Professor Buck Rogers, University of Gloucestershire, talks to Grant Powell MBCS about the importance of reframing cyber risk as a leadership challenge.

Cyber incidents are consistently ranked among the top business risks facing UK organisations. Yet many senior leaders still see cybersecurity as an IT problem — something for technical teams to handle quietly in the background.

Professor Buck Rogers, a cybersecurity and digital innovation expert at the University of Gloucestershire, argues that this mindset is no longer sustainable. Having spent decades helping boards understand the real nature of cyber risk, Buck is now heading up a new cyber leadership programme designed specifically for senior decision makers. In this article he explains why traditional training falls short, what cyber-mature organisations do differently, and how leaders can build resilience against the threats they haven’t yet encountered.

How did your career develop into what you do today?

I’ve had quite an unusual career path. I started at 16 in the Royal Navy — which is actually where the nickname ‘Buck’ came from — and from there held senior security roles across military, government, financial services and industry. I’ve been everywhere from the Bank of England and HSBC to BAE Systems. I’ve also worked internationally as a short-term expert for the IMF, including assignments in sub-Saharan Africa. Over the years I’ve spent a lot of time working directly with boards and senior leaders, helping them understand what cyber risk really means for their organisation.

What gap in current senior leadership training prompted the development of this cyber leadership programme?

Almost all cyber education is still aimed at technical specialists, not decision makers. Senior leaders are expected to make strategic decisions about cyber risk, supply chain vulnerabilities, AI-driven threats, you name it... but the training available to them is usually very technical or focused purely on compliance. We wanted to create a programme that treats cybersecurity as a leadership and governance challenge, not an IT problem. Leaders need to understand how cyber risk affects strategy, operations and organisational reputation, and they need the confidence to ask the right questions internally.

How do you translate technical cybersecurity concepts into something that senior leaders can act on?

Cyber professionals talk in terms of vulnerabilities, exploits, attackers and controls. But senior leaders think in terms of risk, investment, resilience and impact. So instead of explaining the mechanics of an attack, it’s important to focus on consequences: how would this affect customer trust? What does it mean for supply chain operations? Would we still be able to function at 2am if this happened? When leaders understand cyber risk in those terms, they can make informed decisions rather than relying entirely on technical specialists.

Is there room for participants to bring their own real-world challenges into the training?

Absolutely. That’s intentional. We hold quarterly face-to-face sessions with guest speakers from across the cyber industry. Those sessions are essentially built around real scenarios participants bring to the table. It’s almost like free consultancy — they bring their worries, and we translate them into something they can understand and act on.

What are the consequences when organisations still treat cybersecurity purely as an IT issue?

Most cyber incidents are actually failures of governance, oversight and resilience, not technology, and yet many businesses are still wholly focused on technology and tools. When leadership isn’t engaged, organisations underestimate risks in areas like supply chains and third-party relationships. When an incident does occur, they’re not just dealing with a technical problem, they’re dealing with operational disruption, reputational damage and potentially regulatory scrutiny. That’s why cybersecurity needs to sit alongside other strategic risks at board level.

What patterns do you see in businesses that handle cyber threats well?

The most cyber-mature organisations share a few common traits:

  • They treat cyber risk as a business resilience issue, not a technical one
  • They understand their dependencies, especially in their digital and supply chain ecosystems
  • They rehearse — they test their response before an incident happens rather than assuming everything will work on the day

Ultimately, the organisations that win are those that can react quickly at 2am, understand what’s critical and avoid those ‘rabbit in the headlights’ moments.

What is the key to becoming a leader who can effectively manage and understand the cybersecurity of their organisation?

It’s all about being able to grow in confidence when it comes to managing cyber risk. Many leaders feel they lack the vocabulary to challenge cybersecurity issues. I’ve sat in boardrooms where you see slides being flicked through without anyone asking a question.

Leaders should be asking better questions, challenging assumptions and engaging with their security teams in an informed way. It’s vital to remember that CEOs don’t need to be technical specialists, but they do need to be informed decision makers. We live in a digital world that’s evolving and becoming more complex all the time, so taking the steps now to gain that confidence and understand security vocabulary is imperative.

You mention the constant evolution of cyber threats. How can leaders prepare for risks they can’t yet see, especially as AI use becomes more prevalent?

You can’t run a cybersecurity strategy based on predicting the next attack — it’s impossible. The threat landscape changes constantly, especially with AI accelerating both scale and speed. Instead, organisations must focus on strengthening governance, understanding critical business dependencies and building adaptable structures. Most attacks still succeed because organisations struggle with basic risk management. It’s always a symmetrical threat: attackers use new tools, defenders adopt new tools. Leaders need to know what questions to ask and what risks to look for.

For leaders reading this article, what three actions can they take away to implement immediately?

First, get into the mindset that cybersecurity isn’t a technology problem, it’s a leadership problem, and leadership problems can’t be patched.

Second, understand your critical processes yourself. Don’t rely entirely on others to tell you what matters.

Third, know exactly how you would respond during an incident: who you would call, what you would prioritise, and how you would maintain continuity.

Do you have any final thoughts for BCS members about improving cyber awareness?

Don’t treat cybersecurity as something that can be solved with new tools alone. This is a leadership and culture challenge. Build the right governance, the right environment and the right mindset. Treat it as a business issue, not a technical one. We spend too much time, as an industry, chasing the next threat and not enough time building organisations that can survive the one we didn’t predict. That’s the real goal.

Buck is cyber expert to the International Monetary Fund, Chief Security Advisor to Cyb3r Operations, Chair of the InfoSec Live Advisory Board, and Professor of Cyber Security and Digital Innovation at University of Gloucestershire. Learn more about the University of Gloucestershire leadership cybersecurity programme.