At this week’s CyberUK conference in Glasgow, National Cyber Security Centre (NCSC) CEO Richard Horne delivered a stark assessment of the evolving cyber threat landscape, warning that organisations are facing a “perfect storm” driven by rapid advances in artificial intelligence and rising geopolitical tensions. In his keynote, Horne highlighted how emerging technologies are fundamentally reshaping cyber risk, with attackers now able to scale operations faster than ever before. Despite this acceleration, he stressed that many successful attacks still exploit basic security weaknesses such as unpatched systems and legacy infrastructure.
Horne also pointed to the growing role of nation states in cyber incidents, noting that the most serious attacks are increasingly linked to state actors. This shift, he said, cements cybersecurity as a central pillar of modern conflict and national resilience.
A key message from the NCSC chief was the need for organisations to treat cybersecurity as a business-critical capability. Rather than focusing solely on prevention, he urged organisations to embed resilience, adopt new technologies and prepare to operate through attacks.
Industry experts have echoed Horne’s concerns, with many emphasising the widening gap between threat sophistication and organisational readiness.
Jamie Akhtar, CEO and Co-Founder of CyberSmart, said the warning is particularly relevant for the UK’s small and medium-sized businesses.
“The NCSC CEO’s warning is one the small business community needs to hear. When he says frontier AI is now exposing where fundamentals of cyber security still aren’t being addressed, unpatched systems, vulnerable code, ageing infrastructure, that is the lived reality for most of the UK’s 5.5 million SMEs,” he said.
Akhtar added that AI is rapidly shortening the window between vulnerability disclosure and exploitation.
“The gap between a vulnerability being disclosed and being exploited is closing fast, and AI is doing the closing,” he said. “What’s shifted is the economics. AI collapses the cost of finding exploitable weaknesses, meaning smaller organisations are now viable targets in a way they simply were not two years ago.”
He also highlighted the role of managed service providers in raising security standards across SMEs, describing them as “the fastest route to raising” baseline protections in line with Horne’s call for collective responsibility.
Oliver Simonnet, Lead Cybersecurity Researcher at CultureAI, said the keynote underscored the uncertainty facing organisations.
“We are operating in an increasingly turbulent and unpredictable time. From rapid technological changes to shifting geopolitical landscapes, there is a growing need for preparation across many domains, with AI likely to influence all of them,” he said.
Simonnet added that embedding cybersecurity into core business objectives will be essential in the years ahead.
“Embedding cybersecurity into core objectives, rather than frequently treating it as an afterthought, will likely be even more critical if we want to securely navigate what comes next.”
The convergence of technological and geopolitical risks was another key theme picked up by Shane Barney, CISO at Keeper Security.
“The NCSC CEO’s keynote does not describe a single threat to be managed. It describes a convergence,” he said. “Rapid technological change and deepening geopolitical instability are compressing the timeline for organisations to act.”
Barney warned that nation state involvement is already reshaping the threat landscape.
“The majority of nationally significant incidents handled by the NCSC now originate, directly or indirectly, from nation states. Cyber operations are now integral to modern conflict,” he said.
He also pointed to emerging risks such as quantum computing, noting that the “harvest now, decrypt later” threat means organisations must act now to protect sensitive data.
Graeme Stewart, Head of Public Sector at Check Point Software, described the situation as an urgent national challenge.
“At a time of heightened geopolitical uncertainty, the rise of increasingly sophisticated AI-powered cyber attacks and unbreakable ransomware could bring the country to its knees,” he said.
“Large scale hacktivist attacks pose an existential threat to UK PLC, with hostile powers seeking to damage and disrupt core services like the NHS, energy and supply chains.”
Stewart added that the UK’s position as a highly targeted nation makes immediate action essential, calling for cyber resilience to be placed “at the very top of the boardroom agenda”.
Anthony Young, CEO at Bridewell, reinforced concerns around organisational readiness, particularly in the face of nation state threats.
“Fundamentally the majority of businesses are not well prepared for a sustained nation state level attack. Most organisations are still struggling to get basic security controls in place and have full visibility across their estate,” he said.
Young warned that constrained budgets are compounding the challenge, leaving CISOs under pressure to deliver more with fewer resources.
“Cyber security is not a point in time assessment then done. It needs to always be improving and evolving as the threat landscape evolves,” he said.
Reflecting on the broader implications of Horne’s speech, Young added: “If a nation state wanted to undertake a sustained attack on the UK today I would be very worried.”
Horne’s keynote ultimately delivered a clear message. As cyber threats grow in scale and complexity, organisations must move beyond reactive security measures and embed resilience at the heart of their operations.
