Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering

This article argues that DSIT’s Cyber Governance Code of Practice must embed professional recognition for cyber experts, just as directors rely on lawyers, accountants, and engineers. Without a register of recognised professionals, directors risk being accountable without credible support.

Introduction

The DSIT Cyber Governance Code of Practice consultation (2024) makes directors accountable for cyber resilience. But accountability without support is a recipe for failure.

Boards already rely on recognised professionals in law, finance, and engineering. When directors sign off on accounts, they have auditors. When they face legal risk, they have solicitors. When they build critical infrastructure, they rely on chartered engineers.

In cyber, that safety net does not exist. Directors are told to govern, but left to navigate a fragmented market of consultants and certifications with no common benchmark of competence. That is a governance gap big enough to drive a breach through.

The Current Gap

Cyber remains fragmented and inconsistent:

  • Vendor certifications (CISSP, CISM, etc.) demonstrate knowledge, not accountability.
  • Consultancy standards vary widely; quality is hard to judge.
  • There is no register of recognised professionals that boards can trust.

For directors, this means uncertainty. Who is credible? Who carries liability? Who can they trust when the stakes are systemic?

Lessons from Other Professions

  • Law: Solicitors and barristers are regulated, bound by codes of ethics, and carry liability. Boards can rely on their advice.
  • Accountancy: Chartered accountants are recognised and accountable through professional institutes. Their assurance underpins market trust.
  • Engineering: Chartered engineers are registered, subject to standards, and trusted to safeguard critical systems.

In every case, professionalisation provides directors with a trusted interface between technical expertise and board accountability. Cyber has no equivalent.

Why Cyber Needs Recognition Now

Cyber is no longer a marginal risk. It is:

  • Financially material: breaches wipe millions off balance sheets and bankrupt smaller firms.
  • Legally material: regulatory fines and litigation follow failures of governance.
  • Systemically material: supply chain breaches and ransomware disrupt entire sectors.

If directors are to carry cyber responsibility, they need professionals they can trust — not just smart people with certificates, but recognised experts bound by professional duty.

Building Professional Recognition

The DSIT Code provides an opportunity to push professional recognition forward. This could include:

  • UK Cyber Security Council registration: a clear national register of competent, accountable cyber professionals.
  • Chartered status for cyber practitioners: through the Engineering Council or BCS, creating parity with accountants and engineers.
  • Mandatory use of recognised professionals for assurance: boards could be required to seek advice or validation from accredited experts, as they do for financial audits.

This is not gatekeeping. It is about giving directors a reliable path to credible advice.

The Role of the UK Cyber Security Council

The UK Cyber Security Council (UK CSC) has already been tasked by government with defining the Cyber Security Skills Framework — effectively the profession’s equivalent of the SFIA standard for IT workers. Its remit is to:

  • Map and codify the full range of cyber roles, competences, and career pathways.
  • Establish standards for professional registration, from associate through to chartered status.
  • Provide a national benchmark of competence and accountability for practitioners.

This is critical for governance. If boards are to rely on cyber professionals in the same way they rely on accountants or engineers, there must be a single authoritative standard underpinning the profession.

The Council’s work is still maturing, but the trajectory is clear. Once its framework is embedded, directors should be able to look to UK CSC registration in the same way they look to ICAEW for accountants or the Law Society for solicitors.

The DSIT Code of Practice could accelerate this by:

  • Requiring boards to seek assurance from UK CSC–registered professionals.
  • Linking Code compliance explicitly to the Council’s framework, ensuring directors know who is competent and accountable.
  • Using the Council to bridge between government guidance and board-level governance.

Without this linkage, the Code risks floating in abstraction. With it, cyber governance could be anchored in a professional framework that gives directors real confidence.

Risks of Ignoring Professionalisation

If government sidesteps professional recognition, three consequences are inevitable:

  1. Directors left blindfolded
    • They will carry accountability but lack trustworthy guidance.
  2. Weak assurance
    • Assurance remains fragmented, undermining credibility with regulators, investors, and insurers.
  3. Cultural stagnation
    • Cyber continues to be treated as a technical problem, not a governed profession.

Conclusion

The DSIT Code rightly shifts accountability for cyber into the boardroom. But without professional recognition, that accountability risks being hollow.

Law has lawyers. Finance has accountants. Engineering has chartered engineers. Cyber governance needs its own professional backbone — or directors will remain accountable but unsupported.

Embedding professional recognition into the Code is not optional. It is the difference between a framework that directors can use and one that they cannot act on. The UK Cyber Security Council’s role in defining skills and registration pathways must become central — otherwise, accountability will outpace the profession itself.