CNI Under Siege: Why Boards Must Own Cyber Risk

From National Grid to OVO Energy, CISOs at the UK's most critical organisations agree: cyber risk is a board-level issue.

Governance & Leadership
Regulations & Compliance
March 23, 2026
7 minutes

From National Grid to OVO Energy, security leaders at the UK's most critical organisations agree on one thing: cyber risk can no longer be delegated to IT departments. It belongs in the boardroom.

This isn't theoretical. The NCSC recorded 204 nationally significant cyber incidents in 2024-25 — more than double the previous year. For CNI organisations, the consequences extend far beyond financial loss. A severe cyber attack on energy, transport, water, or telecommunications can disrupt essential services, endanger public safety, and compromise national security.

The Evidence for Board Ownership

Eighteen of those 204 incidents were classified as highly significant, marking a 50% increase for the third consecutive year. High-profile attacks on the Co-operative Group, Marks and Spencer, and Jaguar Land Rover demonstrated that even large, well-resourced organisations are vulnerable.

The NCSC's guidance on severe cyber threat preparation is explicit: such attacks could shut down critical services, erase or corrupt data, and damage physical industrial control systems. These are not risks that can be adequately managed by a CISO operating in isolation.

They require strategic prioritisation, resource allocation, and governance at the highest organisational level. When the CISO is three levels below the board, decisions get diluted, funding gets constrained, and risks drift below acceptable thresholds.

What CISOs at Major CNI Organisations Are Saying

An Innovation Forum roundtable of CISOs from National Grid, OVO Energy, Santander, Vocalink, Evri, Crown Estate, and National Gas revealed consistent concerns across sectors.

Regulation is outdated and uneven. NIS2 is tightening requirements across Europe, but implementation varies by sector. Ofgem was specifically criticised for lagging behind the threat landscape. Boards need to understand not just current compliance but where regulation is heading.

Social engineering remains dominant. Despite significant investment in technical controls, human factors are still the primary entry point for attackers. The emergence of deepfake technology is escalating this threat. Realistic deepfake simulations for executive teams are becoming necessary.

Supply chain risk is systemic and evolving. Multiple CISOs highlighted that their organisations' security is only as strong as their weakest supplier. Some argued that supply chain diversity — rather than consolidation — may actually be a better defence.

The definition of critical national infrastructure is expanding. CNI now extends beyond traditional sectors to include digital platforms, SaaS supply chains, and wearable technology. More organisations fall within CNI scope than realise it.

The Governance Gap

Despite the clear case for board engagement, a governance gap persists. The Forescout Global Industrial Cybersecurity Benchmark found that 64% of organisations classify their OT security maturity as foundational. This level of maturity is inconsistent with the threat level the NCSC describes.

Part of the problem is presentation. Cyber security is often explained to boards in technical language that obscures rather than clarifies the risk. Effective board engagement requires translating cyber risk into business terms: financial exposure, operational continuity, regulatory penalties, and reputational impact.

The economic data supports this translation. UK businesses face an average cyber incident cost of £195,000. But for CNI organisations the figures are higher. A KPMG scenario modelling a one-week rail cyber attack estimated the total cost at £1.8 billion. These are numbers boards understand and can act on.

What Good Governance Actually Looks Like

Cyber risk is a standing board agenda item. Not an annual presentation. The threat landscape evolves continuously, and board oversight must keep pace.

The CISO reports to the board or a board-level committee. Not buried several layers down in an IT hierarchy. This ensures security concerns are heard where resource allocation decisions are made.

Security budgets reflect actual risk exposure. Not compliance minimums. The NCSC's guidance is clear: organisations must plan for severe scenarios, and this requires investment in people, processes, and technology.

Incident response plans are tested at board level. Tabletop exercises involving executives and board members ensure that decision-making is practised before a crisis, not improvised during one.

Talent investment is a governance priority. The skills shortage in cyber security is not just an HR problem — it is a risk factor boards need to understand and address through competitive compensation, development programmes, and strategic workforce planning.

The Strategic Imperative

The evidence from the NCSC, from CISO roundtables, and from the regulatory landscape points in one direction. Cyber risk in CNI is a strategic issue that demands strategic governance. Boards that recognise this and act accordingly will lead organisations that are more resilient, more compliant, and better positioned to attract the talent that makes security possible.

Laurence Connor
Operations Director, Foundations Search