A recent death linked to a ransomware attack at a London NHS trust has been a stark reminder that cyber threats have real-world consequences. For many, cybersecurity still feels abstract, full of technical jargon, data breaches and system outages that seem intangible, but the reality today is very different. Cyber attacks aren’t confined to disrupting the unseen digital realm; they’re increasingly threatening the public services and critical infrastructure that keeps society ticking. The LockBit ransomware attack on the NHS 111 service in 2022, for example, forced staff to abandon digital record-keeping and switch to pen-and-paper for as long as a month after discovery, hampering patient care coordination and delaying treatments.
This was more than just data theft and system downtime; it was a clear demonstration that cyber incidents can have a direct impact on human lives. But healthcare isn’t the only sector at risk.
As geopolitical tensions escalate worldwide, cyber attackers are targeting critical infrastructure – power grids, water treatment plants, transport networks – systems that, if compromised, can cause widespread disruption, economic damage, and even public panic. This July also marked 15 years since the Stuxnet attack on Iranian nuclear facilities, a watershed moment that blurred the line between cyber operations and traditional kinetic warfare.
Since then, the landscape has shifted dramatically. The rise of ransomware-as-a-service has commodified cyber weapons, empowering cybercriminals – from sophisticated groups to inexperienced first timers – to launch highly damaging attacks with relative ease. What was once the exclusive domain of elite nation-states is now accessible to a broad range of threat actors.
In response, the role of cybersecurity professionals is evolving at pace. Tomorrow’s leaders won’t just be security managers – they’ll be responsible for protecting public safety, whether they work in banks, national infrastructure, healthcare or many other industries. This profound responsibility demands a new kind of readiness. Yes, technical expertise remains foundational, but so do crisis leadership, clear communication of organisational risks, and cross-sector collaboration. These skills were highlighted by CIISec members in our 2024 State of the Profession survey, which had communications skills as the second most coveted after analytical, thinking, problem solving.
So, how do we prepare for a world where cybersecurity is moving from the abstract into the physical?
First and foremost, we must get the basics right. Strong cyber hygiene, such as asset management, regular patching and rigorous testing of incident response plans, remains the bedrock of resilience, especially in high-risk sectors like healthcare and energy. This includes harnessing the power of people across our own and partner organisations to develop a security positive culture to support us in combatting threats.
Second, we need to come together as a profession. No single organisation or sector can fend off a nation-state threat alone. Sharing threat intelligence, particularly within critical infrastructure, is imperative to building collective defence.
Lastly, we must commit to continuous learning and professional development. Threat actors are constantly evolving their tactics, and so must we. This means sharpening our technical skill sets alongside our judgement, adaptability and strategic thinking.
This is precisely where CIISec is focused – nurturing, recognising and supporting the individuals and organisations entrusted with defending the UK’s most critical systems today and in the years (and decades) to come.
