Cyber resilience has outgrown the IT department, and policy is racing to catch up. At Infosecurity Europe 2026, Sean Martin and James Morris dig into the UK's Cyber Security and Resilience Bill, the breaches it would not even cover, and why protecting a modern economy now starts in the boardroom.
⬥EPISODE NOTES⬥
From the show floor at Infosecurity Europe 2026, Sean Martin sits down with James Morris, Director of The CSBR (Centre for Cyber Security and Business Resilience) and a former UK Member of Parliament who spent fourteen years in the House of Commons and chaired the All-Party Parliamentary Group for Cyber Security. His work now lives at the intersection of cybersecurity and resilience, translating evidence and expert roundtables into policy that Parliament can actually use.
The conversation opens on a hard problem: legislation moves slowly, and technology does not. The UK's Cyber Security and Resilience Bill has been working through Parliament for fifteen months and may not be operational for the better part of a year, even as AI moves from the margins to the center of national infrastructure. James Morris describes how the government has responded by giving itself powers to designate organizations and sectors as threats emerge, a top-down approach that he argues only works if business is brought along from the bottom up.
What counts as resilience is changing too. For years the word pointed narrowly at critical national infrastructure such as power and rail. James Morris makes the case that resilience now means economic resilience, pointing to high-profile UK breaches at Marks and Spencer and JLR that paralyzed major businesses yet would not be captured by the very bill moving through Parliament. Sean Martin pushes the thread into the supply chain, where the legislation starts to designate critical suppliers for the first time, with new expectations around transparency, incident reporting, and hardening, though financial services sits outside under its own regime.
The closing turn is the one business owners should sit with. Cyber resilience is no longer a peripheral technical task to hand to IT. It is a board-level issue tied to strategy, reputation, and the survival of the organization itself, and the leaders who treat it that way, rehearsing breaches before they happen and planning for the media scrutiny that follows, are the ones positioned to recover.
Resilience, in the end, is not only technical. It is economic, managerial, and political, and getting it right is becoming inseparable from how a modern society protects itself.
⬥HOST⬥
Sean Martin, CISSP -- Co-Founder, ITSPmagazine & Studio C60 | Host, Redefining CyberSecurity Podcast & Music Evolves Podcast | https://www.seanmartin.com/
⬥GUEST⬥
James Morris -- Director, The CSBR (Centre for Cyber Security and Business Resilience); former UK Member of Parliament; former Chair of the All-Party Parliamentary Group for Cyber Security | https://uk.linkedin.com/in/james-morris-obe-787a2b17
⬥RESOURCES⬥
Infosecurity Europe 2026 is taking place June 2-4, 2026 | ExCeL London -- Follow our coverage: https://www.itspmagazine.com/infosecurity-europe-2026-infosec-london-cybersecurity-event-coverage
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
Redefining CyberSecurity Podcast | https://www.seanmartin.com/redefining-cybersecurity-podcast
On Location | https://www.itspmagazine.com/on-location
🥁 🎶 A very big THANK YOU to our Infosecurity Europe 2026 Full Coverage Sponsors: Corelight · Qualys · Sumo Logic 👏 👏 👏
⬥KEYWORDS⬥
sean martin, james morris, infosecurity europe 2026, cyber resilience, cybersecurity policy, cyber security and resilience bill, uk cybersecurity, supply chain security, critical national infrastructure, economic resilience, board level security, csbr, on location, itspmagazine
Redefining Cyber Resilience | An On Location Conversation at Infosecurity Europe 2026 with James Morris, Former UK Member of Parliament
[0:10] Sean Martin: James?
[0:19] James Morris: Hi.
[0:20] Sean Martin: How are you?
[0:21] James Morris: I'm doing good. I'm doing good.
[0:22] Sean Martin: Look at that. It's good to know. It's good to know. We're here in London.
[0:25] James Morris: Absolutely.
[0:26] Sean Martin: Infosecurity Europe 2026. It's a good week to talk about policy and regulation.
[0:33] James Morris: It's always good to talk about policy.
[0:36] Sean Martin: Just ask the business, right? They're spending so much money on policy. It's a serious thing, though. So we're going to get into what's going on here in the UK and Europe, and maybe compare and contrast to other parts of the world if you have some insights on that. And folks who watch and listen to my show know I like to look at the operational and business aspect of cyber, and the impact those things have on the bottom line, ultimately, and how a business and teams are run. So, before we do that, who is James Morris? What are you up to?
