Cyber Security Unity is a global community and content hub that is dedicated to bringing individuals and organisations together who actively work in cyber security. The aim of Cyber Security Unity is to foster greater collaboration in the industry to help combat the growing cyber threat. Our work is showcased through the provision of strong thought leadership via blogs, articles, white papers, videos, events, podcasts and more. For more information visit www.csu.org.uk.

by Lisa Ventura MBE FCIIS

Yesterday’s #InfosecLunchHour December virtual meetup brought together cyber security professionals to discuss the incoming Cyber Security and Resilience Bill and the broader challenges facing UK organisations in an increasingly complex threat landscape.

The Cyber Resilience Bill: A Regulatory Reaction Without Vision?

The conversation centred on the upcoming Cyber Security and Resilience Bill, due for implementation early in the new year, and the concerns were immediate and striking. Participants questioned whether the legislation represents a genuine step forward or merely another layer of compliance burden without addressing fundamental security challenges.

The primary criticism focused on the bill’s lack of a holistic approach. Whilst the legislation aims to strengthen cyber resilience across UK organisations, there remains significant uncertainty about how compliance will be measured, monitored, and enforced. The tight timeframe for implementation has left many organisations scrambling to understand what is actually required of them, let alone how to achieve it.

The discussion revealed a familiar pattern: reactive legislation created in response to high-profile incidents rather than proactive policy designed to build long-term resilience. The question repeatedly posed was not whether organisations support the principle of improved cyber resilience, but whether this particular legislative approach will achieve meaningful change or simply create additional administrative overhead.

Regulators and Responsibilities: Who Watches the Watchers?

A significant portion of the discussion focused on enforcement mechanisms and regulatory oversight. The legislation assigns responsibility to different regulators depending on the industry sector, with the Information Commissioner’s Office likely serving as the ultimate arbiter for data protection elements.

However, participants expressed scepticism about effective enforcement. The current regulatory landscape already includes substantial data protection requirements under UK GDPR, yet compliance remains patchy at best. Organisations often calculate that the risk of non-compliance, combined with the relatively low probability of meaningful enforcement action, makes investment in comprehensive security measures economically questionable.

The conversation highlighted a fundamental problem: regulatory frameworks only work when there are genuine consequences for non-compliance. Without significant financial penalties or reputational damage, organisations will continue to treat security as a cost centre to be minimised rather than a business imperative to be prioritised.

Participants also discussed the need for more proactive engagement between organisations and regulators. Rather than waiting for breaches to occur and then investigating, there was support for creating mechanisms where organisations could work collaboratively with regulators to improve reporting, share threat intelligence, and streamline incident response processes.

Supply Chain Risks: The Single Point of Failure Nobody Discusses

The meeting devoted substantial attention to supply chain vulnerabilities, prompted by recent high-profile incidents including the Jaguar Land Rover cyberattack. The discussion revealed uncomfortable truths about modern business dependencies and the cascading effects when critical suppliers are compromised.

One particularly striking observation concerned the rediscovery of traditional business continuity practices. The revelation that Lloyd’s of London now requires immutable backups demonstrates how some fundamental principles, temporarily forgotten in the rush to digital transformation, are being relearned the hard way. The group discussed how organisations have sometimes eliminated basic business processes in favour of digital efficiency, only to discover during incidents that those processes provided essential resilience.

The interconnected nature of modern supply chains creates risks that individual organisations cannot mitigate alone. Smaller companies serving as suppliers to larger enterprises find themselves in an impossible position: they lack the resources to implement comprehensive security measures, yet a breach could destroy not only their own business but also disrupt their larger clients. The question was raised whether organisations include their largest clients in their operational risk registers, recognising that over-dependence on a single customer represents a significant vulnerability.

A cautionary tale emerged about due diligence and supply chain depth. One participant shared an experience where dual internet suppliers, implemented specifically for redundancy, both used the same physical conduit. When that conduit was damaged, both connections failed simultaneously. This anecdote prompted discussion about how far down the supply chain organisations can realistically conduct due diligence, and at what point the complexity becomes unmanageable.

The Great CISP Experiment: When Good Ideas Go Wrong

The discontinuation of the Cyber Information Sharing Partnership (CISP) platform by the National Cyber Security Centre provided another focal point for discussion. Participants who had used the original CISP remembered it as a valuable forum for information sharing and threat intelligence but acknowledged that the re-engineered version failed to gain similar traction.

The original CISP was well-attended and created genuine value through facilitating information exchange between organisations. However, the redesigned platform suffered from usability issues and ultimately failed to recreate the collaborative environment that made the original successful. The early warning system, one of CISP’s key features, will also be discontinued at the end of March, forcing organisations to seek commercial alternatives.

The discussion touched on liability concerns around information sharing. Whilst CISP did not provide explicit liability shields for organisations sharing threat intelligence, content was appropriately flagged according to sharing permissions. The discontinuation of CISP highlights a broader challenge: without strong national coordination, individual organisations are left to develop their own solutions or purchase commercial alternatives, fragmenting the collective defence approach that cyber security requires.

This trend towards siloed, organisation-specific solutions was evidenced by NHS England setting up its own Information Sharing and Analysis Centre (ISAC). Whilst this ensures the health service has appropriate mechanisms for threat intelligence sharing, it raises questions about whether multiple sector-specific ISACs represent the most effective approach or whether a coordinated national platform would better serve collective resilience.

