Cyber resilience in the UK: learning to take the punches

UK law now puts resilience at the centre of cybersecurity strategies – but is legislation simply catching up with enterprise understanding that resilience is more than just an IT issue?

A digital render of Europe, lit in blue lights against a dark map.
(Image credit: Getty Images)

The UK’s Cyber Security and Resilience Bill recently passed its first reading in the House of Commons.

This is just the first step in a process that should see the bill become law later in 2026, or in 2027. The legislation sets out to strengthen UK cyber defences, in what the Government calls a “fundamental step change in the UK’s national security”.

Under the proposed laws, certain categories of organizations, such as managed services providers and data centre operators, will need to increase their cybersecurity defences.

Regulators will gain new powers over cybersecurity in their sectors, and the Government will be able to “direct” regulators or regulated organisations to respond to threats to national security.

Not the UK NIS2

The proposed law will update the UK’s existing NIS Regulations, which date back to 2018. The EU, of course, has had its own update, NIS2, since January 2023.

Although the CSRB has some similarities to NIS2, it does not go as far as EU law, as Natalie Donovan, head of knowledge, tech and digital at law firm Slaughter and May, points out. It will not, for example, cover as many sectors or mandate specific security requirements.

What the new law does do is mark a change in emphasis. The focus is on security across supply chains and, increasingly, on resilience. But the move to focus on resilience, rather than defence alone, is already well underway across both the public and private sectors, with the CSRB and other regulations playing catch-up.

Cybersecurity consultant Jen Ellis chaired two sessions on the CSRB and UK cybersecurity regulation at the recent Black Hat Europe conference.

“There’s no such thing as achieving a completely secure state, so it makes sense to think about how you can best weather an attack, minimizing the negative impact and keeping the business running as far as possible,” she told ITPro.

“The UK government plays an important role in educating, encouraging, and where necessary, mandating adoption of better security practices,” she adds. “Its focus on cyber resilience in the upcoming CSRB legislation will help ensure that regulators for critical national infrastructure increase their focus on this area.”

Regulators, she adds, will task the organizations they cover to do more to prove they can “weather cyberattacks with minimal fallout”.

I get knocked down…

This means shifting cybersecurity thinking towards assuming a breach will happen, rather than investing ever more on perimeter defence.

“Prevention is not enough,” Albert Estevez Polo, global field CTO at Zero Networks, tells ITPro. “Investing all your money in trying to prevent the next attack is not enough.

“You're going to be hit by something new that you didn't expect. Is your network ready to be resilient, to contain an attack and prevent access, or is your infrastructure open so that it will multiply its blast radius and affect your Crown Jewels?”

Security teams can use zero trust architectures, or tools such as network microsegmentation, to limit the impact of any attacker that does breach defences.

Just as important, though, is how an organization recovers from a breach, and how quickly it can restore the minimum services it needs to trade, or in the case of the public sector, to serve citizens.

Here, recent cybersecurity events are helping CISOs to argue their case.

“Things like Marks and Spencer, JLR, Co-Op and all of that have actually been quite useful in that debate,” James Morris, CEO of CSBR, a policy centre set up to promote cybersecurity and resilience, tells ITPro.

“Resilience, for me in this space, is about making sure that organizations are prepared for all eventualities, so it's partly preventative,” he adds.

“Developing a resilience mentality within companies requires board level commitment. It needs to be percolated throughout the whole organisation,” suggests Morris. “We test things, we run simulations about what may or may not happen if certain things were to occur. And that's not just about technical resilience, but organizational resilience.”

…I get back up again

There is, though, no standard definition of either cyber resilience or business resilience.

Much depends on the organization, its board’s approach to risk, and how long it can cope with disruption or downtime.

“It's back to basics,” says Ian Nicholson, head of incident response at Pentest People. “Understand your environment, understand what you need as a business, and if the worst happens, how are you going to bring it back up and test it?”

This applies whether the cause is a technical outage, natural disaster or cyberattack. “For me, resilience has always been a wider business story. None of this has ever been a cybersecurity story,” Nicholson adds.

“We need to understand the wider business disruption and hopefully the Bill, with its reporting, better evidence and shared accountability across supply chains, should really help,” he tells ITPro. Often, he says, firms are better prepared for a flood than a ransomware attack.

Regardless of the incident, though, CIOs and CISOs need to plan how to recover. This includes knowing which systems are the most critical and need the strongest defences, and which need to be prioritized in recovery operations. This can mean being brutally honest with the board, and other stakeholders.

“The government’s message in general for the wider economy is focused on resilience,” says Rafe Pilling, director of threat intelligence at Sophos. “Cybersecurity is a component of resilience. And resilience is made up of how we protect ourselves and prevent things happening in the first place. But if it does happen, are we positioned to quickly respond and recover from it?”

Leaders will need to rely on careful planning, skilled personnel, and exercises including incident response and recovery drills. This will also mean bringing physical security, cybersecurity, IT and operational technology closer together, as well as supporting functions including legal, HR and communications.

“The bill is predicated on the idea that it's going to drive up standards,” adds Morris. “So, driving up cybersecurity standards, making sure that my systems are complying, and making sure that I'm in a state of readiness.”

Weaker organizations could be brought up to a minimum standard through the bill, he suggests. The impact could be smaller on those that already have mature business continuity and cyber response plans.

As the CSRB moves to its Second Reading in 2026, MPs will be tasked with making sure the bill improves cyber resilience across the economy, without putting an undue burden on CIOs and CISOs whose organisations already follow best practice.