Cyber resilience: a strategic board-level priority

Our director of security shares his key takeaways from the Association of Colleges (AoC) Governance Professionals Conference.
Cyber security is no longer just an IT issue – it is a critical strategic responsibility for boards. Awareness of the rapidly evolving cyber threat landscape has never been higher.
Following high-profile attacks on organisations such as M&S, the Co-op and Jaguar Land Rover, government messaging is clear that cyber resilience is a critical national priority, with responsibility resting not just with IT teams but firmly at board level.
This was made explicit in the NCSC Annual Review 2025, which states: “Cybersecurity is now a matter of business survival and national resilience.”
In October 2025, this position was reinforced by a ministerial letter sent to boards and CEOs across the country. It called on organisations to make cyber risk a top priority and urged the use of the Cyber Governance Code of Practice as a framework for action, ensuring robust measures are in place to respond to an attack, maintain operations during an incident, and recover following a destructive cyber event.
Alongside this, the forthcoming Cyber Security and Resilience Bill will introduce new legislative requirements for organisations, further increasing expectations around cyber security posture and resilience.
As I told the AoC Governance Professionals Conference, the message is clear: the time to act is now, and this needs to be a priority for every board and senior leader.
The evolving threat to the HE, FE and research sectors
At Jisc, we often describe protecting the higher and further education sector from digital threats as the biggest challenge in cyber security. We know that education institutions are being deliberately targeted by threat groups, with attackers drawn to the scale and sensitivity of student data, research outputs and financial information held within the sector.
Institutions need to understand not only the potential consequences of a breach, but also the pace at which the threat landscape is evolving. The increasing use of AI is creating new and more effective ways to exploit and weaponise vulnerabilities, often within ageing infrastructure protected by outdated security standards.
This includes more convincing phishing and fraud through AI-generated emails, voice cloning and deepfakes, as well as faster malware development, with code that can adapt to evade detection.
As a result, there must be a renewed focus across the sector – and nationally – on collective defence and information sharing.
Identity, monitoring and resilience
A central part of improving resilience is stronger adoption of identity security and enhanced monitoring. Cyber security is no longer just about patching systems, but increasingly about understanding typical user behaviour and noticing anomalies. That means people, not just technology, must be alert.
Identity has become central to organisational security, shifting the focus from technical controls alone towards cultural awareness.
For example, a user account logging in from an unexpected country may indicate identity compromise. This again underlines the importance of board-level engagement if institutions are to take their people on an awareness journey and make meaningful progress in strengthening resilience.
The responsibility for boards to become cyber security literate
The Cyber Governance Code of Practice sets out five core principles for boards: risk management, strategy, people, incident planning, and assurance and oversight.
Cyber Essentials is the UK Government-backed minimum security standard, and its universal implementation is the starting point for all organisations. This can be strengthened through adoption of Cyber Essentials Plus, which involves independent technical testing of controls.
Cyber Essentials Plus confirms real-world effectiveness, providing higher assurance to boards and supporting audit, regulatory and risk confidence.
Organisations should also be working towards Cyber Assessment Framework (CAF) 4.0 as a gold standard; it provides an even greater level of assurance over cyber controls.
The tools we need are already in place
The NCSC already provides a strong suite of resources, including toolkits, a Code of Practice and governance training. These resources support cyber risk management, supply chain assurance and sector resilience.
They translate technical cyber risk into relevant insight, encourage board ownership of cyber strategy and oversight, and enable informed, constructive conversations between boards and cyber teams. The tools already exist; what is needed now is consistent implementation, supported clearly from the top.
Support from us
Our highly active cyber security community group has grown to more than 2,800 members and brings together a diverse network of security professionals from across the sector. The group provides valuable insight into best practice and plays an important role in driving collaboration.
Our members also benefit from Janet, the UK’s most secure, high-capacity network, and access to our Security operations centre (SOC), which represents the gold standard in proactive threat prevention and response for education and research.
In addition, we have produced a guide featuring 16 key cyber security considerations to help boards ask the right questions and strengthen their oversight.
