Out-Law News

UK government calls for enhanced cyber security system governance

Announcements from the UK government and the US National Institute of Standards and Technology (NIST) both aim to improve governance of cyber security control management systems, in the hope of more appropriate protection for firms, an expert has said.

As the digital economy expands, so do cyber threats, and attacks are now a routine feature of modern business operations. To address this, the UK government is working to improve cyber resilience across the UK, most recently through an ongoing consultation on a cyber governance code. In parallel, NIST has published an update to its cyber security framework.

Christian Toon, cybersecurity expert at Pinsent Masons, said: “This supports industry trends we are seeing: organisations focus more on cyber governance to evidence the appropriateness of security programs, which is driven by increased legal scrutiny. I would also encourage anyone reading this to support the consultation and submit your views to help shape our cyber future.”

To improve existing procedures, the government has opened a consultation on its draft Cyber Governance Code of Practice and is calling for views. The code's primary objective is to better protect businesses, and it provides actionable guidance so that leaders can more easily understand the steps they need to take.

The draft code sets out the critical governance areas that company directors should tackle to protect the business as a whole. It recommends that directors define clear roles and responsibilities across the organisation, both to improve protection for customers and to safeguard the firm's ability to operate safely and securely. The code also emphasises the need for boards and senior leaders to take greater accountability for cyber risk; by engaging with the most critical areas, firms may be able to strengthen their cyber resilience.

The government is inviting responses to the draft code until 19 March, and the final version is expected to reflect industry feedback.

In parallel with the consultation announcement, NIST recently published an updated Cybersecurity Framework (CSF 2.0) (32 pages / 1.5 MB). Both documents call for enhanced governance of cyber security control management systems; CSF 2.0 does so most visibly by adding a new Govern function alongside the existing Identify, Protect, Detect, Respond and Recover functions.

CSF 2.0 does not prescribe specific methods of cyber security management but focuses on desired outcomes, so that organisations can choose their own approach to managing risk, with additional online resources from NIST offering further guidance. The framework is designed to help businesses understand their cyber security position and communicate it effectively, using the concepts of organisational profiles and tiers. Profiles allow the framework to be tailored to an organisation's particular context, while tiers characterise the rigour of its cyber security risk governance and management practices.

While the draft code and CSF 2.0 provide valuable frameworks for organisations to navigate the complex cyber landscape, “it’s vital that cyber, technology and legal teams come together to support these management systems and focus the conversation on ‘reasonable’ and ‘appropriate’ decisions around their cyber security controls that are best for business and customers alike”, Toon added.