[1:11] James Morris: Yeah, so I'm the Director of the CSBR. We are an independent policy center in the UK dedicated to looking at policy at the intersection between cybersecurity and resilience. I'm a former Member of the UK Parliament, so I was a Member of Parliament for 14 years. Among many other things that I did as a legislator, I was the Chair of the All-Party Group for Cybersecurity in the UK Parliament. The remit of the All-Party Group was to bring together parliamentarians on a cross-party basis to talk about issues to do with cybersecurity and resilience for the UK, what needed to happen, and to raise awareness around those issues. I fought five elections in 14 years. I served under five Prime Ministers. After I left Parliament in the last election, we started the CSBR policy center, and we've been focused very much on looking at how the UK should be responding to the cybersecurity and resilience challenge. The UK government has introduced a new Cyber Security and Resilience Bill to the UK Parliament, which is its response to the challenge. And we've been doing a whole bunch of research around cybersecurity in our health system, and around the challenge of skills in the UK for cybersecurity and resilience. We want to influence policy and influence legislation in the UK and internationally.
[2:50] Sean Martin: So that's a big, big swath of stuff.
[2:53] James Morris: Indeed.
[2:54] Sean Martin: From skills to actually making a difference. Let me ask this question. It's hard enough getting multiple parties to come together. And then you have the complexity of what cyber is, and all the things you just talked about. How do you marry those two together? You talked about that intersection. How do you get the language of both to bring people together, and bring it all together?
[3:22] James Morris: Yeah, well, that's the ongoing challenge. What we're interested in is looking at examples of what works, looking at evidence, and coming up with policy ideas, but that then needs to be translated into practical reality. Which means we draw on quite a diverse range of different inputs. We're developing partnerships with academia, with business, with policymakers. The way that we typically work is we have expert roundtables where we draw people together from a diverse background and pose a series of questions, and then we produce policy ideas out of that. And then we go back into the parliamentary community. So, for example, the All-Party Group has representatives from all of the political parties, to try and get some kind of agreement. Not necessarily consensus, but some kind of agreement. Because the thing about cybersecurity and resilience is it's not particularly what you would call ideologically charged. So there aren't massive ideological differences. There might be differences over whether we need tighter or slightly looser regulation, but there tends to be agreement that we need to get some of this stuff sorted out. So we're using that platform to influence debate in Parliament, influence the legislation, and make suggestions about how it might need to change. It's about translating the ideas and what people are saying into practical change, because that's what is required in the environment we're currently operating in. I don't know whether you were hearing it, but the Director of GCHQ, which is the center of the UK Intelligence Services, has been making public statements about the nature of the resilience and security threat the UK is currently facing. When senior members of the intelligence services go out and start making public statements, you know there are some serious issues. So we're operating in the context of a debate where the external threat is very real. It's developing on a daily basis. And our legislation and policymaking community need to respond to that in order to make sure we're hardening our security as much as we can in an extremely complex world. Even over the last 15 or 16 months: 15 months ago there was a change of government in the UK, and an introduction of this new bill. But if you think about the changes that have happened in the world in the last 15 months, technological change, AI becoming much more mainstream, geopolitical tensions around the world, shifting relationships, it's an extremely challenging set of circumstances. And we need to get it right.
[6:18] Sean Martin: How do you balance the change? Obviously the change in technology is a big thing, staying current with it and understanding it well enough to then have a conversation at the policy level, to not get too drawn into the weeds, so you're over-prescribing or over-dictating, and basically paralyzing things?
[6:43] James Morris: Well, I think that's a really good question, and it's at the heart of the balance that needs to be struck. In the UK, our legislative process is a little bit cumbersome. It takes quite a long time to get laws passed. The Cybersecurity Bill was introduced into Parliament 15 months ago, and it's still going through its stages, and it's probably not going to be operational in the UK until eight to 12 months' time. The challenge is, you can't prescribe, because we don't know what the technological developments are going to be. So one of the responses of the government to that challenge is actually accruing power to itself. In that bill, it's given itself quite a lot of power to change the regulations and the laws if something emerges in the future. That's how the government has dealt with the technological uncertainty, by saying, well, we need powers to say if X happens, we're going to designate that organization or that sector, because it poses a real threat to Britain's national security. That's quite a top-down approach. The government giving itself more power to respond makes sense in national security terms, but one of the downsides is that what we also need is a bit more of a bottom-up approach, because we need to make sure business is on side with any of the changes. What we don't want to do is create an enforcement regime that people are just playing, rather than actually implementing the changes required to make them more resilient. So that's the central challenge of the legislation. With this bill going through, you know, we left the European Union, but the bill does bring quite a lot of the EU's cybersecurity legislation into UK law. But it's also very distinctive, because the UK has quite a distinctive position in the geopolitical context. We have a very close relationship with the US on intelligence sharing and on cybersecurity. We've got the AUKUS relationship, which is the international relationship with Australia. And the UK is a permanent member of the Security Council. So we've got some very distinct issues, but we are bringing some of the EU regulations into UK law. So it's quite a complex picture in terms of where the UK sits in the international landscape.
[9:26] Sean Martin: So can you describe what some of the discussions sound like, in terms of what the challenges are that we're facing? How do we write policy to address some of those challenges? And what I'm thinking of here is a simple thing: resilience. What does that mean? You hear a lot of people talk about it. Is it protecting? Is it good detection? Is it response? Is it doing the right thing for the business in the first place? Is it hardening?
