Cyber governance practices are maturing – and reshaping leadership expectations


The UK Cyber Governance Code of Practice (CGCP), published in April by the Department for Science, Innovation and Technology, is the outcome of a collaborative effort with industry and governance institutions. It brings the UK in line with global trends, where governments are increasingly setting clearer expectations around board-level responsibility for cyber risk.

The CGCP defines cyber governance through five principles: risk management, strategy, people, incident response, and oversight. Its purpose is to ensure that boards understand their responsibilities and embed cyber risk into the organisation’s overall risk management framework. Crucially, the CGCP uses non-technical language, reinforcing the message that effective cyber oversight does not require a background in technology.

Although the CGCP is aimed at board directors, it has clear implications for technology leaders. Boards committing to the CGCP will depend on input from their CIO, CTO or CISO to evaluate how well the organisation aligns with its principles. For technology executives, this presents an opportunity to lead by helping to shape governance practices and strengthening collaboration across the…
