CYBERUK 2026 reinforced a reality many security leaders already recognise: cyber security has outgrown its historical framing as a technical or compliance discipline.
While artificial intelligence (AI), geopolitical instability and ransomware loomed large, the dominant message was not about breakthrough tools or innovation headlines. Instead, discussion converged on a more fundamental shift, from cyber security as control and compliance, to cyber security as trust, preparedness and organisational behaviour.
Takeaway 1 - Cyber security is now a leadership and system problem
Speakers repeatedly positioned cyber security as integral to economic resilience, national security and public trust. Digital systems now underpin critical services and supply chains, meaning failures of cyber security increasingly translate into real-life impact, with their roots often traced back to failures of governance, leadership and culture.
For CISOs and IT Directors, this reframes the challenge. The question is no longer just whether appropriate controls are in place, but whether resilience is being developed alongside growth, and whether their CEOs, CFOs, senior management and Boards accept their accountability rather than simply defer to the CISO. A recurring theme was that growth without resilience is fragile, and organisations that continue to defer fundamentals are increasingly seen not as naïve, but negligent.
Takeaway 2 - The accelerating threat landscape
The scale and pace of cyber threats continue to increase sharply. National figures highlighted a year‑on‑year rise in nationally significant incidents, with adversaries (still) operating at speed across blurred boundaries between criminal, state and geopolitical activity. Machine‑speed attacks were repeatedly cited as a defining challenge for security teams, particularly when contrasted starkly with the bureaucracy that still governs too many response actions.
AI featured strongly here, not as a silver bullet but as a force‑multiplier. CYBERUK speakers were clear that AI has not fundamentally changed what good cyber resilience looks like - core principles of asset visibility, hygiene, segmentation and recovery still apply.
However, AI dramatically amplifies both attacker capability and the consequences of existing weaknesses. Slow decision‑making, fragmented accountability and delayed response models are increasingly misaligned with today’s threat tempo.
Takeaway 3 - From resilience to trust
While resilience remains essential, discussion increasingly framed cyber security as a question of trust. Trust in systems, data, supply chains and institutions, and the ability to demonstrate that trust under stress, were repeatedly emphasised.
This shift is subtle but important. Cyber security is no longer judged solely on prevention, but on preparedness, recovery and assurance. Leaders were encouraged to consider not just whether controls exist, but whether organisations can evidence how risk is understood, managed and acted upon. Regulation and baseline standards were consistently described as foundations, not end‑states, with secure‑by‑design and secure‑by‑default principles highlighted as critical enablers. This affirms one of the conclusions in our latest Global Cyber Policy Radar which found that “global efforts to streamline compliance, reduce administrative burden and focus on demonstrable results over prescriptive checklists may finally herald a shift towards outcomes-based cyber regulation”.
Takeaway 4 - AI, assurance and the risk of false confidence
Leaders also raised the growing assurance gap caused by AI. As AI systems become more embedded, leaders may assume confidence without genuine control. Several discussions highlighted the risk of delegating judgement to systems that are poorly understood, weakly governed or insufficiently challenged.
This intersects directly with cultural risk. Research shared during keynote sessions showed that around 85% of people choose not to raise concerns, often believing it will make no difference. In AI‑enabled environments, that reluctance can be amplified if outputs are perceived as objective or unquestionable. The result is not just technical risk, but organisational blind spots.
For security leaders, the implication is clear: AI systems must be governed, secured and challenged like any other critical asset. Using AI defensively without securing it properly simply relocates risk.
Takeaway 5 - Culture, silence and “wilful blindness”
Perhaps CYBERUK 2026’s strongest message was that many cyber failures are not caused by lack of knowledge, but by silence. Across sectors, incidents often share a common pattern: early warning signs existed, but were fragmented, normalised or ignored.
Highly hierarchical or siloed organisations were repeatedly cited as particularly vulnerable. Where people feel disconnected from outcomes, or believe escalation is futile, risks accumulate unseen. Security, therefore, was positioned as inseparable from psychological safety (the ability and willingness of individuals to speak up when something feels wrong).
Lessons from aviation’s “just culture” were frequently referenced. In safety‑critical sectors, resilience depends on early reporting of weak signals, protection for those who raise concerns, and visible follow‑through when issues are addressed. Cyber security, it was argued, requires the same mindset shift.
Takeaway 6 - Shared responsibility
CYBERUK also reinforced the idea of government and industry operating as one team. This goes beyond information sharing to include closer operational collaboration, faster intelligence exchange and joint development of defensive capabilities, particularly in relation to AI and critical infrastructure.
At the same time, responsibility sits squarely with organisations themselves. Government can set expectations and standards, but it cannot implement cyber hygiene on behalf of the private sector. For boards and executive teams, the message was unambiguous: cyber resilience is a leadership responsibility.
What this means for CISOs and IT leaders
CYBERUK 2026 did not claim to have solved cyber or promise a technological revolution. Instead, it underlined the imperative to act on what is already known.
For CISOs and IT Directors, the outcomes point to three priorities:
- Building resilience as a system, not a silo
- Creating cultures where concerns surface early
- Demonstrating preparedness, not just confidence
What this means for Boards and senior executives
CYBERUK 2026 made clear that senior leaders are now as much a part of the collective cyber response as their CISO and IT colleagues.
Their priorities should very much include:
- Accept accountability for cyber resilience as a core enabler of their organisations’ future growth
- Understand their gaps, blind spots and skills to ensure they are as cyber literate as they need to be today
- Be part of their organisations’ preparedness efforts, whether that means exercising, simulating threat, or rehearsing response and recovery
As several speakers noted, future crises may arrive faster than new capabilities can be built. What we should all ask ourselves is whether we are ready to respond technically and culturally with the capabilities we, collectively, already have.