This article compares my practitioner response, the IET’s institutional submission, and the final Cyber Governance Code of Practice published in April 2025. It shows where our ideas carried through (supply chain oversight, continuous process, assurance), where they were partly adopted (SME proportionality, professional recognition), and where they were ignored (incentives, legal duties). The conclusion: yes, we influenced the Code — but the hardest issues remain unresolved.
Reflecting on the journey from practitioner response to published policy
Contents
Introduction
In January 2024, the Department for Science, Innovation and Technology (DSIT) launched a consultation on its proposed Cyber Governance Code of Practice (CoP). It was a bold step: signalling that boards and directors might soon carry explicit responsibilities for cyber resilience — potentially even through changes to company law.
I submitted an independent practitioner’s response, later developed further in collaboration with the Institution of Engineering and Technology (IET). The IET version drew heavily on my practitioner analysis, but framed it in the language of professional bodies and institutional consensus.
Now, with the final Code of Practice published in 2025, we can ask: did we influence the outcome?
Practitioner Perspective
My original response stressed several practical realities:
- Supply chain risk: Boards must assess and secure suppliers at scale, or risk systemic exposure.
- Flaws of self-attestation: Tick-box schemes (like Cyber Essentials or ISO 27001) fail without credible external assurance.
- Tool overload: Enterprises drowning in 70+ security tools face analysis paralysis. Guidance must help boards prioritise.
- Incentives matter: Carrots (tax breaks, insurance discounts, procurement eligibility) are needed alongside obligations.
- Continuous process: Cyber resilience is never “done”; it must be embedded into governance as an ongoing practice.
Institutional Perspective
The IET response retained all of the above but added further depth:
- Professional recognition: Cyber practitioners should be treated like lawyers or chartered engineers, through recognition from the UK Cyber Security Council, Engineering Council, and BCS.
- Proportionality for SMEs: Governance guidance must be scalable, otherwise smaller organisations will disengage.
- Broader engagement: Publication and promotion should go beyond gov.uk/NCSC to include Companies House, CBI, FSB, trade bodies, and regional clusters.
- Integration into training: Embedding cyber governance into Director training and professional courses (e.g. IoD’s Chartered Director).
This version effectively translated practitioner pain points into policy-ready language — aligning with how government and regulators expect to receive evidence.
The Final Published Code (2025)
The published Code sets out five principles with concrete actions for boards:
- Risk management: identify critical assets, define risk appetite, assess suppliers.
- Strategy: align cyber with organisational strategy, allocate resources, monitor outcomes.
- People: build culture, ensure training, directors take personal responsibility for cyber literacy.
- Incident response: maintain and exercise response plans, ensure regulatory obligations are met, conduct post-incident reviews.
- Assurance and oversight: embed cyber into governance structures, require quarterly reporting, integrate with audits.
The Code is aimed at medium and large organisations, but explicitly notes that SMEs play a vital role and should seek to apply the principles “proportionately.”
Where Influence Shows
Looking across all three documents, several clear lines of influence emerge:
- Supply chain: Present in Practioneer response, reinforced by the IET, and strongly embedded in the final CoP (Risk management Action 4).
- Continuous process: Both responses stressed cyber as ongoing; the final Code frames governance as iterative, with regular assessments and reviews.
- Professional recognition: Explicit in IET version; only partly reflected in final Code (training/toolkit, but no formal recognition).
- Proportionality for SMEs: Added in IET version; reflected in final Code’s acknowledgement of SMEs, though without tailored guidance.
- Assurance: Both responses pushed beyond self-attestation; the final Code calls for embedding cyber into audits and quarterly reporting — but stops short of mandating independent external audits.
- Incentives: Strongly advocated in responses; absent from final Code, which remains obligation-driven.
What Government Left Out
- Explicit company law changes: While floated in consultation, the final CoP does not directly amend directors’ duties. It remains guidance, not legislation.
- Incentive mechanisms: No mention of tax relief, insurance discounts, or procurement levers to drive uptake.
- Professional accreditation: Recognition of chartered cyber professionals was not adopted, despite the IET’s emphasis.
Conclusion: Did We Influence the Thinking?
