The Shape pathway is for anyone responsible for making strategic decisions or leading organisations at a local, regional or national level (e.g. policy-makers, board-level leaders, chief executives, business owners, directors). This pathway encapsulates the insights from Explore, Embed and Drive. It encourages consideration of how cyber security ideas should be used to shape decisions and actions.
| Read |
In April 2025, the UK government published the results of it’s latest Cyber Security Breaches Survey which reports on organisations’ approaches to cyber security, as well as the different types of threats and attacks that pose the biggest risks. This helpful article summarises some of the key findings from the recent survey. Although written with a social care audience in mind, the content is relevant to any organisation. Link: Cyber Security Breaches Survey 2025: what it means for social care - Digital Care Hub You can also access the full report here: Cyber security breaches survey 2025 - GOV.UK |
| Question |
How can you use the report findings to enhance your organisation’s defence against cyber threats? For example, consider some of the following questions:
|
| Question |
| What do you do in your role to help keep your organisation cyber safe? |
| Read |
Read this article and complete the National Cyber Security Centre (NCSC) Cyber Governance Training which provides valuable guidance to help senior leaders manage and oversee cyber risk effectively. Link: New online training helps board members to govern cyber risk |
| Question |
| Based on the training guidance, what additional steps could you and other senior leaders take to strengthen cyber security across health and social care? Consider how improved cyber‑resilience supports safe, continuous care and helps maintain public trust. |
| Explore Further |
A key resource highlighted in the article is the Cyber Security Toolkit for Boards, which supports effective cyber‑risk governance. For additional tools and exercises, review the Cyber Security Drive Pathway - Step 3: Cyber Security Toolkit |
| Read |
Whilst there are steps you can take as an individual within your role, cyber security should also be treated as a strategic risk with tested plans and a positive cyber security culture across organisations. Audit Scotland have developed a set of key questions that every organisation should be able to answer: Link: Cyber crime: A serious risk to Scotland's public sector |
| Task |
| Consider how these questions could support discussions amongst senior leadership within your organisation. How can they be shared with other senior leaders and what could you do to facilitate a meaningful conversation? |
| Watch |
The National Cyber Security Centre (NCSC) have developed a toolkit for organisation boards. The toolkit hosts a set of resources designed to help board members to govern cyber risk. Made up of nine modules, the toolkit covers the essential components of a cyber resilient organisation: |
| Question |
| Having looked through the toolkit, what needs to be done to encourage it’s use within your organisation? Who do you need to speak to in order to co-ordinate this? |
| Read |
Many of the resources included throughout this level highlight the importance of staff awareness of cyber threats and risks. This article looks at the importance of cyber security training for the workforce, and provides useful suggestions as to how local training can be improved to be more impactful. Although written with NHS staff in mind, the guidance could be applied across any organisation: Link: How to equip NHS staff with cyber security skills they will use |
| Task |
| Use the suggestions in the article to review the current cyber security training available to staff across your organisation. What could be done to improve it’s effectiveness? |
| Read |
Artificial intelligence is becoming increasingly integrated into workplace systems, services and organisational processes. Whilst AI introduces new opportunities and risks, many of the principles required to secure AI are the same principles organisations already use to protect people, systems and information. In this article, Microsoft explores how established cyber security concepts such as Zero Trust, identity management, least privilege access and data governance can help organisations adopt AI safely and securely. The article encourages leaders to think of AI as a highly capable but inexperienced colleague that requires appropriate oversight, permissions and safeguards. Link: Applying security fundamentals to AI: Practical advice for CISOs | Microsoft Security Blog |
| Reflection |
The article argues that AI often exposes existing weaknesses in cyber security, identity management and data governance rather than creating entirely new security challenges. How prepared is your organisation to manage the risks associated with AI-enabled systems and services, and are existing cyber security controls sufficient to support their safe adoption? |
| Explore Further |
| To further develop your understanding of what AI is and how it is shaping the national workforce, consider exploring the Artificial Intelligence Pathway. |
You have now completed the Shape pathway.
You can register to receive our monthly Digital Workforce Update. This will keep you informed when pathway content is updated or new resources are added. You will also receive details of events, news, opportunities and updates from our wider national resources and learning networks.
To share any comments or questions you have about the pathway, please use this Feedback Form. You can also let us know if any of the links aren’t working, or the resources aren’t available.
Click here to go to the homepage