The UK Public Accounts Committee’s recent report sends a clear and urgent message: cyber threats are evolving faster than defenses can keep up. The digital infrastructure underpinning our critical infrastructure is increasingly exposed—not only due to external threats but because of internal gaps in strategy, capability, and legacy system management.

Replacing outdated technology may be part of the solution, but it’s far from the full picture. We need a fundamental shift in mindset—toward continuous assurance, smarter system design, and a dynamic approach to skills development that anticipates the challenges of tomorrow, not just today.

Beyond ‘build and forget’: cybersecurity as an ongoing commitment

For too long, cybersecurity has followed a static, compliance-driven model—deploy once, tick the box, and move on. In today’s evolving threat landscape, this ‘build and forget’ mentality is no longer viable, if it ever was.

Security must be woven into every stage of design, development, and operations through a Secure by Design approach. With Cyber Physical Systems and enterprise IT environments in constant flux, reassessing security posture regularly ensures defenses remain adaptive and effective.

The UK government has rightly prioritized Secure by Design in its Defending the UK in a Digital World: Cyber Security Strategy 2022–25. Yet, despite this ambition, adoption across sectors remains uneven, with many organizations still relying on outdated risk frameworks and reactive measures—essentially attempting to counter modern threats with legacy solutions.

Cybersecurity must evolve beyond static processes. It requires continuous evaluation, proactive defense, and resilient security strategies to stay ahead of emerging risks.

Legacy systems: balancing risk and progress

Few areas illustrate the tension between innovation and practicality more clearly than legacy systems. Originally built for a different technological landscape, many were air-gapped, manually operated, and completely isolated from external networks—never designed to withstand the level of connectivity and cyber threats seen today.

In pursuit of efficiency and cost reduction, organizations have increasingly networked and remotely managed these systems, often without implementing adequate security safeguards. While this enhances operational flexibility, it also exposes critical infrastructure to new vulnerabilities, opening doors to sophisticated cyber threats.

The solution isn't as simple as replacing old systems outright. The decision to upgrade or extend the life of legacy platforms requires careful cyber risk evaluation, ensuring the right balance of mitigation strategies, isolation measures, and continuous monitoring to maintain security. Organizations must also weigh financial constraints, applying appropriate risk controls to optimize security investments without excessive costs.

Secure by design: a strategic imperative

Secure by Design isn’t just a cybersecurity buzzword—it’s an essential principle for building resilient digital infrastructure. It ensures that an appropriate level of security is built in from the ground up, integrated at every design, development, and operational phase to create adaptable, auditable, and testable systems.

Yet, despite its inclusion in policy frameworks and industry guidelines, implementation is often incomplete or superficial. Many organizations pay lip service to security but fail to embed it across teams and processes, treating it as an isolated function rather than an organizational priority, much like the way many organizations approach health and safety.

Regulation will play a vital role in closing this gap. The upcoming Cyber Security and Resilience Bill is set to improve oversight, enforce stronger standards, and introduce mandatory incident reporting for high-risk sectors. Coupled with enhanced threat intelligence sharing, this legislation could shift cybersecurity strategies from reactive defense to proactive resilience.

Cyber talent: securing the future workforce

Another major challenge in cybersecurity is building a workforce capable of responding to evolving threats. As technology advances, skills become obsolete faster than ever, requiring ongoing investment in cyber capability development.

While direct government hiring plays a role—especially in sensitive security domains—industry partnerships offer a scalable alternative. Specialist organizations, like Thales, are well-positioned to train and upskill professionals through apprenticeships, immersive simulations, and diverse sector exposure, which traditional public-sector roles often lack.

This model provides dual benefits: it equips trainees with experience across various threat scenarios, while also fostering an agile workforce that can quickly adapt to emerging technologies like artificial intelligence and quantum computing. Cybersecurity isn't just about fixing vulnerabilities of the past—it's about anticipating and securing against the threats of the future.

Transparency and collaboration: strengthening cyber resilience

Cybersecurity can no longer be viewed as a standalone issue—threats don’t respect organizational boundaries, and weaknesses in one system can expose an entire network. Transparency, collaboration, and mandatory incident reporting are essential for national security, ensuring vulnerabilities are addressed before they escalate into widespread risks.

Reporting cyber incidents, much like the practice of reporting near misses and accidents in health and safety, strengthens overall resilience. Just as greater visibility has helped organizations reduce safety incidents, increased cyber reporting makes it harder for hackers to exploit gaps, reinforcing defenses before real damage occurs.

The Thales Data Threat Report underscores the growing risks to Critical National Infrastructure (CNI) and highlights the value of compliance: organizations that passed cybersecurity audits had significantly fewer breaches than those that failed. With the Cyber Security and Resilience Bill raising standards, stronger protections for essential infrastructure, including data centers that support AI innovation and national healthcare, will become the norm.

Each unreported cyber-attack is a missed opportunity to refine security strategies. Enhanced visibility into cyber threats improves collective intelligence, allowing organizations to make faster, smarter decisions in the face of emerging risks.

Conclusion: building security for the future

Modern cybersecurity requires more than patching vulnerabilities or checking compliance boxes—it demands a strategic rethink of how systems are designed, maintained, and safeguarded. Understanding how legacy and modern environments interact is key, alongside developing cyber talent that can anticipate and mitigate future risks.

Secure by Design must be the standard, not the exception. With the right balance of policy, proactive security measures, and skilled professionals, organizations can shift from reactive defense to sustainable resilience, ensuring they are prepared for the threats ahead, not just responding to the ones they see today.