Reading the latest House of Commons analysis of NHS spending, a familiar pattern emerges. The debate centres on funding levels — who was generous, who was austere, whether current plans represent continuity or change. For those governing NHS organisations, this framing is increasingly unhelpful.

The real question is not how much money the system receives, but whether it is structurally capable of converting funding into resilience. And that is a question Boards can influence.

The Complexity Ceiling

Analysis of 171 NHS trusts reveals a counterintuitive finding: organisations in the highest resource quartile underperformed the lowest quartile by 9.3 percentage points on mandatory security assessments. The largest trusts — with 4.8 times greater resources — achieved worse outcomes than the smallest.

This “complexity ceiling” emerges because coordination costs in large organisations grow faster than defensive capability. A DSIT study on cyber security in the UK critical infrastructure confirms the constraint is structural: skilled personnel remain unavailable regardless of budget. As one water sector manager put it: “Even if we had all the money in the world, we couldn’t recruit the people we needed”.

The pattern is recognisable in healthcare: capital repeatedly deferred to stabilise day-to-day delivery, transformation programmes launched without reducing baseline workload, and governance structures accumulating initiatives faster than execution capacity allows.

From Compliance to Velocity

If capacity is fixed, the governance question transforms. The goal cannot be to achieve a distant compliance target. It must maximise the rate of security improvement with the available resources.

Consider two organisations. Organisation A achieved 80% maturity three years ago but has since plateaued. Organisation B started at 30% but has progressed steadily to 55%, with established mechanisms for continued improvement. Traditional assessment rewards Organisation A. But in a dynamic threat environment where adversary capabilities continuously evolve, Organisation B’s sustained adaptation capability provides superior protection.

This shift — from state-based to velocity-based governance — has practical implications. Boards should ask not “what percentage compliance have we achieved?” but “what is our improvement velocity?” An organisation improving at 5% quarterly from a 50% baseline demonstrates a better security trajectory than one stagnating at 80%.

The Practical Shift

Healthcare is designated as critical national infrastructure under the NIS Regulations 2018. The 2024 ransomware attack on Change Healthcare — where a single payment intermediary’s failure cascaded across the US healthcare ecosystem — illustrates what infrastructure failure means in practice.

The evidence suggests that the constraint is no longer awareness or intent, but decision-making capacity under load. Systems accumulate commitments and dependencies faster than they can be governed. Additional funding can stabilise performance temporarily — but it cannot restore resilience.

For Boards, this means three things:

1. Constrain work-in-progress. Organisations that limit concurrent initiatives to sustainable capacity complete more than those attempting everything simultaneously. Finishing fewer things faster beats starting many things slowly.
2. Measure trajectory, not position. A trust improving steadily from a lower baseline may be better governed than one static at higher maturity. Ask whether improvement velocity is positive and sustainable.
3. Accept that more money won’t fix this. When skilled personnel are structurally unavailable, the question is not how much resource to allocate, but how to sequence improvements within fixed capacity.

The challenge for Boards is not to secure more resources, but to govern the resources they have toward maximum improvement velocity. In infrastructure terms: resilience is not purchased at the point of crisis. It is built — or lost — in the rate at which organisations adapt.

 

Author

Vsevolod Shabad

Vsevolod is a Fellow of the BCS and a researcher affiliated with the University of Liverpool. He specialises in the behavioural dynamics of security governance and decision-making under uncertainty in safety-critical sectors.

Declaration of Interests

The author declares no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Personal Capacity

The views expressed are those of the author in a personal capacity and do not represent the positions of any organisations.

Generative AI and AI-Assisted Technologies in the Writing Process

During the preparation of this work, the author used Claude (Anthropic) to improve readability and language quality as a non-native English speaker. After using this tool, the author reviewed and edited the content as needed and takes full responsibility for the publication’s content.