Read our First Blog in our Resilient Charity Series
Many charities have rightly invested time in developing an IT roadmap. These documents can outline infrastructure upgrades, cybersecurity improvements, and digital transformation initiatives over a defined period. However, a common gap often remains: translating that strategy into something the Senior Leadership Team (SLT) and trustees can meaningfully oversee, measure, and be held accountable for.
This first article in our Resilient Charity Series explores how charities can move beyond technical planning and embed technology into governance frameworks, ensuring that IT strategy directly supports organisational resilience, service delivery, and long-term sustainability.
The Disconnect Between IT Strategy and Governance
An IT roadmap, in isolation, is not enough. Whilst it may provide clarity for internal teams or external providers, it often fails to answer the key questions the SLT and trustees are responsible for. This challenge is reflected across the UK charity sector. Recent findings from the Charity Digital Skills Report show that only 44% of charities have a digital strategy in place, and many of those are not yet embedded into governance or decision-making.
This leaves critical questions unanswered at Executive level:
- What risks does our technology posture expose us to?
- How does IT investment support our charitable objectives?
- Are we spending appropriately, and what outcomes are we achieving?
Without clear answers, the SLT and trustees are left with limited visibility and reduced ability to fulfil their governance responsibilities. Technology becomes a “black box” rather than a strategic enabler.
Translating IT Strategy into Executive-Relevant Metrics
To bridge this gap, charities must convert technical plans into measurable, SLT and trustee-level insights. This involves reframing IT performance into metrics that align with governance priorities rather than operational detail.
1. Align Cyber Risk with the Organisational Risk Register
Cybersecurity should not sit outside the organisation’s formal risk framework. Instead, it must be integrated into the risk register alongside financial, operational, and reputational risks. This is particularly important in the UK charity sector, where cyber threats are both prevalent and often under-governed. According to the UK Government’s Cyber Security Breaches Survey, 30% of charities reported experiencing a cyber security breach or attack in the last 12 months, yet governance and formal risk integration remain inconsistent.
This means:
- Defining cyber risks in business terms (e.g. service disruption, data breach impact)
- Assigning clear ownership and mitigation strategies
- Reporting on risk likelihood and impact in a consistent format
When cyber risk is presented in this way, trustees can evaluate it alongside other strategic risks, rather than viewing it as a purely technical concern.
2. Present Digital KPIs in Plain, Outcome-Focused Language
Technical metrics such as patch compliance or firewall activity rarely resonate at Executive level. Instead, charities should focus on key performance indicators that demonstrate outcomes. This is particularly important given the current digital skills gap at leadership level. The Charity Digital Skills Report highlights that 28% of UK charities rate their boards as having poor digital skills, and only 7% consider them to have excellent digital capability.
Examples include:
- System availability: Percentage uptime of critical services, reported against an agreed target
- Incident response and resolution time: How quickly issues are detected and resolved, and what share are resolved within the agreed target
- User security posture: Phishing simulation results (click rate, which should fall, and report rate, which should rise) or training completion
- Data protection metrics: Backup success rates and the outcomes of restore tests (a backup that has never been restored is not yet evidence of recoverability)
The objective is clarity. The SLT and trustees should be able to understand performance without needing technical interpretation.
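As an added illustration, not part of the original article, the script below turns operational records into the four KPIs listed above and rates each against a target with a simple Green/Amber/Red status, which is the form in which trustees typically see them. All records are constructed for this example; the field names, targets and tolerances are assumptions, not sector standards, and would be agreed by the SLT and trustees in practice.

```python
# Added example (not from the original article): turning operational records into the
# outcome-focused KPIs listed above, each with a RAG status against an agreed target.
# All records are constructed; field names, targets and tolerances are assumptions.
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median

@dataclass
class Outage:
    service: str
    start: datetime
    end: datetime

@dataclass
class Incident:
    ref: str
    detected: datetime   # when the issue was first identified
    resolved: datetime   # when it was closed / service restored

@dataclass
class PhishingResult:
    user: str
    clicked: bool        # followed the simulated lure
    reported: bool       # reported it to IT: the behaviour to grow

@dataclass
class BackupRun:
    job: str
    succeeded: bool
    restore_tested: "bool | None"   # None: no restore test attempted

def availability_pct(outages, services, period_start, period_end):
    """Uptime % per critical service, clipping outages to the reporting window."""
    window_h = (period_end - period_start).total_seconds() / 3600
    down_h = {s: 0.0 for s in services}
    for o in outages:
        if o.service not in down_h:
            continue
        start, end = max(o.start, period_start), min(o.end, period_end)
        if end > start:
            down_h[o.service] += (end - start).total_seconds() / 3600
    return {s: 100.0 * (window_h - h) / window_h for s, h in down_h.items()}

def resolution_metrics(incidents, target_hours):
    """Mean/median hours from detection to resolution, and share within target."""
    hours = [(i.resolved - i.detected).total_seconds() / 3600 for i in incidents]
    return {"mean_hours": mean(hours), "median_hours": median(hours),
            "pct_within_target": 100.0 * sum(h <= target_hours for h in hours) / len(hours)}

def phishing_metrics(results):
    """Report both directions: click rate should fall, report rate should rise."""
    n = len(results)
    return {"click_rate_pct": 100.0 * sum(r.clicked for r in results) / n,
            "report_rate_pct": 100.0 * sum(r.reported for r in results) / n}

def backup_metrics(runs):
    """A successful backup only evidences recoverability if a restore was tested."""
    tested = [r for r in runs if r.restore_tested is not None]
    passed = 100.0 * sum(r.restore_tested for r in tested) / len(tested) if tested else None
    return {"success_rate_pct": 100.0 * sum(r.succeeded for r in runs) / len(runs),
            "restore_tests_run": len(tested), "restore_test_pass_pct": passed}

def rag(value, target, tolerance, higher_is_better=True):
    """Green if the target is met, Amber if within tolerance, otherwise Red.
    No value at all (e.g. no restore test ever run) is Red: absence of evidence."""
    if value is None:
        return "Red"
    if (value >= target) if higher_is_better else (value <= target):
        return "Green"
    return "Amber" if abs(value - target) <= tolerance else "Red"

def board_summary(outages, incidents, phishing, backups, services, period_start, period_end):
    """One row per KPI as (value, status). Targets here are assumed, not prescribed."""
    avail = availability_pct(outages, services, period_start, period_end)
    res, ph, bk = resolution_metrics(incidents, 8), phishing_metrics(phishing), backup_metrics(backups)
    rows = {f"Availability: {s} (%)": (round(v, 2), rag(v, 99.5, 0.5)) for s, v in avail.items()}
    rows["Mean time to resolve (hours)"] = (round(res["mean_hours"], 1), rag(res["mean_hours"], 8, 2, False))
    rows["Phishing click rate (%)"] = (ph["click_rate_pct"], rag(ph["click_rate_pct"], 5, 5, False))
    rows["Phishing report rate (%)"] = (ph["report_rate_pct"], rag(ph["report_rate_pct"], 40, 10))
    rows["Backup success rate (%)"] = (bk["success_rate_pct"], rag(bk["success_rate_pct"], 99, 2))
    rows["Restore test pass rate (%)"] = (bk["restore_test_pass_pct"], rag(bk["restore_test_pass_pct"], 100, 10))
    return rows

# Constructed sample records for one reporting month (January 2025).
D = datetime
PERIOD_START, PERIOD_END, SERVICES = D(2025, 1, 1), D(2025, 2, 1), ["case-management", "donations-portal"]
OUTAGES = [Outage("donations-portal", D(2024, 12, 31, 20), D(2025, 1, 1, 3)),   # straddles window start
           Outage("case-management", D(2025, 1, 10, 2), D(2025, 1, 10, 6)),
           Outage("donations-portal", D(2025, 1, 20, 22), D(2025, 1, 21, 10))]
INCIDENTS = [Incident("INC-1", D(2025, 1, 10, 2, 30), D(2025, 1, 10, 6)),
             Incident("INC-2", D(2025, 1, 20, 22, 15), D(2025, 1, 21, 10)),
             Incident("INC-3", D(2025, 1, 25, 9), D(2025, 1, 25, 9, 45))]
PHISHING = [PhishingResult(f"user{i}", clicked=i in (2, 7), reported=i in (1, 3, 5, 8, 9)) for i in range(10)]
BACKUPS = [BackupRun(f"job{i}", succeeded=i != 4, restore_tested=t)
           for i, t in enumerate([True, True, True, False, None, None, None, None])]

if __name__ == "__main__":
    for kpi, (value, status) in board_summary(OUTAGES, INCIDENTS, PHISHING, BACKUPS, SERVICES, PERIOD_START, PERIOD_END).items():
        print(f"{kpi:<36} {value!s:>8}  {status}")
```

Two design choices matter for governance rather than for the arithmetic: outages are clipped to the reporting window so a month is never credited or penalised for downtime that belongs to another period, and a missing value is reported as Red rather than blank, so that "we have never tested a restore" shows up on the trustees' page as a failure rather than disappearing from it.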
3. Forecast Technology Spend with Financial Context
Technology budgets are often presented as standalone figures, disconnected from broader financial planning. This makes it difficult for the SLT and trustees to assess value or prioritise investment. This challenge is particularly acute in the UK charity sector, where financial pressure directly impacts digital decision-making. According to the Charity Digital Skills Report, 67% of charities cite financial constraints as the biggest barrier to digital progress, with 63% struggling to secure funding for systems and infrastructure.
A more effective approach includes:
- Multi-year forecasting aligned with the IT roadmap
- Clear distinction between operational and capital expenditure
- Demonstration of cost-benefit, including risk reduction and efficiency gains
- Scenario planning for different funding levels
By framing IT spend in financial and strategic terms, charities enable more informed decision-making at board level. In a sector where resources are constrained and scrutiny is high, linking technology investment to financial outcomes is essential for gaining SLT and trustee confidence and securing long-term funding.
Linking Technology to Mission Outcomes
Technology should never be viewed as an isolated function. Its value lies in how it enables the organisation to deliver its mission effectively and securely. This is especially critical in the UK charity sector, where impact and transparency directly influence public trust. Research from the UK Government’s Public Trust in Charities report shows that almost 60% of people report high trust in charities, while 70% say that demonstrating real impact is a key driver of that trust.
For example:
- Reliable systems support uninterrupted service delivery to beneficiaries
- Secure infrastructure protects sensitive data and maintains public trust
- Scalable platforms enable growth without disproportionate cost increases
When leadership teams explicitly connect IT initiatives to these outcomes, the SLT and trustees gain a clearer understanding of why investment matters.
Moving from Technical Planning to Accountable Governance
The shift required is cultural as much as operational. Leadership teams must take ownership of translating technical complexity into governance clarity.
This involves:
- Regular, structured reporting to trustees on IT performance and risk
- Defining accountability for digital outcomes at senior leadership level
- Embedding technology considerations into strategic decision-making
According to the Cyber Security Breaches Survey 2025, only about 27% of UK businesses and 30% of charities have board members or trustees with explicit responsibility for cyber security, and that proportion has been declining in recent years, a clear indicator that accountable governance of digital risk remains underdeveloped.
Ultimately, the SLT and trustees should not need to interpret technical detail to fulfil their role. Instead, they should receive clear, relevant information that enables oversight, challenge, and direction.
Laying the Foundation for Resilience
Resilience in the charity sector is not achieved through technology alone. It is built through the alignment of strategy, governance, and execution.
By converting IT roadmaps into measurable outcomes with SLT and trustee-level insight, charities can:
- Strengthen oversight and accountability
- Improve risk management
- Ensure technology investment delivers tangible value
This foundation is critical for navigating an increasingly complex digital and regulatory landscape.
What Comes Next
In the next article in our Resilient Charity Series, we will explore how charities can build a structured roadmap for implementing Zero Trust principles, balancing security with usability and resource constraints.