New cyber guidance calls for more defined roles and responsibilities when it comes to managing risk. For example, the latest UK Government cyber guidance, the DSIT Cyber Governance Code of Practice confirms CEOs and the board can no longer entirely delegate cybersecurity to the chief information security officer (CISO). How can other business leaders take ownership of their role in cybersecurity using this guidance?
Faced with ongoing cyber threats to public and private institutions, the UK’s Department for Science, Innovation and Technology (DSIT) published its Cyber Governance Code of Practice 2025, plus accompanying guidance. The guidance seeks to help senior leaders manage and mitigate their organizations’ exposure to malicious cyber activity. It emphasizes the role directors and board members play in cyber governance, distinct from that played by dedicated cybersecurity professionals, such as the CISO.
In this insight, we examine the key implications of the guidance, before looking at the benefits for strategic leaders of following the DSIT cyber code and its parameters, whether your organization is based in the UK or has a subsidiary or partner there. We then suggest practical ways senior leaders can seek assurance on cybersecurity in line with the DSIT cyber governance code.
The DSIT’s cyber governance code underscores the foundational role of governance in any information security management program.
Key language in the code includes phrases such as, “agree senior ownership of cyber security risks…”, “define and clearly communicate the organization’s cyber security risk appetite…” and “undertake training to improve your own cyber literacy and take responsibility.” The clear emphasis is that cybersecurity and cyber risk management aren’t the sole responsibility of cybersecurity professionals within your business; senior leadership needs to own them too.
The DSIT cyber governance code is divided into five areas, each with underlying actions and all of which speak to senior leaders’ responsibilities. In summary, the key implications for your organization are:
01. You should agree on the ownership of cybersecurity risks and define your organization’s cybersecurity risk appetite. This involves understanding and communicating the level of risk your organization is willing to accept, ensuring stakeholders are aligned on both this and the measures needed to manage your acceptable risk.
02. Your cybersecurity strategies should be aligned with business objectives to support the overall goals of your organization and avoid cybersecurity being seen as a separate and isolated function.
03. Improving cyber literacy among senior leaders through training is crucial to leading the organization through complex cybersecurity challenges.
04. The business should establish robust plans for incident response and recovery that provide for regular updating and testing. Conducting regular drills and simulations can stress-test the effectiveness of your plans and identify areas for improvement.
05. Your cybersecurity risk owners should seek assurance on aspects of your cybersecurity program, such as security controls, regulatory compliance and incident response. You should also establish a robust oversight mechanism, including regular audits and reviews, to check that your cybersecurity program remains effective and aligned with industry best practices and regulatory requirements.
Following the DSIT cyber code can help your organization strengthen its cyber resilience and position for enduring success. Put simply, senior leaders taking ownership of cyber governance can reduce the likelihood and impact of cyber incidents, thereby protecting your organization from significant financial and reputational damage.
By aligning your cybersecurity strategy with business goals, you can ensure your security measures aren’t only effective but also support your overall business mission. Creating a cohesive and integrated approach to cybersecurity can enhance your organization’s ability to achieve its strategic objectives.
The better communication between senior leadership and cybersecurity teams that the code encourages can help break down silos, in turn supporting both more effective risk management and better decision-making across the organization. Crucially, senior leaders who understand the cyber risks affecting their organization can allocate resources more effectively and prioritize the investments that provide the greatest return.
A strong cybersecurity posture, particularly when compared to peers impacted by cyber incidents, can build trust with your customers, partners and stakeholders, leading to increased business opportunities and a stronger market position.
And by having robust plans in place, as set out in DSIT’s code, if you’re impacted by a cyber incident, you can minimize the damage, get back to operating quickly and, again, protect your customers’ trust and confidence.
Many of the actions set out in DSIT’s governance code ask leaders to “seek assurance” on various areas of cybersecurity, from security controls to regulatory compliance and incident response.
To have such assurance, you will need to facilitate good two-way communications between senior leadership and those who implement your cybersecurity program. As the DSIT guidance recommends, senior leadership should improve their own knowledge of cybersecurity matters, while CISOs should learn to communicate their concerns and requirements in terms directors and boards can understand, rather than in bits and bytes or other overly technical jargon. Financial quantification of cyber risk can serve as that common language between technical teams, risk managers, and senior leaders, and joint enterprises between cyber specialists and business leaders can help bridge gaps.
Recruiting an external specialist to assess the maturity of your cybersecurity programs and associated risk levels can connect leadership and cyber business functions while offering guidance on additional security mitigations, as well as risk transfer solutions.
Working together to quantify the likelihood and impact of cyber incidents using industry-specific scenarios can also support closer alignment between teams and more efficient allocation of resources to optimal investments in cyber controls, mitigations and risk transfer.
Breaking down silos between the C-suite and the key enablers of IT and cybersecurity helps demonstrate that your CEO and board understand that, when it comes to cybersecurity, they can no longer afford to say, “we have someone who does that for us.”
Today, cybersecurity is a team sport; one your senior leadership needs to be ready to play.
Do you need help to get the assurance you need on cybersecurity? Get in touch with our cybersecurity and cyber risk management specialists for tailored support and to quantify cyber risk in actionable ways.