
Inside Cyber Security: 4 ways to get company leaders treating cyber resilience seriously
Former logistics company director Paul Abbott used his slot at the East Midlands Cyber Summit to call for cybersecurity to be treated with the same seriousness as health and safety.
He highlighted how current provisions for cyber at many UK businesses reflect a “fundamental governance failure” at board level.
Giving the keynote address at the Summit, Mr Abbott described how, in the company at the centre of his story, the board technically “owned” cybersecurity risk.
Yet the reality was that they lacked the understanding to properly govern it as they would other organisational functions.
Cyber was largely framed as a cost line that had been ticked off once the budget was approved – allowing directors to turn their attention back to day‑to‑day operations.
Mr Abbott said responsibility for security was delegated to the internal IT team and a long‑standing MSP, creating a belief that “we’ve got it covered”. He also suggested several ways that this might be addressed.
Mr Abbott argued that cybersecurity must be elevated to a top‑tier board issue.
It is of such importance that it should sit alongside Health and Safety and the general welfare of employees.
In doing so, cyber would be explicitly owned by the chair, chief executive, or equivalent senior leader.
In his view, simply assigning nominal ownership is not sufficient and directors must recognise that security extends far beyond IT.
Therefore, clarity is required about who is actually taking responsibility.
Mr Abbott draws a direct comparison with health and safety governance.
In doing so, he cited the example of his former company, which employed around 900 staff in physically demanding roles.
Board members undertook an OSHA course designed not to turn them into health and safety managers, but to equip them to lead: identifying key risks, understanding potential personal liability, and making informed policy decisions.
Mr Abbott suggests cyber governance requires a similar cultural shift, giving leaders enough literacy to understand risks and challenge experts productively.
Mr Abbott has identified the role of the MSP partnership as pivotal.
Boards often work with MSPs that they have trusted for many years. However, it is only after an attack that directors realise they didn’t really know how to interrogate their MSPs about what was being done – and whether it was good enough.
Mr Abbott notes that trust is often based on relationship and assumption rather than structured scrutiny.
He now argues that organisations must be able to verify the competence of those in critical roles, and that without sufficient knowledge at leadership level, it is difficult to challenge and gain genuine comfort.
Mr Abbott advocates regular benchmarking and independent verification of MSP performance.
Penetration testing and defence testing should be carried out routinely, with MSPs expected to accept independent assessment without defensiveness.
He warns against focusing solely on price, urging boards to benchmark on security quality, transparency, incident responsiveness, alignment with risk appetite and willingness to undergo external testing.
Mr Abbott also likens the MSP relationship to that with an insurance broker, insisting it should function as a true partnership aimed at designing the right protection, rather than simply extracting fees.
Speaking at the Summit, Mr Abbott also called for structured, ongoing engagement between Boards, IT leaders, MSPs, and other stakeholders.
He says these discussions must be honest, psychologically safe and non‑adversarial, allowing all parties to air concerns and acknowledge gaps.
Mr Abbott’s overarching message is that risk ownership without real understanding amounts to “governance theatre”.
Boards may sign off budgets and appoint experts, yet remain unable to interrogate providers, evaluate disaster recovery capabilities or spot critical vulnerabilities.
Mr Abbott warned Summit delegates that – until leadership teams are informed – they can’t truly rely on their cyber arrangements and their organisations remain exposed.