As the National Cyber Security Centre Annual Review 2025 is released this week, CyberNorth’s Lead for Cyber & FinTech, Jon Holden, gives his thoughts on the document and on how we should respond to it.
The NCSC Annual Review 2025 dropped this week, and let’s be honest — it’s not comfortable reading.
Cyber isn’t just an IT issue anymore. It’s a business issue. A leadership issue. An economic one.
And frankly, it’s about bloody time people started treating it that way.
We’ve seen it this year — Co-op, M&S, Jaguar Land Rover — all hit hard. Empty shelves, stalled production lines, angry customers. These aren’t “cyber incidents.” They’re business stoppages. Real-world pain caused by digital complacency.
204 nationally significant incidents, more than double last year’s figure.
18 classed as “highly significant,” up 50% on last year.
That’s roughly 4% of all the incidents the NCSC handled this year.
And still, too many leaders are treating cyber like a tick-box exercise — something to delegate to the techies while they get back to “the real business.”
It’s exhausting.
Let’s Be Honest — The Hackers Aren’t the Biggest Problem
The bad guys aren’t winning because they’re geniuses.
They’re winning because we keep leaving the doors unlocked.
The tools, guidance and frameworks are already there. The Cyber Essentials requirements, Early Warning, the Cyber Action Toolkit — all free to use.
But week after week, we see organisations still saying “we don’t have time” or “we’ll look at it next quarter.”
I’ve lost count of how many times I’ve heard:
“We’ll do security once the transformation’s done.”
That’s like saying you’ll buy the seatbelts once the car hits 80 mph.
Leaders sign off seven-figure digital projects but won’t approve a five-grand uplift for basic resilience.
They’ll talk endlessly about “innovation” while running unpatched servers from 2015.
It’s not a capability issue — it’s a complacency issue.
And it’s driving every CISO I know up the wall.
Leadership Needs to Get a Grip
The Co-op CEO’s open letter hit me. She owned it. No spin. No excuses. That’s what leadership looks like.
Compare that to the usual “we take security seriously” boilerplate we see after every breach — it’s pathetic.
If your exec team only shows up when you’re breached, that’s not leadership, that’s theatre.
If your CISO can’t get ten minutes on the board agenda, you’re not managing risk, you’re gambling with your reputation.
Cyber security isn’t just about tools and controls — it’s about culture, ownership, and leading from the front.
And that starts with the people at the top actually giving a damn.
Stop Admiring the Problem
Every year it’s the same buzzwords — collaboration, culture, shared responsibility.
Enough already. We know what needs doing.
Patch the damn systems, internet-facing ones first.
Test your backups and prove you can restore from them, from a copy the attacker can’t reach, in a time the business can actually live with.
Run tabletop exercises that actually hurt, with the exec team at the table, not just security.
Invest in your people, not just your tech stack.
And stop hiding behind “awareness fatigue” as if apathy were a strategy.
We don’t need more PowerPoints. We need backbone.
A Call to Arms
To my fellow CISOs, Heads of SecOps, and security leaders — I see you. I know the grind.
We’re tired of explaining the same risks to the same faces every quarter.
We’re tired of being the adults in the room when everyone else wants to play with shiny toys.
But this is where we earn our stripes.
Push harder. Speak plainer. Don’t water it down.
Call out the nonsense.
And when someone says, “That’s not my problem,” make damn sure they understand it will be soon enough.
Here in the North East, we’ve built something different — CyberNorth, CIA Durham, CyberFirst, the clusters, the innovation centres. We collaborate, we share, we get it done. No fluff, no hierarchy, no excuses.
Let’s keep leading from the front and show the rest of the UK what real cyber resilience looks like — built on grit, community, and a healthy dose of honesty.
Final Thought
The NCSC said it best: It’s time to act.
I’ll add this — it’s time to grow up.
Cyber resilience is economic resilience.
Cyber leadership is business leadership.
So stop talking about it.
Stop planning to plan.
And start doing the bloody work.
Because the next attack won’t wait for your steering committee.
The full NCSC Annual Review 2025 is published on the National Cyber Security Centre website.