Resilience Versus Recoverability: The Distinction That Matters

An important conceptual discussion emerged around the difference between resilience and recoverability. These terms are often used interchangeably in cyber security discourse, but participants emphasised the need to distinguish between them more clearly.

Resilience implies the ability to withstand an attack or incident whilst maintaining operations. It suggests robust defences, redundant systems, and the capacity to continue functioning even under adverse conditions. Recoverability, by contrast, acknowledges that systems may fail or be compromised, but focuses on the organisation’s ability to restore normal operations within acceptable timeframes.

This distinction has practical implications for how organisations approach security investment and planning. A resilience-focused strategy prioritises prevention and continuous operation, whilst a recoverability-focused approach accepts that breaches will occur and emphasises effective response and restoration capabilities.

The legislation’s emphasis on “resilience” may be misleading if organisations interpret this as requiring impenetrable defences. A more realistic approach acknowledges that sophisticated attacks will sometimes succeed, and that recovery capabilities, including properly maintained backups, documented processes, and rehearsed incident response procedures, are as important as preventive measures.

The Basics Still Matter: ISO Standards and Foundational Security

Despite the sophisticated nature of many cyber threats, the discussion repeatedly returned to basic security failures that continue to plague organisations. Participants shared observations of common weaknesses: poor forensic preparedness, inadequate multi-factor authentication implementation, lack of privilege management, and fundamental gaps in security hygiene.

The role of ISO standards in establishing foundational security frameworks received particular attention. Participants emphasised that standards like ISO 27001 should be understood as baseline requirements rather than gold standards. They provide essential frameworks for security management, but organisations need to recognise them as starting points for building comprehensive security programmes tailored to their specific risk profiles.

The conversation highlighted the need for proportionate approaches to regulation and legislation. Blanket requirements that fail to account for organisational size, sector, and risk profile create compliance burdens without corresponding security improvements. Smaller organisations particularly struggle with frameworks designed for large enterprises with dedicated security teams and substantial budgets.

Shadow IT emerged as another persistent challenge. Organisations often discover legitimate business services running on unofficial systems or platforms, sometimes hosted on obscure subdomains that create security risks. One participant shared historical experiences of phishing campaigns exploiting legitimate subdomains, demonstrating that organisations can inadvertently facilitate attacks against themselves through poor governance of their digital estate.

The Implementation Gap: Policy, Practice, and Practicality

Throughout the discussion, a consistent theme emerged around the gap between regulatory intention and practical implementation. Legislation like the Cyber Resilience Bill articulates important principles and creates frameworks for security requirements, but the challenge lies in translating these into meaningful action within organisations of vastly different sizes, capabilities, and risk profiles.

The short timeframe for implementation exacerbates these challenges. Organisations need time to understand requirements, assess their current security posture, identify gaps, develop remediation plans, and implement necessary changes. Rushing implementation increases the risk that organisations will focus on superficial compliance rather than genuine security improvement.

The discussion also touched on the importance of engaging organisations proactively rather than punitively. Security professionals understand that perfection is impossible and that organisations will always face resource constraints. Regulatory approaches that support and enable security improvement, rather than simply punishing failure, are more likely to achieve lasting change.

Key Takeaways

The December #InfosecLunchHour highlighted several critical points for the UK cyber security community:

Legislative effectiveness depends on enforcement: Without meaningful consequences for non-compliance, even well-intentioned legislation will fail to drive necessary change.

Supply chain vulnerabilities require collective action: Individual organisations cannot adequately address risks that originate from their suppliers and partners. Industry-wide collaboration and standards are essential.

Basic security hygiene remains the foundation: Sophisticated threats make headlines, but basic security failures continue to be the primary attack vector. Standards and frameworks provide essential starting points but must be properly implemented.

Resilience and recoverability are not interchangeable: Organisations need clarity about which they are prioritising and must ensure their security investments align accordingly.

Implementation timeframes must be realistic: Rushing compliance creates superficial change rather than genuine security improvement.

National coordination matters: The discontinuation of CISP and the proliferation of sector-specific solutions suggest that collective defence approaches are fragmenting when they should be strengthening.

Looking Ahead: #InfosecLunchHour Festive Special and 2026 Monthly Meet Ups

As the meeting drew to a close, participants looked forward to the #InfosecLunchHour festive special scheduled for Wednesday 17th December 2025 at 12.30pm GMT, promising a lighter tone whilst maintaining the valuable exchange of ideas and experiences that makes these gatherings worthwhile.

The next regular #InfosecLunchHour meetup will take place on Wednesday 7th January 2026, as the cyber security community begins 2026 with fresh challenges and hopefully some progress on the issues discussed.
_________________________________________________________________________________________

This article has been written under Chatham House rules based on discussions at the December 2025 #InfosecLunchHour meetup. Individual comments have not been attributed to specific participants.

The next #InfosecLunchHour Festive Special will take place on Wednesday 17 December 2025 at 12.30pm GMT on Zoom, with the next regular meetup scheduled for Wednesday 7 January 2026 at 12.30pm GMT. Please email Lisa Ventura MBE FCIIS via lisa@unitysolutions.org.uk to be added to the calendar invite and receive the Zoom joining details if you would like to come along and take part.

