Cyber Law, Private Security and Societal Resilience: How UK Legislation Applies to Private Security Companies Supporting Commercial Organisations and Conducting Due Diligence


Opportunities for Professional Development, Cross‑Sector Risk Reduction and the Case for Crisis Resilience as a Shared Societal Responsibility

 

Dr. Paul Wood MBA CSyP ChCSP CiiSCM CIISec FSyl FIoL RSES (Principal)


Introduction

The United Kingdom faces a cyber threat landscape of unprecedented scale and complexity. The National Cyber Security Centre (NCSC) has reported that nationally significant cyber incidents now regularly reach triple digits annually, while an independent study cited by the Department for Science, Innovation and Technology estimates that cyber-attacks cost the UK economy approximately £14.7 billion each year, roughly 0.5% of GDP. High-profile attacks on London hospitals, the Ministry of Defence payroll system, the British Library and Royal Mail have exposed the vulnerability of national infrastructure and the services upon which the public depends.


Within this landscape, private security companies occupy a critical and expanding role. They provide cyber security services, conduct due diligence, manage risk, protect networks and respond to incidents on behalf of commercial organisations across every sector of the economy. Yet the legal and regulatory framework within which they operate has, until recently, been fragmented, outdated and insufficiently demanding. The Cyber Security and Resilience (Network and Information Systems) Bill, introduced to Parliament in November 2025, represents the most significant reform of UK cyber regulation since the NIS Regulations 2018. It brings managed service providers, data centres and critical suppliers within regulatory scope for the first time and signals a fundamental shift towards mandatory resilience, accountability and shared responsibility.


This paper examines how existing UK cyber legislation applies to private security companies supporting commercial organisations; identifies opportunities for these companies to develop their service portfolios in ways that strengthen national infrastructure protection and contribute to societal resilience; and argues that the legislative trajectory, exemplified by the Cyber Security and Resilience Bill, must be accompanied by a transformation in education, culture and individual responsibility if the UK is to achieve genuine cyber resilience. Security is not merely a technical problem to be outsourced to specialists. It is everyone’s responsibility.


The Legislative Landscape for Private Security Companies


The Computer Misuse Act 1990

The Computer Misuse Act (CMA) 1990 remains the primary criminal statute governing unauthorised access to computer systems. Its five principal offences, from basic unauthorised access (s.1, up to two years’ imprisonment) through to unauthorised acts causing serious damage to human welfare or national security (s.3ZA, up to life imprisonment), define the outer boundaries of lawful activity in cyberspace. For private security companies conducting penetration testing, vulnerability research, threat intelligence gathering and incident response, the CMA is both a shield and a sword.


The challenge is that the Act was drafted in 1990 and has been amended incrementally rather than fundamentally reformed. The CyberUp Campaign found that 80% of cyber security professionals have worried about inadvertently breaking the law when researching vulnerabilities or investigating threat actors, and 91% of businesses reported being placed at a competitive disadvantage by the Act’s constraints. Penetration testers and security researchers operate in a legal grey zone: their activities often mirror those of the malicious actors they seek to defend against, and the CMA’s intent-based offences provide limited statutory safe harbour for legitimate defensive research. The Pall Mall Process Declaration (2024) acknowledged the benefit of good faith security research and vulnerability disclosure, but domestic legislative reform has not yet followed. Private security companies must therefore operate with explicit written authorisation, carefully scoped rules of engagement and robust legal advice to ensure their activities remain lawful under the CMA, even when those activities are essential to protecting clients and, by extension, national infrastructure.


The Data Protection Act 2018 and UK GDPR

Private security companies handling personal data in the course of their work, which includes virtually all incident response, forensic investigation and monitoring activity, are subject to the Data Protection Act 2018 and the UK General Data Protection Regulation. These instruments require lawful processing, data minimisation, security by design and breach notification to the Information Commissioner’s Office (ICO) within 72 hours. For security companies conducting due diligence on behalf of clients, the GDPR imposes a dual obligation: they must protect the personal data they encounter during their investigations and they must advise clients on their own data protection obligations as part of the due diligence process. The intersection of data protection law and cyber security practice is an area of significant commercial opportunity and legal risk.


