Justin Brooks, Vice President, U.K. & Ireland, Zscaler.
Cyber incidents across the U.K. have prompted a clear and direct response from government and national security authorities. In October 2025, the U.K. government issued a ministerial letter to major company CEOs making it explicit that cybersecurity is no longer solely an IT concern—it is a board-level responsibility.
At the same time, the National Cyber Security Centre (NCSC) reinforced that expectation by aligning its guidance with the Cyber Governance Code of Practice and the Cyber Assessment Framework (CAF). Together, these signals represent a shift in how cyber resilience is expected to be managed across British industry.
The question is no longer whether organizations have security tools in place; it’s whether leadership can demonstrate that cyber risk is being governed, measured and reduced in a systematic way. For CIOs, CISOs and CEOs, the CAF provides a practical structure for answering that question.
A Shift From Technical Guidance To Governance
The NCSC Cyber Assessment Framework evaluates how effectively organizations manage cyber risk. Unlike prescriptive compliance, CAF is outcome-focused: it assesses whether an organization can demonstrate that it manages risk, protects systems, detects threats and minimizes incident impact. These four outcomes have been elevated from technical guidance to a governance expectation, requiring boards to show active management of cyber risk, similar to financial or operational risk. This shift acknowledges the modern reliance on complex digital infrastructure across cloud, global supply chains and OT environments, where cyber incidents can directly disrupt revenue, safety and trust.
While these expectations are emerging from U.K. regulators and security authorities, the underlying governance challenges are not unique to British organizations. Businesses globally are facing similar pressure to demonstrate that cyber risk is being actively governed and operationally contained.
A key area of focus is operational technology (OT). NCSC guidance, such as “Secure Connectivity Principles for Operational Technology,” highlights that the design of connectivity between IT and OT is a front-line cyber defense issue. Systems like manufacturing lines and energy infrastructure are increasingly connected to corporate networks. Without strong identity controls and segmentation, these connections become high-risk pathways into critical systems, a factor in recent high-profile incidents. The traditional perimeter security model, built for a defined internal network, is no longer sufficient given today’s expansive and complex attack surface.
Architectural Alignment: Fulfilling The CAF Objectives
To effectively align with the NCSC’s CAF and strengthen security posture, organizations must integrate the framework’s core objectives into their architectural design. This primarily involves a fundamental shift from network-based trust to identity-based access.
By adopting this modern model, organizations move beyond implicitly trusting users inside the corporate network and instead grant access based on identity, device posture and context, connecting users directly to specific applications. This directly supports the CAF’s expectations for minimizing exposure and enforcing least privilege access, as it drastically reduces the attack surface and inhibits lateral movement between systems.
Furthermore, fulfilling the CAF’s emphasis on evidence and governance requires transforming visibility into a core operational capability. Modern architectures must generate detailed telemetry on traffic flows, application access and user activity. Integrating this data into security operations and monitoring platforms allows executive leadership to gain the crucial insights needed to answer board-level questions about risk exposure, access conditions, detection speed and containment effectiveness.
Finally, organizations must design for containment to meet the CAF’s objective of minimizing incident impact. Since eliminating risk is impossible, the focus shifts to architectural resilience. Environments that enforce strong segmentation and rely on identity-based access naturally limit the blast radius of any compromise.
By restricting an attacker’s ability to move between systems, this architectural containment is the most effective way to reduce operational disruption and protect critical services, ensuring a faster recovery. In essence, meeting the CAF’s requirements is achieved by adopting a modern, identity-centric architecture that maximizes visibility and inherently limits the scope of any breach.
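As an added illustration (not code from the article or from Zscaler), the per-application access decision and governance telemetry this section describes, sketched as a small Python policy engine: every request is judged on identity, device posture and context, never on network location, and the resulting events roll up into the figures a board would ask for. Application names, groups, posture levels and reason codes are constructed placeholders.

```python
from dataclasses import dataclass
from collections import Counter
# Constructed sample policy: each app names the identity groups entitled to it, the
# device posture it requires and whether MFA is needed; access is per app, never per network.
POSTURE_RANK = {"unmanaged": 0, "managed": 1, "hardened": 2}
APP_POLICY = {
    "erp":    {"groups": {"finance"},      "min_posture": "managed",   "mfa": True},
    "ot-hmi": {"groups": {"ot-engineers"}, "min_posture": "hardened",  "mfa": True},
    "wiki":   {"groups": {"staff"},        "min_posture": "unmanaged", "mfa": False},
}
@dataclass
class AccessRequest:
    user: str
    groups: set
    device_posture: str   # "unmanaged", "managed" or "hardened"
    mfa_passed: bool
    app: str
    source_network: str   # recorded for telemetry only; never a basis for trust

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide one request from identity, device posture and context; network
    location is deliberately not consulted, so being on the LAN earns nothing."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown-app"            # default deny
    if not req.groups & policy["groups"]:
        return False, "identity-not-entitled"
    if POSTURE_RANK[req.device_posture] < POSTURE_RANK[policy["min_posture"]]:
        return False, "device-posture-insufficient"
    if policy["mfa"] and not req.mfa_passed:
        return False, "mfa-required"
    return True, "allowed"

def decide(req: AccessRequest, telemetry: list) -> bool:
    """Evaluate and append a structured event for the monitoring platform."""
    allowed, reason = evaluate(req)
    telemetry.append({"user": req.user, "app": req.app, "network": req.source_network,
                      "posture": req.device_posture, "allowed": allowed, "reason": reason})
    return allowed

def governance_summary(telemetry: list) -> dict:
    """Board-level figures: how much access was refused and why, plus each identity's
    reach (the applications it actually got to), which bounds its blast radius."""
    denials = Counter(e["reason"] for e in telemetry if not e["allowed"])
    reached = {e["user"] for e in telemetry if e["allowed"]}
    reach = {u: sorted({e["app"] for e in telemetry if e["allowed"] and e["user"] == u})
             for u in reached}
    return {"requests": len(telemetry), "denied": sum(denials.values()),
            "denied_by_reason": dict(denials), "reach": reach}
```

Note that a staff user on the corporate LAN is refused the OT application on identity alone, which is the lateral-movement limit the section describes.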
A Leadership Responsibility
Cyber resilience is now firmly within the remit of executive leadership. While CIOs and CISOs play a central role in implementing security controls, boards must ensure that cyber risk management is embedded into organizational governance.
For business leaders, the most effective starting point is not technology selection but strategic alignment. That means understanding which services are critical to the organization’s mission, mapping the dependencies that support those services, and ensuring that security controls reduce both the likelihood and the impact of cyber events.
Turning Guidance Into Action
The NCSC’s guidance is not only directed at organizations that received letters from government; it reflects a broader expectation that businesses must treat cyber resilience as a fundamental component of operational stability.
For CIOs and CISOs, the opportunity is to translate these expectations into clear architectural principles that reduce exposure and increase visibility. For CEOs and boards, the challenge is to ensure that cyber risk is governed with the same rigor applied to other enterprise risks. In practice, the organizations that succeed will be those that move beyond perimeter-based assumptions and embrace architectures built around identity, segmentation and continuous monitoring.
In addition to strengthening security, these principles align directly with the outcomes that the NCSC Cyber Assessment Framework is designed to measure. And in today’s threat landscape, that alignment is quickly becoming a defining characteristic of resilient enterprises.