Last week, Mike Haywood and Alan Chambers from the Cyber Security Centre (CSC) attended CYBERUK 2025, where the theme ‘Transforming Resilience. Countering Threats’ set the tone for urgent and forward-looking discussions. In a powerful opening address, Cabinet Office Minister Pat McFadden underscored that cybersecurity is no longer a routine concern but a national imperative, highlighting recent high-profile attacks and warning that threats from hostile states and cybercriminals are becoming more frequent, sophisticated, and disruptive. His remarks framed a conference that brought together leaders, practitioners, and policymakers from across the cybersecurity landscape to shape the future of cyber resilience.
A clear message echoed throughout the event: cybersecurity is a strategic issue, not just a technical one. It requires strong governance, collaboration across sectors, and a commitment to resilience. This message ran through the various keynotes, panels, and breakout sessions, but it was in the individual stories, practical examples, and reflections from speakers that these ideas truly came to life. Here are some of the key lessons we took away from those moments.
Cybersecurity Strategy & Governance: Elevating the Conversation
One of the strongest themes at CYBERUK was the need to reposition cyber as a core governance issue. Boards must set the tone from the top by defining risk appetite and embedding a code of practice for cyber oversight. Yet, many leadership teams still lack sufficient cyber expertise, leaving critical gaps in decision-making.
Life Will Still Go On…
Sir Ciaran Devane, Chairperson at the Health Service Executive (Republic of Ireland), shared his experiences from the cyber-attack in 2021. In a panel, he identified that after the attack the initial priority was not cyber but to do the ‘right thing’ for patients. While so many organisations reflect on the technical response to a cyber-attack, the reality is that contingency and business-as-usual operations need to be part of your cyber response plan(s).
Public-Private Collaboration: A Shared Responsibility
CYBERUK emphasised the power of partnerships across both the private and public sector. A “campaigning mindset” was advocated: one that lowers barriers to knowledge sharing and invites the wider community into the cyber conversation.
From joint threat intelligence initiatives to collaborative exercises, it’s clear that meaningful public-private cooperation is key to building a resilient ecosystem.
Passkeys: The Death of the Traditional Password?
The growing momentum behind passkeys as a replacement for traditional passwords was a key topic of discussion. Experts highlighted how passkeys, cryptographic credentials tied to a device and protected by biometrics or a PIN, offer a more secure and user-friendly alternative to passwords, which are often reused, weak, or phished. With support from major tech providers, passkeys are being positioned as a future standard for authentication, reducing the risks associated with password-based systems and helping organisations strengthen their cyber resilience.
A Shifting Threat Landscape: Staying Ahead of the Curve
The nature of threats continues to evolve. State-sponsored actors, hacktivists, and terrorist groups are targeting political, economic, and societal structures. Attacks, such as those on Germany’s Social Democratic Party, showcase the growing sophistication and geopolitical motivations behind cyber campaigns.
CYBERUK reinforced the importance of threat hunting, red-teaming, and scenario-based exercises to maintain readiness. But it also highlighted a more human concern: the increasing pressure on cybersecurity staff, who are often on the frontline of complex and relentless attacks.
Cyber Hygiene & Resilience: Fundamentals First
No matter how advanced the threat, strong cyber hygiene remains the foundation of resilience.
Whilst a familiar message to some, the introduction of preventative measures such as 2-step verification (multi-factor authentication) was promoted. It was estimated that 60% of cyber-attacks could have been avoided if this had been deployed comprehensively by organisations.
In recognition that Boards have often struggled to know what steps to take to address this risk, or what good looks like, several presentations and panel discussions referenced the Cyber Governance Code of Practice.
This has been developed to support Boards and Directors, and it sets out the most critical governance actions that Boards need to take ownership of.
Global Perspectives: Learning from Peers
Hinting at the speed of change, CYBERUK offered a valuable look into how other nations are introducing or building on previous legislation in order to tackle similar challenges:
- Japan’s Active Cyber Defence Bill - amongst other measures, the legislation will require critical national infrastructure providers to report cybersecurity incidents.
- Germany’s NIS-2 legislation - will see a large increase in the number of entities in scope of the legislation.
- Singapore - in 2024 passed the Cybersecurity Amendment Bill, amending the Singapore Cyber Security Act 2018. The change was introduced to address the evolving cyber security challenges brought about by, amongst other things, the rise of cloud computing.
- UK Cyber Security and Resilience Bill - if adopted, the proposed measures will increase the number of organisations brought into scope.
In line with legislative changes being introduced elsewhere, we are able to report that the Isle of Man’s National Infrastructure Security Bill (NISB) is progressing. If introduced, the NISB will raise levels of cyber security and resilience for core services on the Isle of Man, which rely heavily on digital services.
Updates and developments to the NISB will be announced on our website and through gov.im.
Recovery & Response: Planning for Life After the Attack
Cyber-attacks are no longer a matter of if, but when. CYBERUK made it clear that organisations must invest not only in prevention but in recovery. Robust backups, response plans, and regular testing are critical.
Real-world examples drove the point home: recovery from major incidents can take months, or even years. Ffion Flockhart, Global Co-Head of Cybersecurity at A&O Shearman, shared an experience of it taking nine months to restore partial service and over three years to achieve full recovery.
Final Thoughts
The discussions at CYBERUK 2025 highlighted that as cyber threats become more sophisticated, so too must our responses. It’s not enough to just defend; we must also prepare, recover, and adapt. The event also gave us a great opportunity to connect with a wide range of partners from across the British Isles, and we look forward to working together more in future.
We’re looking forward to taking the lessons and key messages of CYBERUK and bringing them, alongside a range of high-profile speakers, to CYBERISLE on the 15th of October.
More information can be found on our CYBERISLE webpage.