Changing your mindset: Cyber security is a contest, not a risk to be managed

June 21, 2026

Key Insights

  • Richard Horne, CEO of the UK's National Cyber Security Centre (NCSC), spoke at the Royal United Services Institute (RUSI) Annual Security Lecture
  • Horne stated that the UK is in an ‘ongoing contest with capable adversaries’
  • UK’s critical national infrastructure has been hit by more than 200 cyber incidents over the past year
  • 75% of those attacks were “believed to be linked to state actors” including Russia, China and Iran
  • AI developments - such as Anthropic’s Mythos - could add to the threat landscape as hacktivists access better tooling

Richard Horne, the CEO of the UK's National Cyber Security Centre (NCSC), gave the annual security lecture to assembled guests at RUSI, a leading security think tank, this week.

Seeking to "provoke thought, reflection, and I hope, discussion," Horne challenged the popular concept that cyber security is just another business risk to be managed to an acceptable level within a stated Board appetite.

"when executives ask ‘when will we be done investing in cyber security?’, the answer is: never!"
Richard Horne, CEO of the UK's NCSC, June 2026

Linking to current sporting events in the soccer World Cup, Horne's message was that organisations and nations must continuously improve their cyber capabilities, act urgently, and build resilience if they are to succeed in an increasingly AI-enabled threat environment.

Competition demands constant development and the margin between winning and losing is rarely fixed.

Playing against another side means striving to meet and exceed the capability and skills of your opposition. Your adversary's position shifts constantly, which demands an ongoing push to improve your own.

"Cyber security is a contest, not a risk"

The speech's most important theme was to challenge conventional thinking.

Many boards and executives treat cyber security as a risk that can be reduced to an acceptable level.

Horne believes this framing is inadequate - cyber security involves active opponents who are constantly improving. There is no end state, no 'good enough', no benchmark level of median capability to reach.

For security teams and management reporting, this new mindset means:

  • Security is a continuous competitive activity, not a compliance exercise to be ticked off
  • Benchmarking against peers is insufficient; a mid-table standing is not good enough
  • The new benchmark to measure is how well you perform against your adversaries when they attack
  • Continuous improvement is essential because attackers are continuously improving

The "near, mid, and far space" model

Horne presented a framework for understanding modern cyber defence as a contest across three interconnected domains - the "near, mid, and far space" model.

Far space is where adversaries play. It requires national intelligence and security operations to actively challenge and disrupt adversaries' activity before they can act.

Mid space is the shared technology ecosystem (think cloud infrastructure, telco networks and open-source software ecosystems), often owned and managed by the private sector.

Supply-chain compromises and attacks against open-source infrastructure are examples of threats operating at scale in this layer, and government-industry collaboration is critical.

Near space is where every organisation manages its own systems and resilience measures - networks, critical business systems, day-to-day operations and recovery capabilities.

This is where the largest amount of defensive effort is required and where organisations have the greatest degree of control over their competitive standing.

Artificial intelligence is a major force multiplier for attackers: it intensifies the existing contest and increases the urgency of improving defences.

Three core capabilities to focus on

Horne identified three essential organisational competencies in his address:

1. Understand

Organisations must improve situational awareness and understand:

  • Their exposure to risk
  • Weaknesses in new and legacy technologies
  • Supply-chain dependencies
  • Which adversaries might target them
  • Where critical business operations rely on fragile technology

2. Defend

Organisations still fail to implement basic controls and need:

  • Strong foundational cyber hygiene
  • Consistent implementation of basic controls
  • Adoption of frameworks such as the UK's Cyber Essentials
  • Advanced defensive capabilities where required
  • Architectures that limit the impact of breaches

3. Respond

Resilience and recovery are strategic capabilities to focus on - not technical afterthoughts. Organisations must be capable of:

  • Maintaining critical operations during attacks
  • Recovering systems at scale
  • Absorbing disruption without catastrophic consequences

We do not have the luxury of time

Horne argued that cyber preparation cannot be deferred because future conflicts are being shaped today.

Adversaries are already pre-positioning themselves inside critical infrastructure - the Volt Typhoon campaign was mentioned as an example of infrastructure-focused intrusion activity.

More than 200 incidents affecting UK critical national infrastructure were recorded over a one-year period, with three quarters of those incidents linked to state actors.

Whilst this reality may sound grim, Horne closed his speech on an optimistic note, pointing to the success of the 90s-era EMV payment-chip standard, whose security has endured for decades despite constant attack.

Why? Because it was designed for continuous adaptation and improvement over the long term with secure-by-design approaches. Vulnerabilities and implementation flaws have emerged, but have been rapidly contained and addressed.

This is the future reality of a cybersecurity contest that many organisations don't yet realise they are now playing, with an opposition that is eager to win.

The takeaway?

Cyber security is not a compliance obligation or a risk to be tolerated - it is an ongoing contest that requires continuous improvement, resilience, collaboration, and urgency.

Read the full speech on the NCSC website.
