leaders recognise cybersecurity as a shared responsibility. Technology alone will not save a business. What matters is governance, ownership and culture. Senior leaders must move cybersecurity to the top of the agenda and empower their CTOs, CISOs and IT teams to implement the processes needed to protect the organisation.

This means aligning budgets to risk, not convenience. It means embedding cyber considerations into every strategic decision, just as financial or legal risks are considered today. It also requires ensuring the technical truth reaches the board without being diluted into a reassuring summary.

The wider workforce also plays a critical role. Employees need clear guidance, practical training and consistent reinforcement. Cybersecurity cannot be left to a single team; it must be lived across the organisation.

Why the Cyber Security and Resilience Bill matters

The government’s Cyber Security and Resilience Bill is a reminder that the UK must raise its defensive posture. The Bill aims to set minimum resilience standards and strengthen supply chain protections. Supply chains remain one of the weakest entry points for attackers. Organisations can invest heavily internally only to be breached through a trusted supplier with inadequate controls.

If boards better understood what the Bill entails and what is missing from their current plans, they would be more able to empower their technical leaders. Understanding regulatory direction allows organisations to invest proactively and promotes accountability across suppliers, lifting standards across the entire ecosystem.

A call to the boardroom

Cybersecurity will only improve when overconfidence is replaced with informed responsibility. Leaders cannot assume they are protected because they have an IT team, a certificate or a budget line. Resilience demands engagement, investment and continuous dialogue. It requires CEOs and boards to treat cybersecurity as a business imperative, not a technical afterthought. Only then will UK organisations be prepared to defend themselves against the threats that evolve around them every day.

Read the article on Networking Plus here: https://networkingplus.co.uk/news-details?itemid=9364&post=the-cybersecurity-blind-spot-at-the-top-915204

Leaders from Bechtle, Cisilion, Computacenter, Cyberfort, Focus Group, Phoenix Software and Softcat weigh in


Glen Williams, Cyberfort CEO

Where does Cyberfort stand on peer-to-peer partnerships?

We work with your traditional VAR partners. Their security solutions are based on a vendor and some wraparound services, which is very different to doing pen testing, cyber consulting or secure by design work, which is what we do. In essence, we are the cybersecurity experts for some of these partners. Some of them have almost outsourced cybersecurity to us, and we almost white label it.

It’s not extensive, but we’re looking to try and grow it next year.

What’s your top tip for a successful peer-to-peer partnership?

There’s no right or wrong answer. Some people want to have one organisation to deal with. Others want to know they’re working with two companies and one’s an expert in the space. It just depends.

What I’ve seen work better is when they say, ‘this is the expert, and this is why we brought them in’ – typically that works well.

Read the full article on IT Channel Oxygen: https://itchanneloxygen.com/7-partner-leaders-on-rise-of-peer-to-peer-partnerships/3/

Glen Williams at Cyberfort argues that the real cyber-security vulnerability in businesses is leadership, not technology


For too long, many organisations have viewed cyber-security as a technical problem that sits squarely with the IT department. This belief has always been misguided, but in today’s modern threat landscape it is actively dangerous. The pace and sophistication of cyber-attacks have risen dramatically, yet many leadership teams remain detached from the operational reality of defending their organisations. Cyber-risk is now not just a technology risk, but a business risk and the C-Suite needs to treat it as such.

When leadership teams put cyber-security solely on the shoulders of IT, they inadvertently set the entire organisation up for failure. Most IT teams are already stretched thin, supporting every corner of the digital environment from infrastructure and devices to data management and software. Many operate with budgets that are already tightly allocated. Expecting them to carry full responsibility for safeguarding the business is neither fair nor feasible. 

A culture of shared cyber-security accountability can only emerge when leaders understand that cyber-resilience is woven into every aspect of the organisation, from finance and operations to human resources and procurement.

Putting cyber-risk on the boardroom agenda 

The first step is to make cyber-risk a standing agenda item at board level. Leaders must receive clear, contextualised reporting on cyber-exposure, emerging risks and the effectiveness of current controls. This reporting should be framed in terms of business impact rather than technical jargon so that conversations become strategic and informed. 

Senior leaders should ask questions, challenge assumptions and make sure that cyber-security decisions align with wider corporate objectives. In doing so, they signal to the entire organisation that cyber-security is not a back-office concern, but a core business priority.

To embed this mindset further, executives must take visible ownership of cyber-security behaviours. When leaders follow secure practices, complete training on time, and talk openly about cyber-security responsibility in staff communications, they demonstrate that cyber-security is a shared obligation that extends well beyond IT. Culture flows from the top, and employees are far more likely to take cyber-security seriously when they see leadership doing the same.

Stop chasing badges and build meaningful governance

Many organisations pour money into certifications and accreditations, believing they offer blanket protection. Frameworks such as Cyber Essentials or the ISO standards have their place, but they are only as effective as the strategy and partners supporting them. Accreditation without genuine operational understanding creates a false sense of security. A certificate on the wall does not stop a phishing attack, an insider breach or a misconfigured cloud service. Without the right partner to interpret, implement and maintain controls as the threat changes, these accreditations can become expensive tick-box exercises that lull leaders into dangerous complacency.

Effective cyber-security governance requires more than compliance. It demands clarity around roles, responsibilities and accountability across all levels of the business. Leaders should establish a governance model that connects cyber-strategy to business strategy with defined ownership for each area. This often includes forming a cross-functional cyber-security steering group which brings together representatives from IT, risk, finance, HR and operations. This group can help ensure that decision-making is balanced, informed and aligned with organisational goals rather than being driven by isolated teams.