Yes — to a point.
The core practitioner themes (supply chain, continuous process, assurance beyond self-attestation) are visible in the final Code. The institutional framing from the IET (proportionality, broader engagement, professional recognition) is partly reflected — but in diluted form.
Where we fell short was in pushing government to embrace incentives and legal duties. The Code remains a governance framework, not a legislative instrument.
Still, the trajectory is clear: what began as practitioner pain points and professional body advocacy has been embedded into a national standard for directors. The influence may not be complete, but it is visible.
The next challenge will be ensuring uptake — moving from guidance on paper to changed behaviours in boardrooms.
Annex: Comparison of Responses and Final Code
| Theme | Practitioner Response (v0.1) | IET Response (v0.3.2) | Final CoP (2025) |
|---|---|---|---|
| Supply chain risk | Called for guidance on engaging with third-party vendors; highlighted the challenge of assessing hundreds/thousands of suppliersResponse to DSIT Code of Practi…. | Same, with added suggestion of supplier risk frameworks and sector guidance. | Included – Risk Management Action 4: boards must gain assurance suppliers are routinely assessedCyber_Governance_Code_of_Practi…. |
| Self-attestation flaws | Critiqued tick-box/self-certification; argued for credible independent assurance. | Echoed, plus urged registry of accredited assessors. | Partly included – CoP integrates cyber into audits and oversight, but no mandatory independent audit. |
| Tool overload & analysis paralysis | Highlighted 70+ tools, overwhelming boards; called for simplification. | Added guidance on optimising toolsets. | Not explicit – CoP silent on tool overload, but refers boards to NCSC toolkit. |
| Incentives for uptake | Proposed tax breaks, insurance discounts, procurement levers. | Reiterated and expanded. | Absent – no incentives, obligation-driven only. |
| Continuous process | Stressed cyber as ongoing, not one-off compliance. | Same, emphasised governance as iterative. | Included – Code mandates regular reviews, quarterly reporting, annual exercising of plans. |
| Professional recognition | Not central. | Introduced recognition via UK Cyber Security Council, Eng Council, BCS. | Not included directly – training & literacy stressed, but no formal recognition. |
| Proportionality / SMEs | Implicit but not explicit. | Stressed proportionality: scalable guidance for SMEs and larger orgs. | Partly included – CoP notes SMEs “play a critical role” and should apply principles proportionately. |
| Broader engagement / promotion | Suggested NCSC & gov.uk. | Expanded to IoD, Companies House, CBI, FSB, trade bodies, regional clusters. | Not explicit in Code – but DSIT/NCSC have since signposted to training/toolkits. |
| Incident planning | Annual testing, post-incident review, executive comms. | Same, framed in policy language. | Included – Incident Response principle with actions on exercising, regulatory reporting, reviews. |
| Integration with strategy | Cyber must align with business strategy and risk appetite. | Reinforced, emphasised embedding into director training. | Included – Strategy principle ensures alignment with org strategy and resource allocation. |
| Company law changes | Highlighted potential embedding in directors’ duties. | Not expanded, but acknowledged direction. | Not included – remains guidance, not legislation. |
At a Glance
- Strong carry-through: Supply chain, continuous process, strategy alignment, incident planning.
- Partial adoption: Assurance beyond self-attestation, proportionality for SMEs, professional recognition.
- Missing: Incentives, explicit company law changes, tool overload.
References
- Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed
- Directors and Cyber Governance: My Practitioner’s Response to DSIT’s Consultation
- From Practitioner to Professional Body: The IET Response on Cyber Governance
- Directors and Cyber Responsibility: Towards a New Company Law
- Why Self-Attestation Doesn’t Work: Lessons for the DSIT Code
- From Cyber Essentials to Corporate Governance: Raising the Bar
- Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance
- Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering
- Cyber Governance at a Crossroads: Responding to DSIT’s Consultation
- Cyber Governance Code of Practice 2024: What Government Finally Published
- Did We Influence DSIT’s Cyber Governance Code of Practice?
- From Consultation to Code Retrospective: Did We Influence the Outcome of the Cyber Governance Code of Practice
- Cyber Governance Code of Practice – published 8th April 2025