An image of an online meeting on a laptop with the image blurred and a green plant in the foreground.
3rd October 2023

Cyber expertise is essential for UK boards in the information age

The remit of UK boards is expanding as the world becomes more complex.

Where once financial acumen, sectoral expertise, and the ability to lead were the most vital characteristics, today’s boards must be equipped with a broader array of skills, particularly as companies reposition amid the rise of ESG.

But while companies are making good progress on those fronts, the emergence of new digital threats has become impossible to ignore, and now requires proper representation among the leadership of UK plc. Nearly four-in-ten companies faced cyber attacks in 2022, up from a little over three-in-ten a decade ago, according to data from IT support services firm AAG. Meanwhile, only 62% of sizeable British businesses have a board member designated for cybersecurity, predominantly in sectors like finance, insurance, information, and communications, according to a 2022 survey by the Department for Digital, Culture, Media and Sport (DCMS).

Awareness isn’t the problem. The DCMS survey found that cybersecurity is now a higher priority than ever, but “there remains to be a lack of both will and skill around organisational cybersecurity, resulting in gaps in some more fundamental areas of cyber hygiene.”

It’s a shame, because the benefits of getting on top of the issue extend beyond merely stopping the worst from happening. Rather, cybersecurity can be an enabler of positive change – it came as little surprise that organisations with a pro-active approach to cybersecurity were able to adapt quickly to the challenge of providing secure homeworking in response to the Covid-19 pandemic, for example.

The National Cyber Security Centre used that example when it published a toolkit for UK boards. Among its key conclusions were that board members didn’t need to be technical experts, but they did need to know enough about cybersecurity to have constructive discussions with key staff so they can be confident that cyber risk is being appropriately managed.

That was a tacit acknowledgement of a broader truth: that the UK faces a lack of cybersecurity expertise across the board, amounting to a shortage of about 14,000 people with relevant skills, according to the Cyber Security Council. The problem is particularly acute among senior leaders, as my colleague Caius Freeman explored in June. There are workarounds: while boards can implement cybersecurity expertise directly, we’ve also seen success by bringing in external advisors to provide regular input.

Addressing the issue will only grow more urgent. Experts expect the volume of cyber-attacks to climb steadily over the next five years as the digital ecosystem grows more complex. The rise of AI, for example, will help attackers better detect vulnerabilities in systems and networks, or create evasion strategies that resemble genuine user behaviour. However, the same tools could improve cybersecurity by detecting and analysing threats, spotting patterns, and responding to security breaches faster that more common security tools.

Problems like this aren’t restricted to AI either, rather it’s a good example of how difficult it can be to know whether new technologies present threats or opportunities. Modern senior leadership teams need to know enough to spot the difference. For a more detailed discussion about getting the balance right at board level, please contact Zoe Harris on

More by this author