The Investigatory Powers Act 2016

The Investigatory Powers Act (IPA) 2016 governs the interception of communications and equipment interference. While primarily directed at state agencies, it has important implications for private security companies. Companies providing communications monitoring, network surveillance, or lawful intercept capabilities must ensure their activities fall within the statutory framework and do not constitute unlawful interception. The IPA’s provisions also create opportunities: private companies with appropriate capabilities and certifications can support law enforcement and intelligence agencies in their operations and the growing demand for lawful intercept and communications data analytics represents an expanding market for suitably qualified providers.


The Network and Information Systems Regulations 2018

The NIS Regulations 2018 imposed security duties on operators of essential services (OES) in five sectors (transport, energy, drinking water, health and digital infrastructure) and on relevant digital service providers (RDSPs). These regulations established the principle that organisations providing essential services must implement appropriate and proportionate security measures and report significant incidents to their sectoral regulators. For private security companies, the NIS Regulations created both obligations (where they themselves provide digital services) and commercial opportunities (as advisers, auditors and service providers helping clients achieve and maintain compliance). However, the regulations’ scope was narrow, enforcement was inconsistent and incident reporting was inadequate. Regulators have publicly acknowledged learning about major incidents through the press rather than through statutory reporting mechanisms.


The Cyber Security and Resilience Bill: A Step Change


Expanded Scope and New Obligations

The Cyber Security and Resilience (Network and Information Systems) Bill, introduced to Parliament on 12 November 2025 and given its second reading on 6 January 2026, represents a fundamental expansion of the UK’s cyber regulatory framework. For the first time, medium and large managed service providers (MSPs), the companies that manage IT infrastructure, provide cyber security services and hold trusted access across government, critical national infrastructure and business networks, will be directly regulated. Data centres have been designated as critical national infrastructure and brought within scope. The Bill also empowers the Secretary of State to designate critical suppliers and to expand the regulatory perimeter to additional sectors through secondary legislation.


The implications for private security companies are profound. Those providing managed security services, security operations centre (SOC) functions, incident response, or IT management will, for the first time, carry direct legal accountability for their security practices. As one analyst observed, the Bill places more responsibility with the managed security service provider where it normally lies with the enterprise, raising expectations for both parties. The NCSC’s Cyber Assessment Framework (CAF) becomes the expected standard for demonstrating compliance and companies must implement baseline security controls across access management, monitoring and recovery for all services deemed essential.


Incident Reporting and Transparency

The Bill introduces mandatory incident reporting with significantly compressed timelines: regulated entities must notify their sectoral regulator and the NCSC within 24 hours of becoming aware of a significant incident, with a detailed report following within 72 hours. The definition of a reportable incident is broadened to include events that are merely capable of having a significant future impact: for example, the discovery that an unauthorised third party has gained access to a network, even before any disruptive attack has been launched. This represents a shift from reactive to anticipatory reporting and will require private security companies to invest in detection, triage and escalation capabilities that can operate at the speed the legislation demands.


Supply Chain Due Diligence

The Bill’s provisions on supply chain security are particularly significant for private security companies. Regulators will be empowered to require higher security standards of suppliers and to designate specific suppliers as critical where their compromise could cause considerable economic or societal consequences. Organisations relying on external IT or security providers will be required to conduct due diligence and ensure contractual agreements reflect security expectations. This creates a cascade of obligation: operators of essential services must assess their supply chain risk; managed service providers must demonstrate compliance to their clients; and the security companies that support both must provide evidence of their own resilience.


