The Cyber Security and Data Protection Theatre at DigiGov Expo 2025 hosted a compelling discussion on cyber resilience and securing the digital frontier. Chaired by Jill Broom, Head of Cyber Resilience at techUK, the panel brought together senior cybersecurity leaders from across government and industry: Nick Hamer, Chief Risk Officer for the Department for Work and Pensions; John Keegan, Head of Digital Security at DWP Digital; Casper Klynge, VP of Government Partnerships at Zscaler; and Breandán Knowlton, Chief Information Security Officer at the Government Digital Service. The session explored the evolving threat landscape, emerging technologies, and practical approaches to building resilience in public sector organisations.
The panel opened with a sobering assessment of the current threat environment. Panellists emphasised that cybersecurity attacks represent one of the most imminent threats facing European countries today, with certain sectors experiencing dramatic increases in incidents. The energy sector, for instance, has seen over 500% year-on-year increases in cyberattacks. The message was clear: no organisation, regardless of size or sector, can afford to assume they won't be targeted.
The discussion highlighted how hybrid warfare is increasing dramatically, with traditional organisations that previously didn't consider themselves primary targets now finding themselves in the crosshairs. Recent high-profile incidents affecting major UK companies serve as stark reminders of this evolving reality.
While artificial intelligence offers significant productivity gains, the panel cautioned against underestimating how AI is simultaneously introducing new attack surfaces. One panellist noted that their organization has seen a 36-fold increase in traffic on cloud systems due to AI adoption, with nearly 70% of that traffic being blocked due to associated risks.
The consensus was that while public sector organizations are rightly focused on leveraging AI for efficiency gains, there's a risk of drastically underestimating the security implications. AI is making it easier for malicious actors to access organisations, requiring different approaches to security and the retirement of legacy infrastructure.
For government departments, the stakes are particularly high. Service delivery organistions emphasised that their customers (the general public) don't care about the increasing complexity of cyber incidents; they care about whether they get paid on time and whether systems work effectively. This creates a challenging balance between adapting to evolving threats and maintaining service resilience.
The panel discussed emerging threats like quantum computing, with organisations already harvesting encrypted datasets today that could potentially be decrypted in the future. This "harvest now, decrypt later" threat adds another dimension to long-term security planning.
A recurring theme throughout the discussion was the importance of defence in depth and zero trust principles. Rather than relying on perimeter defences, organisations are moving toward treating every user and device as an island, with access to applications and data controlled through defined policies.
One panellist illustrated this shift by describing how their organisation has moved 120,000 end users from desktop devices within a "walled garden" to a Windows 11 evergreen estate operating on a zero trust model. Users now sit on the internet rather than corporate networks, working from anywhere while accessing services securely.
The airport analogy was offered to explain zero trust: screening luggage as it passes through, identifying anything suspicious, and allowing the customer to decide whether to proceed; without storing the luggage itself. This approach removes IP address visibility, making it impossible for attackers to target specific users or devices.
Importantly, panellists noted that zero trust architecture can actually reduce costs by eliminating physical devices like routers, VPNs, and firewalls in favour of cloud-based security infrastructure.
While prevention remains important, the panel stressed that organisations must now operate in a "when not if" paradigm. This requires significant investment in response and recovery capabilities rather than solely focusing on prevention.
Practical approaches discussed included:
One panellist emphasised the value of focusing on resilience because it provides tangible results that can be demonstrated to leadership, rather than perpetually asking for investment to prevent something terrible that hasn't happened yet. Resilience exercises reveal exactly what needs fixing and how quickly recovery can occur.
The reality of operating legacy technology alongside emerging systems provoked substantial discussion. One organisation revealed they still have half a billion lines of COBOL code dating back four decades, despite having moved 80% of applications to the cloud and eliminated mainframes.
The challenge is compounded by government's move toward more personalized digital services, which brings legacy code effectively closer to the internet with fewer intervening layers. This increases attack surfaces even as organizations work to modernize.
Panellists stressed the importance of layering protections around legacy systems so attackers must penetrate multiple defences, while simultaneously working on refactoring and replacement where possible. The balance between serving citizens with existing systems while building modern alternatives remains an ongoing challenge.
The skills question generated both pessimism and optimism. Concerns were raised about government's competitiveness as an employer in the cyber sector, with visible salary disparities and policy decisions affecting where and how people work. The reality acknowledged was that government often borrows talent for a period before individuals move to the private sector.
However, the mission-driven nature of public sector work and the scale of challenges provide significant appeal. One department has grown its security team from two or three people to about a hundred over three years, using diverse approaches including apprenticeships and academies to retrain people from other careers.
Importantly, panellists argued that cyber shouldn't be a separate priesthood but rather integrated into all roles. The goal is getting product managers to think about how features can be abused, user researchers to consider adversary motivations, and developers to code defensively. This broader concept of cyber skills—potentially called "soft skills" but representing the hard edge of defence—may be more important than simply hiring more certified cyber professionals.
AI tools are also helping, enabling newer team members to ask questions and learn without constantly requiring senior expert time.
The panel concluded with reflections on the coming 12 months. Expectations included:
The session underscored that while threats are escalating and challenges are significant, practical approaches combining modern architecture, resilience planning, cross-government collaboration, and workforce development provide a path forward. The key is maintaining this focus consistently while balancing the immediate need to deliver services with long-term transformation.
As attendees departed for their break, the message resonated clearly: cyber resilience isn't just about preventing attacks anymore, it's about ensuring that when incidents occur, as they inevitably will, organisations can respond effectively and recover quickly while maintaining the critical services citizens depend upon.