This article examines the IET’s joint response to DSIT’s 2024 consultation on the Cyber Governance Code of Practice. Building on my practitioner-led analysis, the IET added institutional weight: emphasising professional recognition, proportionality for SMEs, broader engagement, and integration into training. It shows how practitioner insight and professional consensus can work together to shape policy.
Introduction
After submitting my own independent response to DSIT’s Cyber Governance Code of Practice consultation in early 2024, I worked with the Institution of Engineering and Technology (IET) on a joint response.
If my practitioner response was a field report — blunt, problem-led, informed by lived realities of supply chain chaos, assurance gaps, and dashboard paralysis — then the IET’s version was a policy instrument. It translated those practitioner concerns into the polished grammar of professional standards, regulatory frameworks, and institutional consensus.
Both matter. But the shift from v0.1 (my version) to v0.3.2 (the IET’s version) is instructive: it shows how ideas evolve as they move from practice to policy.
What the IET Carried Forward
The IET did not discard the core practitioner critique. Supply chain risk, flaws in self-attestation, and the need for continuous governance all survived. The DNA of the practitioner response is still visible in the final text.
But instead of presenting them as urgent pain points, the IET reframed them as policy priorities:
- Supply chain oversight became a governance expectation, not a “looming crisis.”
- Continuous governance was positioned as good practice, not “the only way this works.”
- Assurance was a call for stronger mechanisms, but not a rejection of self-attestation in principle.
That’s not a loss of content — it’s a change of register. But it does matter, because urgency sometimes evaporates when smoothed into consensus language.
The Institutional Additions
Where the IET added most value was in areas only a professional body can credibly speak to.
Professional Recognition
The IET made the case for professionalising cyber expertise — putting it on a par with law, accountancy, and engineering. By referencing the UK Cyber Security Council, the Engineering Council, and the BCS, the response pointed towards a future where boards can rely on chartered cyber professionals in the same way they rely on chartered accountants.
This is something my practitioner response did not touch, but it was a smart addition. If cyber governance is to be credible, boards need assurance not just about processes, but about the standing of the people delivering them.
Proportionality for SMEs
The IET made proportionality explicit. Where I acknowledged SME constraints implicitly, the IET insisted that the Code must be scalable, understandable, and proportionate.
That’s politically astute: a Code seen as “big company only” would be dead on arrival with SMEs, who make up the bulk of the UK economy. Yet, in my view, this proportionality risks being a double-edged sword — too much “scaling down” can weaken ambition and leave SMEs stuck at the bottom rung.
Broader Engagement and Promotion
My response focused on gov.uk and NCSC. The IET widened the net: IoD, Companies House, CBI, FSB, trade bodies, and regional clusters. This was the right call — a governance code only works if it’s seen, and directors do not trawl government websites for guidance.
Integration into Training and Accreditation
The IET also called for the Code to be embedded into director training and professional pathways — from IoD’s Chartered Director course to professional recognition schemes across engineering and IT.
This is powerful: governance change sticks when it’s baked into education and credentials, not just left as voluntary guidance.
What Was Lost in Translation
The institutional response had strengths, but it also carried omissions that matter.
- Incentives: My strong argument for tax relief, insurance discounts, and procurement levers was softened, if not lost. Obligations remained the emphasis. That’s a mistake — obligations without incentives breed compliance fatigue.
- Tool overload: My blunt observation that boards drown under 70+ tools and tens of thousands of alerts disappeared. The IET acknowledged complexity, but the raw reality of “analysis paralysis” was absent. In policy-friendly language, the sharpest pain point was dulled.
- Urgency: Above all, the sense that boards are already failing at this in practice was muted. Professional bodies naturally favour constructive consensus — but there is a danger of sanding off the rough edges that policymakers most need to hear.
Conclusion
The IET response added legitimacy, reach, and professional framing to the practitioner critique. It broadened the conversation to SMEs, connected governance to professional recognition, and embedded cyber into the institutional fabric of director training and standards.
But in doing so, it inevitably softened the urgency of the original practitioner message. Supply chain fragility, tool overload, and the emptiness of self-attestation are problems boards face today, not abstract challenges for tomorrow.
The lesson is clear: practitioner insight needs institutional amplification — but institutional consensus needs practitioner edge. Both responses together gave DSIT a balanced view: the raw problems of practice, and the pathways for policy.
In the next article, I will turn to the final Cyber Governance Code of Practice (2025), and ask: how much of this combined thinking survived into government’s published framework?