Skip to main content
Cybersecurity

NCSC Warns of Rising Uncertainty, Urges Immediate Cyber Resilience Boost

Cybersecurity team lead contemplates strategy at desk with laptop and papers.

“77% of British organizations suffered a cyber incident over the past year,” ManageEngine reported — a figure the National Cyber Security Centre framed as one sign of a shifting, less predictable battleground that requires immediate action.

Paul Chichester’s assessment of an unpredictable threat landscape

Speaking at Infosecurity Europe on June 2, Paul Chichester, director of operations at the NCSC, said the convergence of rapid technological change, geopolitical uncertainty and evolving adversary behaviour has produced an unusually opaque future for cyber defenders. “Now is perhaps the first time I’m not sure ‘where next?’,” he admitted, adding that “professionally, things are harder than they’ve ever been.”

Chichester described the current environment as one with “a lot of dice and a lot of variables,” and said defenders are struggling to predict outcomes. He highlighted hyper connectivity, rapid technology transformation and increasingly complex corporate IT as specific pressure points that make it harder to understand and manage risk across an organisation’s full tech stack.

ManageEngine data: scale of incidents in the UK

The remark came alongside new data from ManageEngine, which found 77% of British organisations experienced a cyber incident in the past year — a rate the story notes is 11 percentage points above the European average. The statistic was used by Chichester to underscore the practical consequences of the trends he described: attacks and incidents are common and rising in a context of accelerating change.

Hyper connectivity, AI and statecraft: the specific pressures Chichester named

Chichester singled out several forces that defenders must address. He warned hyper connectivity is growing so quickly that it becomes “increasingly difficult for defenders to track and manage across the entire IT estate.”

On technology, he argued the pace of transformation will drive “societal and civilizational changes” and create “vast amounts of uncertainty.” He described corporate IT as becoming more complex: codebases with lifespans of “just weeks or months,” applications that “rewrite themselves,” and artificial intelligence as a disruptive factor. “How many people really understand their entire tech stack from apps down to the hardware?” he asked.

Chichester also warned cyber is being used as a tool for “overt and covert statecraft,” citing the hybrid warfare Russia is waging in Ukraine and what he called “the transnational repression Beijing turns on certain parts of its diaspora” as examples of that trend.

NCSC’s immediate resilience measures and technical priorities

Despite the uncertainty, Chichester issued a series of concrete, tactical prescriptions for organisations to improve resilience. He listed four priority areas:

  • Reducing the attack surface — illustrated by his remark that “it’s hard to use a frontier AI model [as an adversary] if you can’t get to the platform.”
  • Addressing legacy systems and shadow IT — an area where Chichester said frontier AI could help by “democratising” high-performance pen testing and red teaming for all organisations.
  • Access controls, including zero trust approaches and access management — summarised by Chichester’s line that “identity is the root of everything going forward.”
  • Preparing for incidents before they occur — he emphasised incident response exercises as particularly important, saying they could “transform” an organisation’s response posture, “especially at board level.”

His central refrain was practical: uncertainty should not paralyse action. “Uncertainty can be massively disabling and make you wait for certainty,” he said, urging organisations to “get match fit” now rather than wait.

Cyber Security and Resilience Bill, offensive techniques and public-private collaboration

Chichester expressed guarded optimism about the policy and operational environment. He said the NCSC is “really pleased about where the bill is ending up” when referring to the Cyber Security and Resilience Bill (CSRB), adding: “We’re optimistic we’re setting some really powerful standards.”

He also noted a growing acceptance in government of using offensive techniques “to confer costs on our adversaries.” But he warned that government action alone will not be enough, arguing public-private collaboration is essential: “Government can only do so much. It’s a collective endeavor,” he said, urging a stronger partnership between state actors and commercial organisations.

What this means for technologists, policymakers, enterprises, and nation-states

  • Technologists and security teams: Expect to prioritise attack-surface reduction, identity and access controls, and pre-incident exercises; Chichester framed these as immediate, practical steps to manage uncertainty.
  • Policymakers and regulators: The NCSC signalled support for the CSRB and for calibrated offensive options to impose costs on adversaries — measures the centre believes will set “powerful standards.”
  • Affected enterprises and boards: Chichester urged boards to take incident-response exercises seriously, saying those exercises can “transform” an organisation’s posture and elevate preparedness at the leadership level.
  • Nation-states and adversaries: The NCSC highlighted that cyber activity is embedded in statecraft — both overt and covert — and that governments are increasingly prepared to use offensive techniques in response.

Chichester left the audience with a clear, if stark, closing challenge: uncertainty is not a reason to delay. “Don’t wait for certainty, because it’s never coming,” he said. The NCSC’s message at Infosecurity Europe was both diagnostic and prescriptive — name the risks, harden the basics, practise the response, and build cooperation across sectors now.

https://www.infosecurity-magazine.com/news/ncsc-resilience-certainty-is-never/