How boards can boost resiliency with the updated U.K. cyber code

Nick Godfrey
Senior Director, Office of the CISO, Google Cloud
Cybersecurity is a core business risk that can impact finances, reputation, and operations, and boards of directors are increasingly held accountable for their organization's cyber resilience. The U.K. has released new guidance on how boards can do just that — take informed action, strengthen accountability, and ultimately reduce risk across their organizations.
The Department for Science, Innovation and Technology (DSIT) issued its new Cyber Governance Code of Practice on April 8. Although the Cyber Governance Code targets medium to large public and private sector organizations, smaller organizations can use these principles as a valuable framework for their own cybersecurity strategy.
While the U.K.’s code is currently voluntary, it echoes a growing global focus on board-level cyber governance, such as the recent SEC rules in the U.S. Feryal Clark, parliamentary under-secretary of state for AI and Digital Government, said in a statement, "Our new Cyber Governance Code of Practice does exactly that — setting out in clear terms steps organisations should take to safeguard their day-to-day operations, while also securing the livelihoods of their workers and protecting their customers."
That new cyber code: What you need to know
So, what are the nuts and bolts of this Cyber Governance Code? It highlights five core principles — essential components for a strong cybersecurity strategy, particularly when considering board responsibilities.
- Risk management: Understand, assess, and manage cybersecurity risk as part of the overall business risk framework, including proactive identification of threats and vulnerabilities.
- Strategy: Integrate cybersecurity into your organization's overall business strategy, ensuring it’s a fundamental consideration in strategic decision-making and resourcing.
- People: Foster a cyber-aware culture across the organization through training, awareness programs, and clear roles and responsibilities.
- Incident planning, response, and recovery: Ensure well-defined plans are in place to minimize disruption and facilitate swift remediation of cyber incidents.
- Assurance and oversight: Review and monitor the organization's cybersecurity posture to ensure effectiveness and adaptation to the evolving threat landscape.
To support the Cyber Governance Code, the U.K. government also released resources on cyber governance training and a cybersecurity toolkit for boards.
The Cyber Governance Code provides a framework intended to help directors take informed action, strengthen accountability, and ultimately reduce risk across their organizations. The core principles outlined in the Code resonate with guidance in "Perspectives on Security for the Board," our regular report on board-level cybersecurity issues, where we cover topics including cyber risk as a business imperative, robust incident response and recovery capabilities, and establishing effective committee oversight. Fostering a cyber-aware culture and navigating digital transformation risks such as cloud adoption, post-quantum cryptography, and AI are also vital considerations for effective governance.
Boards should also consider their strategies to maintain digital sovereignty. The specific aspects of digital sovereignty that matter to an organization can vary, and these needs can shift over time. It’s crucial for board members to regularly assess their current strategies and collaborate with leaders across the organization to ensure their approach to digital sovereignty aligns with their evolving business objectives and risk appetite.
How boards can build a cyber-resilient future
As board members, you are at the forefront of navigating today's complex risks. At Google Cloud’s Office of the CISO, we recommend prioritizing robust resilience strategies that can help safeguard your organization's future, and enable it to withstand and recover from inevitable cyber incidents.
We also advise that creating truly formidable defenses requires fostering a security-aware culture that actively engages with management to confront evolving threats. Board oversight is the critical driver to ensure that security, IT, risk and compliance, legal, and business teams work in concert to establish clear pathways that weave security and resilience into every aspect of your operations.
To further strengthen your organization's resilience, proactively invest in key areas to bolster your security: modernizing infrastructure, using cloud-first resilience, and exploring the potential of AI-driven security tools. To that end, engage in an ongoing dialogue with your CISO and the business, asking:
- Regarding our organization's resilience, what is our strategy and current investment plan for modernizing our core infrastructure to enhance security?
- How are we currently using and planning to use cloud-first resilience capabilities to strengthen our security posture and operational continuity?
- What is our assessment of the potential benefits and risks associated with adopting AI-driven security tools, and what is our roadmap for exploring or implementing these technologies?
For more information on implementing the U.K.’s Cyber Governance Code of Practice, please follow the guidance above, and contact the Office of the CISO with any questions through our Board of Directors Security Insights Hub.