The ICO’s Changing Tone on Cyber Security Signals a Long-Overdue Alignment
News and information from the Advent IM team.
Cyber security, data protection, privacy, governance and risk management were never meant to operate as separate worlds. The ICO’s evolving stance reflects a more realistic view of how organisations actually manage risk, protect data and build trust.
There has been a noticeable shift in the ICO’s tone on cyber security, and it is a significant one.
For years, many organisations have treated cyber security, data protection, privacy, governance and risk management as if they were related, but still fundamentally separate, activities. Security was often positioned as a technical matter. Privacy was handed to legal or compliance teams. Risk management became something recorded, reviewed and reported on. Governance sat above it all, sometimes with too little connection to the operational decisions where real exposure was taking shape.
That approach was always flawed.
These disciplines do not simply sit alongside each other. They interact constantly. They shape each other’s effectiveness. They rise and fall together. A weakness in cyber security can become a privacy breach very quickly. Poor governance can undermine even well-designed controls. Superficial risk management can leave organisations exposed while still giving the appearance of order. The neat dividing lines many organisations created between these functions have never reflected how risk behaves in practice.
That is why the ICO’s direction of travel matters.
What we are seeing is a more joined-up understanding of how organisations actually succeed or fail when it comes to protecting information and maintaining trust. Cyber security is not just a technical concern. Data protection is not just a compliance exercise. Privacy is not simply a legal matter. All of them depend on sound governance, clear accountability and mature risk management.
In truth, they always have.
This is where the meeting point between data protection and privacy is really put to the test. Not in a policy library. Not in a training slide. Not in a board paper full of reassuring language. It happens in real operational decisions: how systems are designed, how access is granted and reviewed, how suppliers are assessed, how data is classified, retained and shared, how incidents are escalated, how resilience is built, and how accountability is demonstrated when something goes wrong.
That is where governance becomes tangible.
When organisations separate these responsibilities too rigidly, gaps appear. Those gaps may sit between IT and compliance, between procurement and security, between operations and privacy, or between the board and the teams expected to manage day-to-day risk. They are rarely obvious at first. They often reveal themselves only when an incident occurs, a regulator starts asking questions, or a critical decision is found to have been made without the right people in the room.
This is one of the reasons fragmented approaches are so dangerous. Risks do not queue politely according to department. They move across process, technology, people and third parties without any regard for reporting lines. An operational shortcut can create a privacy issue. A supplier weakness can become a security incident. A security failing can quickly become a regulatory problem. A lack of governance can turn all of the above into a board-level crisis.
The ICO’s evolving position reflects that reality more clearly than before, and that is welcome.
At Advent IM, we have always sat in and between these important functions because we have always understood that they are interrelated. Security governance, risk management, privacy and data protection are not separate conversations that can be joined up later as an administrative exercise. The joining up is the work.
That is why our approach has always focused on the relationships between these disciplines, not just the disciplines themselves. The most serious issues are often not caused by the complete absence of controls. They arise where responsibility is blurred, where assumptions go unchallenged, where risks are logged but not acted upon, and where decisions are made in one part of the organisation without understanding the consequences elsewhere.
Those in-between spaces matter.
They are where a privacy concern is missed because it was viewed as purely operational. They are where a supplier is onboarded without proper assurance because procurement, legal and security were not fully aligned. They are where a technically sound solution creates unnecessary regulatory exposure because no one considered the wider governance implications. They are where risk management can become either a living discipline that drives better decisions, or a paperwork exercise that provides false comfort.
This is why security governance and risk management are so closely connected. Governance provides the structure for accountability, oversight and decision-making. Risk management provides the method for understanding exposure, prioritising response and making proportionate choices. One gives direction. The other gives substance. Remove either, and the organisation starts to rely on guesswork, habit or hope.
Privacy and data protection sit squarely within that same picture. They are not add-ons. They are part of the organisation’s overall control environment, resilience model and trust framework. Treating them as separate may still be common in some places, but it is becoming harder to justify. Regulators are increasingly recognising the overlap. Attackers have always taken advantage of it. Clients, citizens and stakeholders are feeling the consequences when organisations fail to manage it properly.
The practical message for organisations is clear. These functions need to be more closely aligned. Security teams, privacy specialists, compliance leads, operational owners and senior decision-makers need to engage earlier, work more collaboratively and understand how their responsibilities intersect. Controls need to be considered in the round, not in isolation. Risk needs to drive action, not just reporting. Governance needs to be visible in the decisions that shape systems, suppliers and services before problems emerge.
This is not about creating more process for the sake of it. It is about making better decisions, earlier and with clearer accountability.
The ICO’s changing tone suggests that regulatory thinking is moving closer to the reality many organisations have been slow to acknowledge. That is overdue. It is also useful, because the more clearly this alignment is understood, the better chance organisations have of building resilience that is credible, proportionate and sustainable.
Cyber security, privacy, governance and risk were never separate worlds. The sooner organisations stop treating them that way, the stronger they are likely to be.
How Advent IM can help
At Advent IM, we help organisations bridge the gaps between cyber security, privacy, governance and risk management so that controls are not just documented, but understood, aligned and effective in practice. Whether you need support with governance frameworks, risk assessments, security assurance, privacy considerations, supplier assurance or broader resilience planning, we work across the functions that need to come together.
If your organisation is still managing these areas in silos, now is the time to take a fresh look.