[9:47] James Morris: It's probably all those things.
[9:49] Sean Martin: Right, but I think some people pick and choose what works for them.
[10:01] James Morris: I think you're right that, historically, there's been quite a narrowish definition of resilience, because when policymakers talk about resilience, often they're referring to critical national infrastructure defined as power plants, rail systems, and that kind of thing. Whereas what's happening is that our definition of resilience is beginning to change, because resilience is about the underpinnings of a modern economy. So, for example, in the UK over the last year or so, there have been some high-profile breaches in some of our largest companies, like Marks and Spencer and JLR, a big car manufacturer in the West Midlands, all of which had very significant breaches that paralyzed their businesses for a while. And what that prompted was a changed conversation about what we mean by resilience, because those two incidents would not have been captured within this new legislation coming through the UK Parliament, and yet they are fundamental. So I think the definition of resilience has to be more about economic resilience, and the way that cybersecurity and the necessity of hardening our resilience underpins the whole of our economy. That's been an ongoing debate in the policymaking community: when you talk about resilience, we're not just talking about technical resilience. We're talking about something much more overarching than that. Even, slightly off topic, the actual resilience of our political system itself, because the UK has burned its way through political leaders. There are questions about how our democracy works, and about the ability of the UK government to think about long-term issues. Because the thing about cybersecurity and resilience, even though the technology landscape is changing really rapidly, is that it's one of those long-term issues which requires patience and attention over a long period of time. The problem with our political system, not just in the UK, probably in the US and different parts of the world, is that our attention spans are a little bit limited. We want politicians to give us answers today, and we haven't got the investment in patience required to realize some of these long-term policy goals. So that's also a resilience challenge, because we're not going to be able to implement some of the long-term work we need to improve our economic resilience if we don't have a political system that is able to see through the changes we need.
[12:48] Sean Martin: Right. And as you were talking, I was thinking about the supply chain. You talked about a couple of companies that had breaches which impacted a lot of people who serve those companies, and those companies serve others, and obviously imports and exports. It's a huge shake-up if something big happens like that. How do you look at the supply chain, the third-party vendor landscape?
[13:14] James Morris: Well, it's absolutely critical to the resilience of companies large and small. One of the things the bill I've been describing does is start to mandate that certain critical parts of a company's infrastructure can be designated as a critical supplier, with a different regulatory regime. So, for the first time, it's recognizing the importance of supply chains, and the fact that certain critical nodes in a company's supply chain need special designation, and then a special regime around transparency, incident reporting, and hardening. The only thing this bill doesn't do is the following: the UK has one of the most competitive and largest financial services industries in the world, and actually financial services is not part of this bill. Financial services has its own regulatory regime, which raises a bit of a moot point about whether it should be brought into this regime, because the supply chain issue you're describing is particularly pertinent to financial services, which have very complex digital supply chains that can be very vulnerable. But the point I'm making is that there has been a recognition in this legislation that supply chains are important, that companies need to designate and understand their supply chains in much more detail, and be aware of the vulnerabilities, have transparency over where people sit on their supply chain, and understand how those vulnerabilities might impact their business.
[15:01] Sean Martin: So as we wrap here, James, maybe a thought, or some advice to business owners. How should they think about this? How should they prepare? Maybe some tips.
[15:18] James Morris: Yeah. Notwithstanding the legislation, I think it's all about the fact that cybersecurity and resilience is now front and center. It's not a peripheral technical issue that can be dealt with by IT people. It's a boardroom and business owner issue. For larger companies, it's got to be right at the center of how they think about the strategy of their business. CEOs can't just delegate it and think it's going to get sorted out. It's absolutely critical. And then there's the prevention piece: one of the things we're seeing is a lot more prevalence of simulations. I've been involved, for example, in running simulations where we have technical people working through a particular breach that may happen. But the other thing companies need to be aware of is the potential impact on reputation. They're going to have the media crawling all over them asking questions. How do you handle all of that so your business doesn't collapse, so that you have an opportunity, once you've sorted yourself out, to reemerge? So in summary, it's a board-level issue. It's not just a technical issue. It's to do with reputation management, how you handle that whole process, and resilience is technical, but it's also to do with overall managerial resilience and the resilience of the organization itself.
[16:41] Sean Martin: I love it. Well, I'm a nerd for this stuff. I have about 100 questions in my head. Maybe we could have a follow-up chat after the show and dig deeper into some of the things you're working on, and maybe bring some other folks in to have a deeper chat as well.
[16:47] James Morris: Sounds like a good idea.
[16:48] Sean Martin: James, thanks very much.
[16:48] James Morris: Yeah, thanks very much.
[16:59] Sean Martin: Pleasure. Thank you, everybody. Hope you enjoyed this. Stay tuned for more coming from Infosecurity Europe 2026.