For private security companies, this is simultaneously a regulatory burden and a commercial opportunity. Companies that can demonstrate robust security practices, hold relevant certifications (ISO 27001, Cyber Essentials Plus, SOC 2) and provide verifiable evidence of compliance will be preferred by clients seeking to discharge their own regulatory obligations. Those that cannot will lose contracts and market position. The Bill thus creates a powerful market incentive for the professionalisation and maturation of the private cyber security sector.


Enforcement and Penalties

The Bill introduces turnover-based penalties that fundamentally change the economics of non-compliance: up to £17 million or 4% of global annual turnover for the most serious breaches and daily fines of £100,000 for failure to act against identified threats. The Secretary of State gains powers to issue national security directions to any organisation carrying on essential activity in the UK. These provisions ensure that cyber security is elevated from a technical consideration to a board-level strategic priority and that the cost of inaction exceeds the cost of investment.


Opportunities for Portfolio Development

The evolving legislative landscape creates substantial opportunities for private security companies to develop their service portfolios in ways that simultaneously generate commercial value and contribute to national infrastructure protection and societal resilience.


Due Diligence and Assurance Services

The Bill’s supply chain provisions will drive demand for comprehensive cyber due diligence services. Private security companies are well-positioned to offer supply chain risk assessments, vendor security audits, continuous monitoring of third-party risk posture and assurance services that provide clients with the evidence they need for regulatory compliance. This extends beyond traditional penetration testing to encompass governance, risk management and compliance (GRC) advisory, security maturity assessments mapped to the NCSC’s CAF and ongoing assurance programmes that provide real-time visibility into supply chain risk.


Managed Detection and Response

The 24-hour reporting requirement will accelerate demand for managed detection and response (MDR) services. Many organisations, particularly small and medium enterprises within the supply chains of critical infrastructure operators, lack the in-house capability to detect, triage and report incidents within the statutory timeframe. Private security companies that can offer 24/7 security operations, automated threat detection and rapid incident triage will find an expanding market. The key differentiator will be the ability to integrate technical detection with regulatory reporting workflows, ensuring that when an incident is detected, the client’s legal obligations are discharged simultaneously.


Resilience Planning and Business Continuity

The legislative shift from cyber security (preventing attacks) to cyber resilience (maintaining operations despite attacks) opens a significant portfolio opportunity. Private security companies can develop integrated resilience services encompassing crisis management planning, business continuity and disaster recovery, tabletop exercises and simulations, and post-incident recovery. The CyBOK Law and Regulation knowledge area emphasises that cyber security practitioners increasingly require multidisciplinary expertise spanning technology, law, risk management and organisational behaviour (Carolina, 2021). Companies that can offer this integrated capability, combining technical security with crisis management, legal compliance and organisational resilience, will command premium positions in the market.


Critical National Infrastructure Protection

The Bill’s explicit focus on energy, water, transport, health and digital infrastructure creates demand for specialist security services tailored to operational technology (OT) environments, industrial control systems (ICS) and the convergence of IT and OT networks. Private security companies with expertise in these areas can contribute directly to national infrastructure protection by providing vulnerability assessments, security architecture design, incident response and ongoing monitoring for critical infrastructure operators. This is an area where commercial activity directly serves the national interest and where partnerships between private companies, the NCSC and the National Protective Security Authority (NPSA) can deliver significant public value.


Education, Training and Awareness

Perhaps the most important portfolio development opportunity lies in education and training. The Cyber Security and Resilience Bill imposes obligations on organisations, but organisations are composed of individuals. The ISC2 roundtable on the Bill emphasised that humans are the strongest defence, not the weakest link, provided they receive proper training. Private security companies can develop and deliver cyber awareness programmes, role-specific training, board-level briefings and continuous professional development that build the human capability upon which regulatory compliance ultimately depends. This is not merely a commercial opportunity; it is a societal imperative.


