The cyber resilience pledge and why it matters
The UK government has thrown down the gauntlet. At this year’s CyberUK conference in Glasgow, the Security Minister announced a new Cyber Resilience Pledge — a voluntary commitment asking organisations to take three concrete actions:
- Elevate cyber to a board-level responsibility,
- Register with the NCSC’s free Early Warning Service, and
- Require Cyber Essentials certification across their supply chains.
Ministers have written directly to the CEOs and chairs of the UK’s leading companies. The message is clear: cyber security is no longer an IT problem. It’s a boardroom imperative.
The numbers behind the announcement are sobering. A significant cyber attack now costs the average UK business around £195,000. At the same time, the UK’s cyber security sector is growing, with revenues up 11% to an estimated £14.7 billion annually and the number of firms in the space rising 20% to over 2,600 companies. There is no shortage of expertise. What there has historically been a shortage of is board-level urgency.
This pledge attempts to change that. And for what it’s worth, the government deserves credit for framing this not as a compliance exercise but as a competitive differentiator. Organisations that sign up will be listed publicly and held up as exemplars. There’s a reputational incentive here, alongside the practical one. And with the Cyber Security and Resilience Bill progressing through Parliament, the writing is on the wall: voluntary today, expected tomorrow, mandated next.
Cyber resilience starts at the top
At Northdoor, we’ve been saying for years that cyber resilience starts at the top. A CISO without board backing is fighting with one hand tied behind their back. So any initiative that puts cyber on the agenda in the boardroom — not just the server room — is a step in the right direction. The question, as always, is whether organisations will follow through beyond the signature.
A hacker doesn’t care about your pledge
Here’s the inconvenient truth that no government announcement can change: a pledge is a piece of paper. Threat actors, whether state-sponsored groups, ransomware gangs, or opportunistic criminals wielding AI-generated phishing campaigns, do not pause their operations because a company’s CEO has signed a declaration and posted it on the corporate website. They are scanning your unpatched perimeter right now. They are probing your supply chain. They are testing whether your staff will act on a convincing AI-generated message that appears to come from your CFO. No pledge changes any of that.
What changes it is action: patched systems, trained staff, tested incident response plans, and a board that asks the hard questions every quarter, not just when a breach makes the headlines. The Cyber Resilience Pledge is a useful catalyst. But the moment an organisation treats signing it as the finish line rather than the starting gun, it has already lost.
Sign the pledge. Absolutely. But then do the work. Because the hackers certainly are.