Investment decisions should also be governed with maturity rather than panic. Many boards fall into the trap of approving new cyber-security tools whenever a new threat emerges. This reactive spending rarely leads to meaningful resilience. What is needed instead is an investment model based on risk, impact and long-term value. Leadership teams should build a clear picture of their threat profile and identify which controls genuinely reduce risk. With the right partner involved early in this process, organisations can avoid costly missteps and build a programme that enhances resilience rather than simply expanding the toolset.

The key message is simple. Responsibility for governance rests with senior leadership. IT can implement controls, but it cannot set the organisation’s risk appetite, resolve budget constraints or change culture on its own. Governance becomes effective only when the board is actively involved, asking the right questions and treating cyber-security as a strategic enabler rather than a compliance requirement.

Turning cyber-security from a burden into a shared duty

The success of any cyber-strategy, however, depends on how well it is communicated across the organisation. Leadership teams play a critical role in shaping these communications so that cyber-security responsibility becomes an everyday consideration rather than an occasional reminder. Too many organisations rely on one-off training sessions or dense policy documents that fail to resonate with staff. What is needed is a continuous communication strategy that keeps cyber-security relevant and accessible.

Open dialogue should be encouraged about cyber-incidents and near misses. When employees understand that reporting suspicious activity is welcomed rather than discouraged, they become an essential layer of defence. Executives can reinforce this by sharing anonymised case studies or lessons learned from industry breaches. This makes cyber-risk tangible without creating fear. The goal is to foster a culture in which people feel informed, involved and empowered.

Communication must also address the reality of today’s hybrid and decentralised working models. Cyber-security behaviours outside the office are just as important as those inside. Staff need to understand that secure practices extend to home networks, personal devices and remote collaboration tools. Leadership should ensure that communications and policies reflect this, offering guidance that is practical and straightforward.

The long winding road to cyber-protection 

Finally, boardroom members must recognise that cyber-security is not a destination but an ongoing journey. 

Threats evolve, technology evolves and organisations evolve. Maintaining a culture of shared accountability requires consistent communication about progress, changes in risk and improvements being made. This transparency builds trust and reinforces the message that everyone has a part to play.

Organisations that build this communication culture are those that move beyond the outdated notion that cyber-security is an IT problem. Instead, they create an environment where resilience is collective, governance is embedded and investment is aligned with need rather than novelty. In a world where every organisation is a potential target, this cultural shift is not optional. It is the only sustainable path to long-term protection.

The leadership teams that thrive in this era will be those that understand their influence reaches far beyond strategy and finance. They set the tone, define priorities and model behaviour. 

By taking ownership of cyber-accountability, aligning governance with investment and communicating with clarity, they create an organisation where every individual becomes part of the defence. That is how modern resilience is built and how businesses protect not just their systems but their future. 

Read the article on Business Reporter here: https://www.business-reporter.co.uk/management/cyber-security-a-critical-concern-for-the-c-suite

Nige Wilkinson – COO – Cyberfort


The introduction of the Cyber Security and Resilience Bill marks a defining moment in the UK’s approach to digital security. For years, regulation has focused on the most visible parts of the critical national infrastructure, but the digital economy has become far more interconnected and far more dependent on the unseen operators that keep it running.

By widening the scope to include data centres, managed service providers and a new class of critical suppliers, the bill recognises that resilience is shaped not only by the organisations at the forefront of service delivery but also by those embedded deep within the national supply chain.

This shift is an important one. Data centres and managed service providers are now fundamental to how business is conducted. They host the information that fuels decision making, the platforms that support essential public services and the systems that underpin national productivity. Yet the bill’s current definition of a critical supplier remains broad and, at present, untested.

The absence of clear consultation with the industry on what constitutes criticality leaves room for uncertainty. A data centre hosting low risk workloads could be treated in the same way as one supporting essential public services. For operators and investors alike, such ambiguity could influence future development decisions and impose new requirements that are not aligned with the risk profile of their services.

While the details of classification require further refinement, the intention behind the legislation is sound. Cyber threats increasingly exploit the gaps that exist between interconnected partners rather than focusing solely on direct targets. As organisations have matured their own defences, attackers have looked outward to the suppliers and service providers that form the operational backbone of modern businesses. 

The bill acknowledges this reality. It places supply chain resilience at the forefront of regulatory attention and emphasises that security must be consistent from end to end if it is to be effective.

Training people is easy. Securing partners is harder

Employees are often highlighted as the main vulnerability within organisations, yet they are also the most addressable. People can be trained, educated and equipped to understand the nature of evolving threats. Supply chains, by contrast, are more complex. 

They are formed of partners who do not always adhere to the same standards and who may have very different levels of maturity in their own security practices. Without shared expectations and a unified framework, individual resilience will never translate into ecosystem resilience. The new provisions for faster incident reporting and enhanced enforcement powers are therefore meaningful steps towards creating a more transparent and accountable operating environment. They encourage collaboration, raise the collective bar and help ensure that weaknesses cannot be hidden within the less visible layers of the digital infrastructure.

Resilience requires more than regulation

However, true cyber resilience cannot be guaranteed by regulation alone. It must become embedded within organisational culture. Some businesses are still not fully compliant with GDPR despite its introduction seven years ago. Compliance, by itself, does not create resilience. 

It is the minimum threshold, not the desired state. The new bill risks becoming another set of obligations that organisations react to rather than a catalyst for genuine transformation. The success of the legislation will depend on whether businesses choose to act now to strengthen their security posture or wait until the obligation becomes unavoidable.

Cyber resilience is ultimately about safeguarding the data, systems, people and partnerships that underpin both economic stability and public trust. The bill sends a clear message that resilience is no longer a matter of choice but a shared responsibility. Those who begin preparing today will be best placed to thrive in a future where cybersecurity is not an operational consideration but a fundamental requirement for sustainable growth.
