Cyber – Threat or Opportunity?

In this article, Helen Barge (Principal-Senior Risk and Resilience Consultant at Barnett Waddingham) challenges the traditional narrative that cyber security is simply a negative risk to be managed and instead invites leaders to see it as a strategic opportunity.

Drawing on real-world examples, government direction, supply chain realities, behavioural insights and emerging legislation, the article explores how strong cyber hygiene can protect organisations while also unlocking commercial advantage, strengthening partnerships, engaging people more effectively and enhancing organisational value. Thought-provoking and practical, it reframes cyber from a boardroom burden into a catalyst for resilience, collaboration and growth—making a compelling case for why leaders should rethink how they talk about, invest in and leverage cyber security.

(January 2026)

With the media headlines full of successful cyber-attacks on major household names, and the long-running impact of those attacks, it’s clear that, as leaders in our organisations, we should all understand that cyber security poses a major risk to our ability to deliver for our clients and customers.

Whether we are impacted directly or indirectly through supply chain disruption (as so painfully evidenced during the Jaguar Land Rover attack), none of us should consider ourselves impervious to this threat. Those who believe they are not an attractive target for an attack, whether externally or internally motivated, are sadly misguided. Similarly, those who think ‘the IT team take care of all of that’ or that ‘they have nothing that would be of interest to an attacker’ are misinformed.

Cyber security is often seen as a negative risk within our organisations, something that falls to the bottom of Board agendas (assuming it’s there in the first place) or which fails to garner any excitement with leaders.

As every Risk Manager knows, there are two sides to the risk coin. In fact, ISO 31000 defines risk as ‘the effect of uncertainty on objectives’. We’re very familiar with the negative aspect, which could adversely affect our objectives. However, unless we take risk, we restrict our ability to seize opportunities that may help us to achieve our objectives. With this in mind, is it time that we stop thinking about cyber risk purely as a negative and begin to describe the upsides and opportunities which good cyber hygiene may present?

Sounds mad? Let’s explore this in a little more detail.

We know larger organisations are understandably focusing on the security and resilience of their supply chains. We’ve seen the UK Government write to the CEOs of the FTSE 350 companies, together with those who deliver Critical National Infrastructure (CNI), advocating the achievement of Cyber Essentials and Cyber Essentials Plus. These organisations are therefore likely to pass down their supply chains the requirement for partners to be, as a minimum, Cyber Essentials Certified. Therefore, if you’re in the supply chain of any of these organisations, it makes sense to be proactive and prepare to meet the requirements now rather than be placed under pressure to achieve them within a timeframe imposed upon you. Similarly, aside from keeping you in your current supply chain, certification has the potential to open up opportunities in other supply chains. Equally, data from the National Cyber Security Centre identifies that 92% of companies with Cyber Essentials do not have a need to make a claim on their cyber insurance, making attainment good business sense.

As well as looking ‘up’ the supply chain, there are also opportunities with our own suppliers. I’m sure many of us have received long complex questionnaires that take hours to complete from our own clients and customers. So, how do we engage our own supply chains to ensure they are secure and resilient? What happens if they fail? Would we be able to deliver to our clients?

Some years ago, I was involved in an innovative workshop with a client. The objective was simple: how could my client and the key suppliers to their critical business processes become more resilient? Collaboration was the answer. By bringing key groups of people into a room, we explored the threat landscape, spoke in confidence about the concerns, discussed openly the solutions, signposted to organisations that could help and recognised the group of people in the room supported a critical ecosystem. The result was outstanding, with all parties coming together against a common threat.

The group continues to operate today (albeit in a virtual space) and has expanded its remit from ‘prevent’ to considering ‘recover’ activities, should the worst occur. Does cyber present an opportunity for you to engage with your supply chain in a different and collaborative way?

Touching on behaviours, we must move beyond the idea that our people are our weakest link and reposition this in a more positive light – they are also our greatest asset and a crucial line of defence.

Education is key, but positioning this in a meaningful context is critical. I had the pleasure of joining a panel at the International Cyber Expo in London. A question was posed to the audience of approximately 100 people: ‘How many of you have online training modules?’ 75% of the audience raised their hands. The follow-up question left us all amazed: ‘How many of you believe this training is effective?’ Answer? Not one person felt that their training was effective. We understandably then debated the ‘why’ and the response was simple: whilst there is some great online training, there’s no substitute for someone in the organisation explaining, in person and not on a video, why cyber security is important for the business and, more importantly, why it’s important to the individual. A simple change in approach, emphasising that staff are an asset and not a liability, has the potential to make the investment in cyber security deliver a far greater return on investment at the same time as providing an opportunity to engage with staff at both a personal and professional level.

Legislation is changing quickly. If you are an organisation that provides IT support or delivers software services to clients, the Cyber Security and Resilience Bill that has commenced its journey through Parliament in the UK will serve (rightly) as a wake-up call for many to ‘improve their game’. If you’re in this sector, now is the time to review your processes and procedures on how you communicate with your clients before the legislation forces you to do so. Of course, if you’re ahead of the legislative requirements, then this may be the opportune moment to shout about this advantage ahead of your competitors!

If you’re a business owner contemplating a sale or a divestment, then now is the time to get your ‘house in order’. Just like selling a house, your business will be subject to scrutiny and due diligence. Poor cyber hygiene will drive that value down – no one wants to buy a liability.

If you’re in an organisation that is pushing the boundaries of security, which actively engages with its people, has strong processes, effective technology and an engaged Board, then celebrate this and use it as part of an effective communications strategy. This maturity should be used to enable different conversations with stakeholders.

To conclude, cyber security is absolutely a risk to organisations and one which should not be dismissed. Yet, if we’re to engage more effectively with the Board and other leaders in our organisations, we must start to speak more effectively about the opportunity and upside that may exist. As humans, we have a propensity to focus on the negative – perhaps we should spend a little more time considering the positives.

This is a personal blog post. Any opinions, findings, conclusions or recommendations expressed in this article are those of the authors and do not necessarily reflect the view of the Centre for the New Midlands or any of our associated organisations/individuals.

ABOUT OUR AUTHOR:

Helen Barge has had the honour of helping hundreds of organisations thrive through uncertainty.

After working in the IT industry for more than two decades, she saw first-hand how complex and inaccessible compliance and risk management could be. So, in 2015, Helen launched Risk Evolves to ensure businesses, regardless of their size or sector, could access the tools needed for their short- and long-term success.

More than a decade on, Risk Evolves has grown into a multi-award-winning consultancy with a global client base. But she doesn’t do it alone. Helen is surrounded by a team of experts who share her belief that businesses should be a force for good. This is why Risk Evolves joined forces with Barnett Waddingham to enhance their client risk support.

Together the team are dedicated to providing knowledge, tools and skills in:

● Cybersecurity, data protection and GDPR
● Training, education and ISO compliance
● Business continuity and risk management
● ESG and sustainability
● Supply chain management
● And much more.
