Tag Archives: board accountability

From Consultation to Code Retrospective: Did We Influence the Outcome of the Cyber Governance Code of Practice

Leave a Reply

This reflection examines the Cyber Governance Code of Practice as published in April 2025. It compares government output with practitioner and IET responses from 2024, showing where influence carried through and where gaps remain. The conclusion: progress was made, but without law, incentives, and professional recognition, the Code risks becoming compliance theatre.

Continue reading

Did We Influence DSIT’s Cyber Governance Code of Practice?

Leave a Reply

This article compares my practitioner response, the IET’s institutional submission, and the final Cyber Governance Code of Practice published in April 2025. It shows where our ideas carried through (supply chain oversight, continuous process, assurance), where they were partly adopted (SME proportionality, professional recognition), and where they were ignored (incentives, legal duties). The conclusion: yes, we influenced the Code — but the hardest issues remain unresolved.

Continue reading

Cyber Governance Code of Practice 2024: What Government Finally Published

Leave a Reply

The UK’s Cyber Governance Code of Practice, published in 2025, sets out five principles for boards: risk management, strategy, people, incident response, and assurance. It places cyber in the boardroom and makes directors personally accountable, but stops short of embedding duties in company law. While clear and structured, the Code lacks incentives, SME pathways, and professional recognition — making uptake uncertain.

Continue reading

Cyber Governance at a Crossroads: Responding to DSIT’s Consultation

Leave a Reply

This framing article summarises a set of responses to DSIT’s Cyber Governance Code of Practice consultation in Jan/Feb 2024. It highlights practitioner and institutional submissions, alongside thematic deep dives on law, assurance, incentives, and professionalism. The message: DSIT asked the right questions, but the hardest answers were still missing.

Continue reading

Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering

Leave a Reply

This article argues that DSIT’s Cyber Governance Code of Practice must embed professional recognition for cyber experts, just as directors rely on lawyers, accountants, and engineers. Without a register of recognised professionals, directors risk being accountable without credible support.

Continue reading

Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance

Leave a Reply

This article argues that obligations alone will not drive the adoption of DSIT’s Cyber Governance Code of Practice. To succeed, the Code must be backed by incentives — tax relief, insurance benefits, procurement levers, and reputational recognition — that make governance valuable to boards. Obligations can enforce compliance; incentives will create commitment.

Continue reading

From Cyber Essentials to Corporate Governance: Raising the Bar

Leave a Reply

Cyber Essentials has value as a baseline, but reaches only 0.3% of UK organisations and says little about governance. This article argues that DSIT’s Cyber Governance Code of Practice must raise the bar, from compliance to accountability, from self-attestation to credible assurance, and from one-off certificates to continuous governance. Cyber Essentials is the floor; governance must be the ceiling.

Continue reading

Why Self-Attestation Doesn’t Work: Lessons for the DSIT Code

Leave a Reply

This article argues that self-attestation has failed as a credible assurance mechanism, citing Cyber Essentials’ low uptake and ISO 27001’s limits. It warns that if DSIT builds the Cyber Governance Code of Practice on self-assessment, it will fail. To succeed, the Code must mandate independent, accredited assurance that directors, investors, and regulators can trust.

Continue reading

Directors and Cyber Responsibility: Towards a New Company Law

Leave a Reply

This article examines DSIT’s 2024 proposal to embed cyber responsibility into company law. It argues that directors should carry legal duties for cyber resilience, as they already do for finance and health and safety — but only if those duties are proportionate, professionalised, and practical. The consultation did not change the law, but the direction of travel is unmistakable.

Continue reading

From Practitioner to Professional Body: The IET Response on Cyber Governance

Leave a Reply

This article examines the IET’s joint response to DSIT’s 2024 consultation on the Cyber Governance Code of Practice. Building on my practitioner-led analysis, the IET added institutional weight: emphasising professional recognition, proportionality for SMEs, broader engagement, and integration into training. It shows how practitioner insight and professional consensus can work together to shape policy.

Continue reading

Directors and Cyber Governance: My Practitioner’s Response to DSIT’s Consultation

Leave a Reply

This article revisits my practitioner-led response to DSIT’s 2024 consultation on the Cyber Governance Code of Practice. It highlights key issues I raised: supply chain risk, flaws in self-attestation, tool overload, lack of incentives, and the need for continuous governance. The argument is simple: cyber resilience belongs in the boardroom, but only if policy is grounded in practice.

Continue reading

Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed

Leave a Reply

The DSIT Cyber Governance Code of Practice consultation (Jan 2024) proposed five principles for boards: risk management, strategy, people, incident response, and assurance. But it left key gaps: no incentives, little for SMEs, no professional recognition, and weak thinking on assurance. This article argues the consultation was historic, but incomplete — a foundation that required sharper, practitioner-led input.

Continue reading