Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed

The DSIT Cyber Governance Code of Practice consultation (Jan 2024) proposed five principles for boards: risk management, strategy, people, incident response, and assurance. But it left key gaps: no incentives, little for SMEs, no professional recognition, and weak thinking on assurance. This article argues the consultation was historic, but incomplete — a foundation that required sharper, practitioner-led input.

Introduction

When the Department for Science, Innovation and Technology (DSIT) launched its consultation on the proposed Cyber Governance Code of Practice in January 2024, the questions looked straightforward. Do you agree with these principles? What’s missing? How should they be delivered?

But behind those questions sat something bigger: a signal that government was ready to make directors personally responsible for cyber resilience — potentially even embedding it into company law. That was the real shift. This wasn’t about patching servers or updating policies. It was about governance, liability, and culture at the very top of UK organisations.

The Five Principles

The draft Code was organised around five principles, each with a set of questions aimed at boards and directors.

Risk Management

Boards were asked to identify critical assets, integrate cyber into enterprise risk management, define risk appetite, and oversee supplier assurance. This was the clearest indication that cyber was no longer to be left in the IT silo.

Strategy

Directors were asked to embed cyber into organisational strategy, allocate resources appropriately, and monitor outcomes. In effect, DSIT was saying: cyber is not an afterthought, it is a strategic driver.

People

This principle landed heavily: directors themselves were expected to take cyber literacy training and promote cultural change across the organisation. In other words, accountability was now personal.

Incident Planning and Response

The consultation made clear that cyber incidents are not “if” but “when.” Boards were asked to oversee planning, test it annually, and take responsibility for regulatory obligations and crisis communications. This was a deliberate attempt to move cyber incidents out of the technical back-office and into the boardroom.

Assurance and Oversight

Finally, DSIT proposed that cyber should be built into governance structures: quarterly reporting, clear executive ownership, integration into audits, and consistent oversight. This was about putting cyber resilience on the same footing as financial governance.

What Was Missing

Even at the consultation stage, the gaps were clear.

  • Incentives: There was no serious discussion of how to drive uptake. Obligations were there, but carrots — tax relief, insurance discounts, procurement levers — were absent.
  • SME proportionality: The draft was written with large boards in mind. SMEs were an afterthought, even though they make up the majority of UK business and the bulk of supply chains.
  • Professional recognition: Nowhere did the consultation ask how boards could know who to trust. Without professional standards for cyber practitioners, directors risk being accountable without credible advice.
  • Practicality of assurance: The consultation floated self-assessment, spot checks, and independent audits, but avoided confronting the known weakness of self-attestation: an organisation grading its own controls records what it believes about them, not what it can demonstrate to a third party.

These omissions mattered because they risked turning the Code into another worthy framework that boards would nod through without changing behaviour.

Why the Consultation Mattered

For all its gaps, the consultation was historic. It asked boards to treat cyber like finance, health and safety, and environmental governance: as a director-level duty with systemic impact. It acknowledged that supply chains are fragile, that incidents are inevitable, and that governance structures must adapt.

But it also showed how far we still had to go. The questions were the right ones — yet the toughest answers (incentives, SMEs, professionalisation) were still ducked.

Conclusion

The DSIT consultation opened the door to a new era of corporate accountability. It was an essential scene-setter, but it left critical gaps unresolved. That’s where the responses came in — from practitioners like me, and from professional bodies like the IET.

What mattered next was ensuring that those missing pieces — incentives, proportionality, professional recognition, and credible assurance — were not forgotten.

In the next article, I turn to my practitioner response: what I told DSIT directly, and why the realities of cyber risk demand more than polite principles.