Cyber Risk: The strategic advantage leaders can’t afford to miss
Written by Helen Barge.
Cyber-attacks are everywhere. With the media headlines full of successful attacks on major household names, and the long-running impact of those attacks, one thing is clear – as leaders, we can’t ignore it. We all need to understand how any lapse in cyber security poses a major risk to our ability to deliver for our clients and customers.
You don’t even need to be the direct target. Supply chain disruption alone can bring you to a standstill – as the Jaguar Land Rover attack clearly demonstrated. If you’re connected, you’re exposed. None of us should consider ourselves impervious to this threat.
And if you feel you’re not an attractive target, or that the IT team can handle everything, it’s worth taking a closer look at the reality of today’s threat landscape.

Cyber security: From threat to strategic advantage
In many organisations, cyber security is often seen as a negative risk. It’s something that usually falls to the bottom of Board agendas (assuming it’s there in the first place), or which fails to garner excitement with leaders.
But, as every risk manager knows, there are two sides to risk. In fact, ISO 31000, the global risk management standard, defines risk as ‘the effect of uncertainty on objectives’.
We’re very familiar with the negative aspect which could impact our objectives. However, unless we understand and take on risk, we restrict our ability to seize opportunities. And without opportunity, progress stalls.
With this in mind, it’s time to move beyond viewing cyber risk solely as a threat. Strong cyber hygiene doesn’t just reduce exposure – it can also unlock meaningful opportunities for the business. Let’s explore how shifting this perspective can create real advantage.
Cyber as a competitive advantage
Larger organisations are understandably tightening the security and resilience of their supply chains. We’ve seen the UK Government write to CEOs of the FTSE 350 companies together with those who deliver Critical National Infrastructure (CNI), advocating the achievement of Cyber Essentials and Cyber Essentials Plus.
These organisations are likely to require their supply chain partners to be, as a minimum, Cyber Essentials certified. Therefore, if you’re in the supply chain for any of these organisations, be proactive and prepare to meet the requirements now, rather than scrambling to meet them under someone else’s deadline.
Better still, strong cyber credentials don’t just help you stay in supply chains. They can help you enter new ones. The data also backs this up – the National Cyber Security Centre reports that 92 per cent of organisations with Cyber Essentials accreditation don’t need to make a cyber insurance claim. That’s not just good security; that’s good business.
As well as looking ‘up’ the supply chain, there are also opportunities with our own suppliers. We’ve all been there – receiving long, complex questionnaires that take hours to complete from clients and customers. So, how do we engage our own supply chains to ensure they are secure and resilient? What happens if they fail? Would we be able to deliver to our clients? Cyber resilience is – first and foremost – a team effort.
Collaboration is key to managing cyber-risk
Some years ago, we were involved in an innovative workshop with a client. The objective was simple: how could the client and key suppliers to their critical business processes become more resilient? Collaboration was the answer. By bringing key groups of people into a room, we:
- Explored the threat landscape
- Spoke in confidence about our concerns
- Discussed solutions openly
- Signposted to organisations that could help
We recognised the group of people in the room supported a critical ecosystem. The result was outstanding, with all parties coming together against a common threat.
The group continues to operate today (albeit in a virtual space) and has expanded its remit from ‘prevent’ to considering ‘recover’ activities, should the worst occur.
Does cyber present an opportunity for you to engage with your supply chain in a different and collaborative way?
Empowering people as our first line of defence
We must move beyond the idea that our people are our weakest link. They are our greatest strength and a crucial line of defence.
At the 2025 International Cyber Expo in London, a simple question was put to a room of around 100 professionals: “How many of you have online cyber training modules?” 75 per cent of the audience raised their hands. The follow-up question then left us all amazed: “How many of you believe this training is effective?” Not one person felt that it was.
We then debated the ‘why’ and the response was simple. Online training can be useful, but nothing beats someone in the organisation explaining face-to-face why cyber security matters. Not just to the business… but to each individual.
A small change in approach – treating staff as an asset rather than a risk – can greatly improve the return on cyber security investment, while also creating better personal and professional engagement with employees.
The impact of legislation on cyber security
Legislation is changing quickly. If you’re part of an organisation that provides IT support or delivers software services, the Cyber Security and Resilience Bill should be on your radar. It has commenced its journey through Parliament in the UK and will serve (rightly) as a wake-up call for many to ‘improve their game’.
If you’re in this sector, now is the time to review your processes and procedures on how you communicate with your clients before the legislation forces you to do so. Of course, if you’re ahead of the legislative requirements, then this may be a great time to shout about this advantage ahead of your competitors.
If you’re a business owner contemplating a sale or a divestment, then now is the time to get your house in order. And just like selling a house, your business will be subject to scrutiny and due diligence. Poor cyber-hygiene will drive that value down. No one wants to buy a liability.
Shifting the cyber conversation: from risk to opportunity
Cyber security is absolutely a risk to organisations and one which cannot be dismissed. But if we’re to engage more effectively with the Board and other leaders, we must start to speak more effectively about the opportunity of cyber risk.
As humans, we often focus on the negative. But, perhaps we should spend a little more time considering what could go right?
If you’re ready to turn cyber security into a source of competitive strength, Howden is the partner you can trust to guide the way. Speak to our specialist team today to strengthen your cyber defences.
About Helen Barge, Principal and Head of Digital Resilience Services
Helen joined Howden Risk Advisory following the acquisition of Risk Evolves, the specialist risk advisory firm she founded in 2015. As Director, she supported organisations in addressing cyber security, data privacy and compliance challenges. Prior to this, Helen spent almost 20 years at IBM UK in senior roles focused on governance, risk assurance and large-scale transformation, alongside earlier experience in financial services and FMCG.
With more than 25 years’ experience, Helen is a highly regarded governance, risk and compliance (GRC) leader, working across sectors including technology, finance, retail and public services. She is known for delivering practical, proportionate and business-focused advice, with expertise spanning cyber and information security, data privacy, risk assessment, business continuity, regulatory compliance and ISO implementation.
Helen is particularly recognised for her clear, no-jargon approach, helping boards and senior leaders navigate complex risk topics and build risk-aware cultures. She is a regular industry speaker and an advisory panel member for the West Midlands Cyber Resilience Centre.