Security as Everyone’s Responsibility: The Case for Shared Obligation


Beyond the Specialist

The current legislative framework, even as strengthened by the Cyber Security and Resilience Bill, places obligations primarily on organisations: operators of essential services, digital service providers, managed service providers and critical suppliers. This is necessary but insufficient. Cyber resilience cannot be achieved by regulation of specialist entities alone if the broader population remains digitally illiterate, security-unaware and passive in the face of threats. The UK Cyber Security Breaches Survey has consistently found that a significant proportion of cyber incidents are enabled by human error: weak passwords, phishing susceptibility, failure to apply updates and poor data handling practices. These are not failures of technology or regulation; they are failures of culture and education.


The Education Imperative

There is a compelling case for legislation that places greater responsibility on all individuals, not just organisations and specialists, to take reasonable steps to protect themselves and others in cyberspace. This does not mean criminalising ignorance, but it does mean embedding cyber hygiene into the fabric of education, professional development and civic life. Cyber security awareness should be taught as a core competency from primary school through to adult education, just as road safety and fire safety are embedded in public consciousness. The Government’s Cyber Action Plan, published in January 2026, signals a move in this direction with its focus on a cross-government Cyber Profession and a Software Security Ambassador Scheme, but these initiatives remain focused on the public sector and the professional community rather than the general population.


Private security companies have both an opportunity and a responsibility to contribute to this educational transformation. They possess the expertise, the threat intelligence and the practical experience to design and deliver training programmes that are engaging, current and relevant. But they also have a commercial interest in a more security-aware society: a workforce that understands phishing, that uses multi-factor authentication, that reports suspicious activity and that takes personal responsibility for digital hygiene is a workforce that is cheaper to protect and easier to insure. The economic case for investing in human capability aligns with the societal case for shared responsibility. The introduction and adoption of Crisis Resilience Professionals across all industries will be critical to achieving societal resilience.


Legislative Development: Towards Universal Obligation

The Cyber Security and Resilience Bill represents an important step, but it is not the final destination. Future legislative development should consider extending obligations beyond regulated entities to encompass a broader duty of care in cyberspace. This could include requirements for directors and senior officers of all companies (not just those in regulated sectors) to demonstrate adequate cyber governance; mandatory cyber awareness training for employees in organisations of all sizes; incentivisation of Cyber Essentials certification through procurement requirements, insurance premium reductions and regulatory benefits; and public education campaigns that frame cyber hygiene as a civic responsibility comparable to public health measures.


The Pall Mall Process Declaration (2024) acknowledged that commercially available cyber intrusion capabilities should not be used in ways that threaten the stability of cyberspace or human rights and that good faith security research benefits cyber security defences. This normative framework, developed at the international level, should be reflected in domestic legislation that empowers individuals and organisations to participate actively in their own defence. The principle of due diligence, well-established in international law as an obligation on states to prevent their territory from being used for harmful cyber operations (Moynihan, 2023; Coco & de Souza Dias, 2021), has a domestic analogue: every individual and organisation that connects to the internet benefits from the shared infrastructure and therefore bears a proportionate responsibility for its security.


Building a Culture of Resilience

Legislation alone cannot create a resilient society. It must be accompanied by a cultural transformation in which security is understood not as a cost centre or a compliance burden, but as a shared value and a condition of participation in digital life. The CyBOK Law and Regulation knowledge area notes that ethical norms might assist in curbing behaviours that abuse positions of trust or present significant risk to the public and that compliance with the law, on its own, may be insufficient to guide practitioners to ethical action (Carolina, 2021). This observation applies with equal force to the broader population: legal compliance is a floor, not a ceiling. What is needed is a positive security culture, one in which individuals take pride in their digital hygiene, organisations compete on resilience rather than merely on price and the security industry sees itself as serving a public interest rather than merely a commercial one.


Private security companies are uniquely positioned to catalyse this cultural shift. Through the services they deliver, the advice they provide, the training they offer and the standards they model, they can demonstrate that crisis resilience is not a burden but a capability, a source of competitive advantage, operational resilience and societal trust. The legislative framework created by the Cyber Security and Resilience Bill provides the incentive structure; the private security sector must provide the leadership.


