Amid intensified regional conflicts, headline-grabbing cyber attacks, and the emergence of AI-driven threats, board-level representation for cyber security surged 55% in the last 12 months within the UK’s critical national infrastructure (CNI) organisations.
The figures are revealed in new research from Bridewell, which surveyed 521 staff responsible for cyber security at UK CNI organisations (encompassing civil aviation, telecommunications, energy, transport, media, financial services and water supply).
In central government, the percentage of organisations with a board-level cyber security representative increased massively – by 250% – rising from just 6% last year to 57% this year, reflecting the imperative to improve security in the face of an onslaught of attacks.
The urgency to act in central government has steadily increased as threats have grown. Attackers gained access to masses of data in a successful 2021 attack on the Electoral Commission, for example. In November last year, the National Cyber Security Centre’s annual review featured a call from the government for improved CNI cyber preparedness as threats mount, whilst further attacks on election infrastructure are likely this year ahead of next month’s general election.
Across all CNI sectors, 29% of organisations now have a Chief Information Security Officer (CISO) or person with cyber security responsibilities on their board of directors, compared with 19% last year. More than a quarter (27%) of organisations are currently bringing in such changes, and 19% plan to within the next 12 months.
The research found, for example, that in the civil aviation sector, although 37% of organisations already have a cyber security board member and 21% are in process of appointing one, 11% have no plans and cannot foresee they will ever have one, despite the obvious threats.
Anthony Young, Chief Executive Officer of Bridewell, said: “As CNI organisations grapple with a challenging and changing environment, it is very welcome to see such a significant increase in board members with responsibility for cyber security. Even if the overall level is still too low and a greater sense of urgency is required, the signs are there that cyber security is getting the recognition it needs at the top table. The increase in such appointments among central government organisations, for example, shows they are acting on their own advice that organisations must give priority to cyber concerns.
“Threats are proliferating and nation-state activity is more determined and well-resourced, aimed very specifically at our critical infrastructure organisations. Cyber security must have a voice at the top table in every organisation as part of a fully-developed strategy that includes technology, human expertise and constant vigilance.”
The research also found a very significant 89% increase in the percentage of CNI organisations that have aligned their cyber security strategy to their business objectives – up from 15% in the 2023 research to 29% this year.
All CNI organisations must ensure their business initiatives do not jeopardise cyber security. Having a senior figure on the board with cyber security as part of their job description helps ensure security awareness and best practice are embedded across the organisation.
