Tag Archives: Cyber Governance

Cyber Resilience Testing and Facilities: Mapping, Critique, and the Path Forward

Between February and March 2025, I analysed the UK’s Cyber Resilience Testing (CRT) initiative and its associated Cyber Resilience Test Facilities (CRTFs). From that research, I developed three articles: one mapping the global standards landscape, one examining CRT’s practical challenges, and one exploring its role as a trust label. Together, they present CRT as a promising but evolving approach: not yet a standard, but under active NCSC development and consultation, with the potential to reshape product-based assurance if given clarity, support, and ecosystem alignment.

Continue reading →

Major Cyber Vendors and Service Providers in the UK

The UK’s cybersecurity sector is home to thousands of providers, ranging from nimble startups and regional MSSPs to global consulting firms and homegrown risk intelligence platforms. While the National Cyber Security Centre (NCSC) sets the tone for policy and technical guidance, it’s these vendors that translate strategy into services: monitoring networks, managing risk, conducting audits, and responding to breaches in real time.

Continue reading →

The Future of Cyber Resilience Testing: Reflections on a Scheme in Transition

This blog article offers a critical yet constructive reflection on the UK’s Cyber Resilience Testing (CRT) initiative. While CRT is conceptually sound and timely, significant questions remain around cost, demand, usability, policy intent, and delivery responsibility. The article explores whether CRT is positioned to become a meaningful standard or risks being sidelined as another voluntary layer. It advocates for clearer articulation of purpose, audience targeting, and strategic alignment to unlock CRT’s full potential.

Continue reading →

Cyber Across Global Governments: International Cooperation and National Strategies

Cybersecurity has become a pillar of national security, digital economy growth, and global diplomacy. From ransomware attacks on hospitals to interference in democratic elections, governments worldwide now treat cyber threats as matters of statecraft, not just IT hygiene. While national strategies differ, a few shared patterns have emerged: defence of critical infrastructure, capacity building, and international coordination.

Continue reading →

Cyber Across US Government: Agencies, Frameworks, and Innovation Pathways

The United States is arguably the most influential force in global cybersecurity, but its governance model is sprawling, federal, and often opaque to outsiders. Responsibility is distributed across military, civilian, and intelligence agencies, each with their own authorities, funding mechanisms, and strategic priorities.

Continue reading →

Cyber Across European Governments: Key Bodies, Funding, and Coordination

The European cybersecurity landscape is layered, fragmented, and fast-evolving. Unlike the centralised approaches of some governments, the EU’s model of collective sovereignty means cybersecurity is coordinated, rather than controlled by Brussels. National governments still manage their defence and digital sovereignty, but major funding, regulation, and cross-border frameworks increasingly come from the EU level.

Continue reading →

From Consultation to Code Retrospective: Did We Influence the Outcome of the Cyber Governance Code of Practice

This reflection examines the Cyber Governance Code of Practice as published in April 2025. It compares government output with practitioner and IET responses from 2024, showing where influence carried through and where gaps remain. The conclusion: progress was made, but without law, incentives, and professional recognition, the Code risks becoming compliance theatre.

Continue reading →

Cyber Across UK Government: Departments, Programmes, and Policy Players

The definitive guide to who shapes cyber policy in Whitehall, and how to work with them.

Continue reading →

Inside the UK Cyber Ecosystem: A Strategic Guide in 26 Parts

An extensive guide mapping the networks, policy engines, commercial power bases, and future-shapers of British cybersecurity.

Continue reading →

The Insider’s Guide to Influencing Senior Tech and Cybersecurity Leaders in the UK

Influencing senior leaders in cybersecurity and technology is no small task, especially in the UK, where credibility, networks, and standards carry immense weight. Whether you’re a startup founder, a scale-up CISO, or a policy influencer, knowing where the key conversations happen (and who shapes them) can make the difference between being heard and being ignored.

Continue reading →

Did We Influence DSIT’s Cyber Governance Code of Practice?

This article compares my practitioner response, the IET’s institutional submission, and the final Cyber Governance Code of Practice published in April 2025. It shows where our ideas carried through (supply chain oversight, continuous process, assurance), where they were partly adopted (SME proportionality, professional recognition), and where they were ignored (incentives, legal duties). The conclusion: yes, we influenced the Code — but the hardest issues remain unresolved.

Continue reading →

Cyber Governance Code of Practice 2024: What Government Finally Published

The UK’s Cyber Governance Code of Practice, published in 2025, sets out five principles for boards: risk management, strategy, people, incident response, and assurance. It places cyber in the boardroom and makes directors personally accountable, but stops short of embedding duties in company law. While clear and structured, the Code lacks incentives, SME pathways, and professional recognition — making uptake uncertain.

Continue reading →

Professionalising Cyber: Reflections from Conway Hall

A first-hand reflection on the UK Cyber Security Council’s recent “The Journey to Professionalisation” event at Conway Hall, exploring the ongoing professionalisation of the cyber security sector. Highlights include the expansion of recognised specialisms, the development of the UK Cyber Skills Framework, and discussions on AI, early-career challenges, and the need for a more inclusive, realistic skills framework to support a growing cyber economy.

Continue reading →

Cyber Governance at a Crossroads: Responding to DSIT’s Consultation

This framing article summarises a set of responses to DSIT’s Cyber Governance Code of Practice consultation in Jan/Feb 2024. It highlights practitioner and institutional submissions, alongside thematic deep dives on law, assurance, incentives, and professionalism. The message: DSIT asked the right questions, but the hardest answers were still missing.

Continue reading →

Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering

This article argues that DSIT’s Cyber Governance Code of Practice must embed professional recognition for cyber experts, just as directors rely on lawyers, accountants, and engineers. Without a register of recognised professionals, directors risk being accountable without credible support.

Continue reading →

Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance

This article argues that obligations alone will not drive the adoption of DSIT’s Cyber Governance Code of Practice. To succeed, the Code must be backed by incentives — tax relief, insurance benefits, procurement levers, and reputational recognition — that make governance valuable to boards. Obligations can enforce compliance; incentives will create commitment.

Continue reading →

From Cyber Essentials to Corporate Governance: Raising the Bar

Cyber Essentials has value as a baseline, but reaches only 0.3% of UK organisations and says little about governance. This article argues that DSIT’s Cyber Governance Code of Practice must raise the bar, from compliance to accountability, from self-attestation to credible assurance, and from one-off certificates to continuous governance. Cyber Essentials is the floor; governance must be the ceiling.

Continue reading →

Why Self-Attestation Doesn’t Work: Lessons for the DSIT Code

This article argues that self-attestation has failed as a credible assurance mechanism, citing Cyber Essentials’ low uptake and ISO 27001’s limits. It warns that if DSIT builds the Cyber Governance Code of Practice on self-assessment, it will fail. To succeed, the Code must mandate independent, accredited assurance that directors, investors, and regulators can trust.

Continue reading →

Directors and Cyber Responsibility: Towards a New Company Law

This article examines DSIT’s 2024 proposal to embed cyber responsibility into company law. It argues that directors should carry legal duties for cyber resilience, as they already do for finance and health and safety — but only if those duties are proportionate, professionalised, and practical. The consultation did not change the law, but the direction of travel is unmistakable.

Continue reading →

From Practitioner to Professional Body: The IET Response on Cyber Governance

This article examines the IET’s joint response to DSIT’s 2024 consultation on the Cyber Governance Code of Practice. Building on my practitioner-led analysis, the IET added institutional weight: emphasising professional recognition, proportionality for SMEs, broader engagement, and integration into training. It shows how practitioner insight and professional consensus can work together to shape policy.

Continue reading →