Conclusion

The legal environment for private security companies operating in UK cyberspace is undergoing its most significant transformation in a generation. The Computer Misuse Act, Data Protection Act, Investigatory Powers Act and NIS Regulations provide the established framework, but the Cyber Security and Resilience Bill fundamentally expands the scope, ambition and enforcement of cyber regulation. For the first time, managed service providers, including the private security companies that protect the UK’s commercial organisations and critical infrastructure, will carry direct legal accountability for their security practices, with turnover-based penalties and national security powers ensuring that non-compliance carries consequences proportionate to the harm it enables.


This legislative shift creates substantial opportunities for private security companies to develop their service portfolios across due diligence and assurance, managed detection and response, resilience planning, critical infrastructure protection and education and training. These are not merely commercial opportunities; they are contributions to national security and societal resilience. The companies that develop integrated, multidisciplinary capabilities, combining technical excellence with legal expertise, risk management and organisational resilience, will both succeed commercially and serve the public interest.


However, the legislative framework will achieve its full potential only if it is accompanied by a broader cultural and educational transformation. Cyber security cannot remain the exclusive province of specialists. It must become everyone’s responsibility: embedded in education from the earliest years, practised by every employee, governed at every boardroom table and understood as a civic duty by every citizen who connects to the internet. The Cyber Security and Resilience Bill provides the regulatory architecture; private security companies can provide the expertise and the leadership; but genuine resilience requires the active participation of the whole of society. In an interconnected world, the security of each depends upon the responsibility of all.

References

Carolina, R. (2021). Law & Regulation. In A. Rashid et al. (Eds.), The Cyber Security Body of Knowledge (CyBOK) (Version 1.1.0, pp. 49–127). Crown Copyright / National Cyber Security Centre.

Coco, A., & de Souza Dias, T. (2021). ‘Cyber Due Diligence’: A Patchwork of Protective Obligations in International Law. European Journal of International Law, 32(3), 771–806.

Computer Misuse Act 1990, c. 18. UK Parliament.

CyberUp Campaign & TechUK. (2020). Reforming the Computer Misuse Act. London.

Data Protection Act 2018, c. 12. UK Parliament.

Department for Science, Innovation and Technology. (2025). Cyber Security and Resilience Bill Policy Statement. UK Government.

Devanny, J. (2020). The Ethics of Offensive Cyber: Reflections on the Role of the National Cyber Force. Foreign Policy Centre / King’s College London.

Georgieva, I. (2020). The Unexpected Norm Setters: Intelligence Agencies in Cyberspace.

Goldsmith, J. (2013). How Cyber Changes the Laws of War. European Journal of International Law, 24(1), 129–138.

Human Rights Act 1998, c. 42. UK Parliament.

Intelligence Services Act 1994, c. 13. UK Parliament.

Investigatory Powers Act 2016, c. 25. UK Parliament.

ISC2. (2025). UK Parliamentary Roundtable on the Cyber Security and Resilience Bill. ISC2 Insights.

Koh, H. (2012). International Law in Cyberspace. Harvard International Law Journal, 54.

Moynihan, H. (2023). Unpacking Due Diligence in Cyberspace. Journal of Cyber Policy, 8(1).

National Cyber Force. (2023). Responsible Cyber Power in Practice. UK Government.

National Cyber Security Centre. (2025). Cyber Assessment Framework (CAF). UK Government.

Network and Information Systems Regulations 2018, SI 2018/506. UK Parliament.

Schmitt, M. (Ed.). (2017). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge University Press.

Tsagourias, N. (2019). The Slow Process of Normativising Cyberspace.

UK HMG. (2024). The Pall Mall Process: Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities. UK Government.

UK HMG. (2026). Cyber Action Plan. UK Government.

Wright, J. (2018). Cyber and International Law in the 21st Century. Speech at the Royal Institute of International Affairs, Chatham House, 23 May 2018.