Cyber resilience requires more than letters: commentary on the ministerial letter on cyber security

Cyber resilience requires more than letters: commentary on the ministerial letter on cyber security.

We at ADS welcome the Ministers’ clear and timely message. We have long seen cyber security as a board-level issue, and we fully support the call for senior industrial leadership across all sectors to take ownership of cyber resilience in their businesses and throughout strategic supply chains. We are actively leaning in – through the Digital, Cyber and Resilience Group (DCRG) and other ADS special interest groups and councils, through collaboration with the National Cyber Security Centre (NCSC), Ministry of Defence (MOD), Department for Science, Innovation and Technology (DSIT) and other parts of His Majesty’s Government, and through ongoing engagement with the Defence Cyber Protection Partnership (DCPP) – to drive meaningful change and support our members.

Cyber threats are existential risks that can disrupt operations, erode trust, and impact national security. While cross-societal and cross-sectoral awareness is growing, many boards still lack the expertise or frameworks to engage meaningfully with cyber risk. ADS continues to advocate for board-level training, integration of cyber risk into enterprise risk registers, and the appointment of cyber-literate non-executive directors. Cyber resilience must be embedded in governance – not just as a compliance exercise, but as a strategic imperative.

The NCSC’s Early Warning service provides timely alerts about malicious activity. For maximum impact, broader adoption and integration into operational processes and Standard Operating Procedures (SOPs) is needed. Many organisations, especially SMEs, remain unaware of available government guidance and tools. ADS encourages government to consider mandating participation in Early Warning for critical sectors and to invest in outreach and education.

Cyber Essentials is a sensible baseline for supply chain security, but organisations in high-risk environments need more robust protections, such as the Cyber Assessment Framework (CAF) or ISO 27001. ADS continues to urge greater adoption of Cyber Essentials and active participation in ongoing conversations around Secure by Design, Defence Cyber Certification, and enhanced cyber security standards.

Beyond Compliance: Building a Cyber-Resilient Society and what comes next

Cyber resilience is as much cultural as technical. Organisations must foster environments where security is everyone’s responsibility. The UK, like many other nations, faces a significant cyber skills gap, threatening future progress. ADS supports expanding training pathways, apprenticeships, and diversity initiatives like CyberFirst, and calls for these to be scaled and integrated into broader workforce strategies.

Looking ahead, the incoming Cyber Resilience and Security Bill will place new requirements on Critical National Infrastructure (CNI) and managed service providers. The forthcoming National Cyber Strategy refresh will further shape the UK’s approach to cyber resilience. ADS will continue to engage with government and members to ensure our sectors are prepared for these developments. The threats we face are complex, evolving, and transnational. Our response must be equally sophisticated, but also relative to the threat and the target organisations – one tool will not fit all. We must also consider the demands on businesses, especially SMEs, when new and more complex accreditations are imposed upon them. By working together—across sectors, disciplines, and borders – we can build a cyber-resilient UK that is secure, competitive, and prepared for the challenges ahead.

Ultimately, letters alone will not secure our digital future. Cyber resilience demands leadership, investment, and innovation. ADS stands ready to work with government, industry, and the broader supply chain to build a secure, competitive, and resilient UK. We challenge HMG from mid-management, right up to DG and Ministerial level to engage closely with industry, through trade associations like ourselves to coordinate the task at hand.

Useful Resources for the Supply Chain

Whilst this is by no means an exhaustive list, here are some useful resources available to SMEs to support them on their cyber resilience journey. We also encourage companies to explore the capabilities of ADS Cyber Security members, which can be found here.