For UK organisations and their global peers, the imperative is clear: move beyond surface-level monitoring and begin to build a comprehensive, context-driven approach to cyber risk.
The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.
Cybersecurity professionals across the United Kingdom face an increasingly complex risk environment. According to the Bitsight 2025 Cybersecurity Survey, nearly 80% of UK organisations report heightened exposure to cyber threats over the past 12 months. The pace of digital transformation—accelerated by cloud migration, remote work models, and AI-driven automation—has expanded attack surfaces faster than many teams can manage.
For financial institutions, this challenge carries amplified consequences. Trust and stability are the cornerstones of the sector, and protecting customers' data and assets is not only a regulatory obligation but also a business imperative. Yet many CISOs report widening skill gaps, budget constraints, and growing difficulty in aligning cybersecurity goals with the broader business strategy.
Key challenges shaping cybersecurity strategy
1. Resource and skills shortages
The most pressing challenge identified by UK cybersecurity professionals is talent scarcity. Over half of respondents cite limited access to experienced professionals in areas such as threat intelligence, incident response, and third-party risk management. As financial institutions continue to modernise their infrastructure, the need for skilled practitioners has never been greater.
2. Increasing regulatory pressure
The regulatory environment is also expanding rapidly. From the Digital Operational Resilience Act (DORA) to the Network and Information Security Directive (NIS2), institutions are navigating a dense web of obligations around governance, resilience, and reporting. While these frameworks are designed to enhance systemic stability, they also require continuous adaptation of cybersecurity programmes, particularly across global supply chains.
3. Third-party and supply chain risk
Nearly 60% of UK cybersecurity leaders highlight third-party risk as a top concern. As financial services increasingly depend on technology providers and outsourced functions, the visibility gap across extended supply chains grows wider. Continuous monitoring and collaborative risk management are now essential to ensure resilience and regulatory compliance.
4. The AI and automation paradox
Generative AI and automation tools have become double-edged swords: while they enhance efficiency and threat detection, they also introduce new vectors of vulnerability. One in three respondents admits to lacking clear policies around AI security governance, underlining the need for organisations to balance innovation with responsibility.
5. Balancing prevention and response
The survey reveals that most CISOs are shifting focus from reactive to predictive security. However, nearly 70% acknowledge that incident response plans remain under-tested. Continuous measurement, scenario simulation, and board-level reporting are becoming standard expectations, yet operationalising these practices remains a challenge.
Turning insight into action
To navigate these pressures, cybersecurity leaders are adopting a set of foundational practices:
As the UK's financial services sector continues to innovate, cybersecurity must remain at the heart of trust, resilience, and growth. By investing in skills, collaboration, and continuous monitoring, organisations can not only protect their customers but also strengthen the foundations of a thriving digital economy.
13.05.26
Stephen Boyer, Co-founder & Chief Innovation Officer, Bitsight