As the Cyber Assessment Framework v4.0 is released, CyberNorth’s Lead for Cyber & FinTech, Jon Holden, gives his thoughts on why cyber security should now be front and centre for every business.

Cybersecurity isn’t a static discipline—it’s a daily pressure test. Whether I’m wearing my CISO hat or working with organisations across the North East via my role as Cyber & FinTech Lead at CyberNorth, the challenge is the same: how do we stay resilient when the threat landscape never stops shifting?

That’s why the new NCSC Cyber Assessment Framework (CAF) v4.0 is more than a routine update. It’s a timely shift, and one that finally reflects the sophistication of today’s threats, the realities of modern digital infrastructure and the direction we need to be heading.

CAF has already earned its place in the ecosystem. It’s adopted by nearly all UK cyber regulators and sits at the heart of GovAssure. I’ve seen its impact: it gives structure to security conversations, helps translate technical risks for senior stakeholders and offers a credible benchmark for maturity. Where CAF v3.1 was starting to feel behind the curve, CAF v4.0 brings it back to the front.

Here’s why it matters, both to my own team and to the broader CyberNorth community:

Threat-Led Thinking Is Front and Centre

One of the strongest additions is the focus on attacker motivations and methods. For too long, security strategy has been overly control-focused; this version flips the lens. It asks: who’s coming after you, why, and how? It encourages intelligence-led defence, an approach I’m always striving for across our regional networks. This is the move from checkbox cyber to real-world resilience.

Secure Software Gets the Spotlight It Deserves

The inclusion of secure software development is huge. We live in a world run by code, and yet too many orgs still treat security as something to patch later. This framework bakes it in from the start, shifting security “left” and holding teams accountable for building it right, not just fixing it later. It’s a message that will resonate strongly with digital and fintech teams here in the North East.

Better Detection. Smarter Hunting.

CAF v4.0 moves us beyond basic monitoring. Logging is necessary, but it’s not sufficient. The updated guidance pushes us towards smarter detection and proactive threat hunting. This isn’t about flooding your SIEM with noise; it’s about knowing what to look for, where to look and having the confidence to act early.

AI Risk is Finally on the Map

AI is changing everything, from attack automation to deepfakes and decision-making, and CAF v4.0 doesn’t shy away from that. It gives CISOs and tech leaders a starting point for understanding, managing and mitigating the risks associated with AI, which is especially important now, when so many organisations are rushing to deploy AI without fully thinking through the implications.

So What?

For me, this version of CAF isn’t about compliance; it’s about capability. It gives security teams, product owners, boards and business leaders a shared language for building resilience that works in the real world.

At CyberNorth, we’ll be championing this update across the region. Not because we have to but because it’s the right thing to do. It raises the bar in all the right places and gives teams the tools to respond to today’s threats and build stronger systems for the future.

To every CISO, tech leader and board member reading this: don’t treat CAF v4.0 as another set of hoops to jump through. Treat it as an opportunity to step up, because resilience isn’t a nice-to-have anymore; it’s the price of playing in today’s digital economy.

Jon Holden

Cyber & FinTech Lead, CyberNorth