When the NCSC Says Act Now, Boards Should Listen

The National Cyber Security Centre has issued its clearest warning yet: severe cyber threat is a present condition, not a future risk

7th May 2026 · Blog · AJ Thompson

The NCSC warns UK boards that severe cyber threats are outpacing resilience. This article by AJ Thompson, CCO at Northdoor, responds to the NCSC blog post published 20 April 2026. All threat characterisations are drawn directly from that publication.

Key takeaways:

  • Severe cyber threat is a leadership responsibility, not a technology problem.
  • Resilience means staying operational through disruption, not just preventing attacks.
  • Boards need to understand critical dependencies before an incident, not during one.
  • AI is accelerating attack speed and scale — most strategies have not caught up.
  • The gap between prepared and unprepared organisations is a governance gap.

The context

A gap that is widening, not closing

The NCSC’s Annual Review 2025 identifies a widening gap between the severe cyber threat the NCSC describes, which is rising, and the resilience of UK organisations. Boards and leadership teams should pause on that phrase before moving to the next agenda item. It is not a polite warning from a government agency doing its job. It means that the UK is moving in the wrong direction, despite years of cybersecurity investment across UK organisations.

[Figure: a threat level gauge with the needle at maximum. The arc runs from green at low through orange to dark red at max. The centre reads “Severe” with the label “NCSC · April 2026”.]

The NCSC’s characterisation of what it calls “severe cyber threat” is specific and worth understanding precisely.

This is not the routine cyber activity that every organisation now accepts as background noise. Severe cyber threat refers to highly capable actors, state-aligned and otherwise, whose intent and capability to cause real operational disruption to organisations of national economic significance are increasing. Extended downtime. Significant financial loss. Long-term reputational damage. Risks to public safety and national security.

That last category, risks to public safety, is the one that tends to make board members sit up. Cyber incidents at energy providers, transport operators, healthcare systems, and financial institutions do not stay contained within the organisation. They spread outwards, affecting people who have no visibility of the organisation’s security posture at all.

[Figure: a donut diagram showing four consequences of a severe cyber incident: extended operational downtime, significant financial loss, long-term reputational damage, and public safety and national security risks.]

“The organisations that fare best in severe cyber incidents are those that have put in place the steps needed to withstand and recover from disruption, not simply those that spent the most on prevention.”

The strategic shift: The threat is widening, not slowing

Resilience is not the same as prevention

One of the most important signals in the NCSC’s guidance is the explicit framing of resilience over prevention. This is a meaningful shift in emphasis that organisations need to internalise.

For years, cybersecurity investment has been focused on defence. Build stronger walls, reduce attack surface, detect threats earlier. That work remains essential and should continue. But the NCSC is now saying clearly that prevention alone is not sufficient. Organisations must build the capability to continue operating through disruption, not just to avoid it.

This has practical implications. It means mapping and understanding your most critical systems. Not in theory, but in practice: what would happen if those systems were degraded or taken offline? It means planning how operations would continue if IT or OT systems were unavailable. It means rehearsing defensive actions such as network segmentation, isolation, and system rebuilds under pressure. These capabilities must exist before a crisis, not be built during one.

The NCSC is direct about the cost of inaction. Measures that are complex to implement under normal conditions become impossible to implement under pressure. That is the real risk of inaction. Not that something bad might happen, but that when it does, the organisation will not be able to respond effectively because it never built the capability to do so.

The leadership question

Who owns this in your organisation?

The NCSC frames severe cyber threat explicitly as a leadership responsibility. Not a technology responsibility, not an IT department responsibility. A leadership responsibility. This distinction matters. It changes where accountability sits and what adequate preparation looks like.

Adequate preparation, in the NCSC’s framing, requires clear commitment from the organisation’s leaders. It requires organisation-wide collaboration rather than a security function operating in isolation. It requires engagement with suppliers and partners, because supply chain vulnerabilities are consistently among the most exploited vectors in significant cyber incidents. It requires advance planning. Not reactive planning, but deliberate, rehearsed, tested planning that has been invested in before the pressure arrives.

“When a severe cyber incident hits, it will be too late to start working out roles, responsibilities and decision-making thresholds for the first time. That preparation needs to happen now.”

From a commercial perspective, I would add one further dimension. The CAF is the NCSC’s Cyber Assessment Framework. It provides a baseline for cyber resilience under normal operating conditions. The new guidance specifically asks organisations to revisit those CAF principles through the lens of severe cyber threat. An organisation may satisfy CAF expectations in normal conditions but may not have fully considered how its risk profile and required response would change under sustained, high-capability attack. If that gap exists, it is worth finding and addressing it now rather than discovering it mid-incident.

Three pillars of preparation against severe cyber threat, as set out by the NCSC

Resilience over prevention

Map critical systems. Plan for degraded IT/OT. Rehearse segmentation, isolation and rebuilds. Understand the trade-offs leadership must make.

Prepare before escalation

Complex measures cannot be improvised under pressure. Capabilities, controls, processes, and decision authorities must be built and rehearsed in advance.

Leadership owns this

Clear board commitment. Organisation-wide collaboration. Supplier and partner engagement. Advance planning with tested decision-making thresholds.

