At a recent leadership discussion, someone asked: “Are we ready for the next disruption?” The answer wasn’t straightforward.

Disruption today doesn’t just come from economic pressure, regulatory change or operational failure. Increasingly, it comes from how well we understand and manage digital risk. The collective ability to protect systems, data and services in an interconnected environment.

And that word collective matters - because is not an IT conversation - it is a governance one.

We know ransomware attacks are increasing. We know threat vectors are expanding. The more important question is why organisations remain exposed despite this awareness.

In housing for example, there is no single dominant cyber threat to point to, no single attack type, no obvious “top risk” to anchor on - and that is exactly the point. Modern threats can enter through multiple, often overlapping vectors:

• Supply chains.
• System and architecture design.
• People and behaviours.
• Data flows and legacy processes.
• Weak control environments.
• Governance blind spots.

These are not technical weaknesses. They are organisational vulnerabilities. Cyber incidents rarely succeed because IT teams fail. They succeed because layers of defence were never designed to work together.

Many organisations still operate with the unspoken assumption that IT “owns” cyber risk. Modern digital protection sits across decision‑making, data sharing, third‑party relationships and everyday behaviours. Technology is simply where the consequences appear.

This creates what I call a digital governance gap: capable technology teams operating within unclear ownership models for digital risk. And when ownership is unclear, accountability becomes blurred.

That is why building a culture of digital protection matters as much as implementing controls. If something goes wrong, regulators and customers won’t ask your supplier to justify decisions, they will ask you.

Good cyber protection means not only understanding what you use, but asking: What risks do we own? What risks do we share? Which risks might we not yet have recognised? Boards do not need to become technical experts - they need to ask better governance questions.

Instead of: “Are we compliant?” - Ask: “Do we understand our most significant digital risks?”

Instead of: “Do we have security controls?” - Ask: “Do we know who owns our critical risks?”

Instead of: “Has IT got this covered?” - Ask: “Where does accountability sit across the organisation?”

The strongest organisations are not those with the most tools; they are those with the clearest ownership.

The shift is cultural. True cyber maturity is not defined by technology alone but by whether leaders talk about digital protection openly and in a way that invites challenge.

In organisations with a strong culture of digital protection, people understand their role in protecting systems and data. Risks surface earlier. Decisions are clearer. Incidents are contained rather than escalated.

Resilient organisations reframe cyber as a leadership responsibility, a governance priority, and a core resilience capability. They move from asking:

“How secure are our systems?” to “How resilient is our organisation?”

Cyber incidents rarely become crises because of technology alone. More often, they escalate because a supplier risk was not fully understood, ownership was unclear, or a risk sat between teams without clear accountability. When cyber incidents do escalate, it is usually because:

• Risks were not visible.
• Ownership was unclear.
• Decisions were delayed.
• Warning signs were missed.

In other words, governance determines resilience.

The housing sector has always understood trust and it sits at the heart of what we do. Digital trust is simply the next evolution of that responsibility.

The sector is ready for this conversation. The next stage of housing governance will be defined not only by how we manage financial risk but by how seriously and clearly, we govern digital risk.

I’m looking forward to contributing to that conversation at the Housing Governance Conference.