This article revisits my practitioner-led response to DSIT’s 2024 consultation on the Cyber Governance Code of Practice. It highlights key issues I raised: supply chain risk, flaws in self-attestation, tool overload, lack of incentives, and the need for continuous governance. The argument is simple: cyber resilience belongs in the boardroom, but only if policy is grounded in practice.
Introduction
When DSIT launched its Cyber Governance Code of Practice consultation in January 2024, the questions posed to boards and directors were deceptively simple: Do you support these principles? Are they enough? What’s missing?
Behind these questions, however, sat a profound shift. For the first time, government was suggesting that cyber resilience might become a formal part of directors’ duties — potentially enshrined in company law. This was more than a technical exercise; it was about redefining governance in the digital age.
I responded to the consultation directly, submitting my own practitioner-led analysis. What follows is not just a summary of that response, but a reflection on why I argued for what I did — and why these points remain critical if cyber governance is to move from aspiration to impact.
Cyber Governance as Risk Management
I supported DSIT’s principle on risk management, but argued it had to go further. Boards should:
- Identify critical assets and processes: This is not optional. Too many organisations still cannot articulate which systems and services are business-critical.
- Integrate cyber into enterprise risk: Cyber cannot remain an IT department silo. It belongs in the same governance structures as financial, operational, and legal risks.
- Define and act on risk appetite: Boards must be clear about what level of cyber risk they will tolerate — and what investment is needed to stay within those bounds.
- Confront the supply chain problem: This is the elephant in the room. Directors are accountable for resilience across the chain, yet most organisations lack any meaningful oversight of supplier risk.
This last point, supply chain security, was a theme I pressed hard. With only 1 in 10 UK firms understanding their supply chain security (NCSC data), directors need structured ways of assessing hundreds, sometimes thousands, of suppliers. Without this, “resilience” is illusory.
The Flaws of Self-Attestation
A central critique I raised was around self-attestation. Cyber Essentials and ISO 27001, even with external auditors, too often reduce to a tick-box exercise. Self-attestation is inherently flawed because it lacks credibility and independence.
I argued that the Code must push beyond this — towards independent, professional assurance that boards can rely on, and that investors, regulators, and insurers will respect. Otherwise, we risk embedding false confidence at the highest levels of governance.
The Problem of Tool Overload
One of the less glamorous but very real challenges I highlighted was tool overload. Enterprises typically run 70+ security tools, generating thousands of alerts. Boards are told they are accountable, yet they are handed data they cannot interpret.
The result is analysis paralysis. Directors and executives freeze, unsure how to prioritise, and the governance conversation becomes abstract rather than actionable.
In my response I argued that the Code should help boards cut through noise: recommending simplification, prioritisation, and actionable intelligence over raw reporting. Without this, “board-level assurance” risks becoming an exercise in looking at dashboards, not making decisions.
Incentives, Not Just Obligations
Another theme I stressed was the need for incentives. Obligations alone would not drive uptake. In fact, obligations without incentives risk alienating the very SMEs that underpin the UK economy.
I suggested:
- Tax incentives for regular risk assessments.
- Insurance discounts linked to demonstrable governance.
- Procurement levers: requiring governance standards for eligibility in government or CNI supply chains.
Cyber governance will only take root when boards see it as value-adding — improving resilience, lowering costs, opening contracts — not simply as another compliance burden.
Cyber as a Continuous Process
Perhaps the most important point I made was that cyber resilience is never finished. Too often, governance is framed as a one-off exercise: a report to the board, a line in the annual statement. That is not good enough.
I argued that the Code must position cyber governance as a continuous process:
- Regular reviews of risk and strategy.
- Quarterly reporting against risk appetite.
- Annual exercising of incident response.
- Post-incident learning loops.
Without continuity, cyber governance risks being reduced to “annual theatre” — a performance for regulators or auditors, rather than a lived discipline of resilience.
Why This Practitioner Perspective Matters
My response came not from theory but from lived practice:
- Working with organisations struggling to interpret risk across sprawling supply chains.
- Watching boards drown in dashboards and acronyms.
- Seeing the limits of self-attestation, where false assurance breeds complacency.
- Negotiating with SMEs for whom governance feels remote, expensive, and abstract.
This perspective matters because policy must be tested against practice. A code that looks elegant on paper will fail if it cannot be implemented by real boards, in real organisations, under real constraints.
Conclusion
My submission to DSIT’s consultation was supportive but critical: supportive of the ambition to put cyber into the boardroom, critical of the gaps that could make it ineffective.
The principles — risk, strategy, people, incident response, assurance — are the right ones. But unless they are underpinned by credible assurance, incentives for uptake, simplification for directors, and continuous governance, the Code risks being adopted in form but not in substance.
In the next article, I will look at how this practitioner perspective was translated into a professional body response with the IET — and what changed when practice met policy.