Board action checklist – based on NCSC guidance

✦ Map your critical systems
Understand operationally what happens if each is degraded or unavailable, not theoretically, but in practice.

✦ Test current plans under severe conditions
Do business continuity plans hold up if IT and OT systems are simultaneously impaired? Test them before you need them.

✦ Assign ownership of critical decisions
Identify the decisions that would be hardest to make under pressure. Ensure they are owned, understood, and rehearsed.

✦ Engage suppliers and partners
Supply chain is consistently among the most exploited vectors. Resilience requires the whole ecosystem, not just the core organisation.

✦ Revisit the CAF through a severe threat lens
Meeting CAF expectations under normal conditions is not sufficient. Review your risk profile against severe cyber threat scenarios.

✦ Embed learning in resilience plans
Turn guidance into operational readiness. Exercises, tabletops, and rehearsals — not documents that sit on a shelf.

The Northdoor perspective

What this means for organisations we work with

At Northdoor, we work with organisations across financial services, the public sector, healthcare, and critical infrastructure. Many fall within the NCSC’s definition of organisations of national economic significance. The guidance is consistent with conversations we have had with clients over time. It adds urgency and executive-level authority to those discussions.

The organisations we see handling cyber risk most effectively share a common characteristic. They treat resilience as a business continuity question, not a technology question. Their boards understand critical dependencies. Their leadership teams make decisions in advance about the trade-offs they would accept between security and operational continuity under different threat scenarios. Their incident response plans have been tested, and the people responsible for executing them know exactly what their role is.

The organisations most exposed are those in which cyber risk sits primarily with the IT function, where the board receives periodic updates without genuine engagement, and where resilience planning exists on paper but has not been operationalised or tested. The gap between those two positions is not primarily a technology gap. It is a governance gap that leadership decisions can close.

The NCSC’s message is clear, and I think it is correct: the time to close that gap is now, not when an incident is already underway.

AJ Thompson – Personal viewpoint

My take: What I think boards are still getting wrong

The NCSC’s guidance is well-crafted, and its message is correct. But I want to be direct about something that the formal guidance, understandably, does not say: the reason most organisations are not adequately prepared for severe cyber threat is not primarily a lack of information. It is a governance problem. Specifically, the persistent tendency to treat cyber risk as a technology problem rather than a leadership problem.

I sit in conversations with boards and senior leadership teams regularly, and I see the same pattern.

Cyber risk appears on the agenda, presented by the CISO or IT director, acknowledged, and moved past. The board receives assurance that measures are in place, notes that the budget has been approved, and proceeds to the next item. What rarely happens is genuine board-level engagement with what those measures actually protect against, what they leave exposed, and what the organisation would actually do in the first 24 hours of a severe incident.

The NCSC is right that preparation requires clear commitment from the organisation’s leaders. But commitment is a specific thing. It is not approving a cybersecurity budget line. It is not receiving a quarterly update.

It is the board understanding, in operational terms, what the organisation’s critical dependencies are, what the decision-making authorities are under different threat scenarios, and what trade-offs between security and continuity it has already made, so that those decisions do not need to be made for the first time under pressure.

The AI dimension deserves more attention.

The other thing I would add is this: the AI dimension of the NCSC’s warning deserves more attention than it typically receives. The guidance notes that frontier AI risks increasing the speed, scale, and ease of attacks. This is not speculative. AI is already being used to craft more convincing phishing campaigns, to accelerate vulnerability discovery, and to automate attack sequences that previously required significant human skill. The asymmetry between attacker capability and defender readiness is shifting — and it is shifting faster than most organisations’ cybersecurity strategies have adapted to.

The framing change matters

The organisations I see responding most effectively are those where the CEO and board have made a deliberate choice to treat cyber resilience as a strategic business priority — not a compliance function, not a technology investment, but a genuine operational capability that sits alongside financial resilience and business continuity planning as a leadership responsibility.

That framing changes everything: the questions asked, the resources committed, the decisions made in advance.

The NCSC’s message is that the time to act is now. I agree, and I would add that acting now means the board making decisions, not delegating them.

AJ’s key points – summary

1. It’s a governance problem, not a technology problem.
The gap is not primarily about tools or budget. It is about whether boards are genuinely engaged with cyber risk as a leadership responsibility.

2. Board “commitment” needs to be specific.
Approving a budget is not commitment. Commitment means understanding critical dependencies, decision authorities, and trade-offs before an incident, not during one.

3. The AI threat dimension is moving faster than most strategies.
The speed, scale, and ease of attacks enabled by AI are already shifting the asymmetry between attacker and defender. Strategies need to catch up.

4. The framing change is everything.
Organisations that treat cyber resilience as a strategic business priority, not a compliance function, make fundamentally different and better decisions.

5. Act now means the board acting, not delegating.
The NCSC is right. The time is now, and that specifically means board-level decisions, not board-level endorsements of someone else’s decisions.

Assess your resilience against severe cyber threat

Northdoor’s cybersecurity team works with organisations across CNI, financial services, and the public sector to close the gap between governance intention and operational readiness.
