Who’s ready for the Cyber Governance Code of Practice?

Written by Robert Hall | Feb 7, 2024 2:51:30 PM

The Government is pushing businesses to beef up their cybersecurity defences. It’s part of the broader National Cyber Strategy to improve the UK’s resilience to growing threats.

The latest development came on the 23rd of January, when the Department for Science, Innovation and Technology (DSIT) announced its Cyber Governance Code of Practice. At this stage, it’s in draft form. But it’s a significant step, with big implications for all UK businesses.

For the channel, it creates both an opportunity and an obligation. I’ll explain why shortly. But first, let’s quickly look at what the Code is.

The Code: a quick introduction

First, the Code is in draft form, and DSIT is encouraging feedback from business leaders. You can share your views here. It’s hard to say how much it will change after consultation, but we can expect the structure and intent to remain on similar lines.

It’s presented as a set of five principles, with recommended action points under each one. The Code’s five principles are as follows:

A: Risk management: This is about identifying, assessing, and prioritising risks.

B: Cyber strategy: This principle is about creating, monitoring, and reviewing a resilience strategy.

C: People: As the name suggests, this is all about the critical step of internal training and communication on the threats.

D: Incident planning and response: This principle covers backup and disaster recovery.

E: Assurance and oversight: The fifth and final guideline recommends creating a structure to ensure continuous good practice.

That’s a very brief summary. Whether or not you work in the cybersecurity industry, I recommend reading the Code thoroughly. It’s short, and you’ll find it slightly hidden in Annex A here. Now, let’s move on to how this affects the channel.

What the Code means for the channel

Cybersecurity awareness is growing. This is just the latest example of that. First, it seems reasonable to assume that business leaders will become more security-conscious, which is good news. Ultimately, we have a shared interest in addressing the rising threat level. Attacks can have a devastating effect, whether that’s on businesses or public sector organisations.

It’s also an opportunity for the channel. But we should be careful about how we understand that opportunity. Growing awareness will inevitably lead to greater demand for cybersecurity products and services. But it’s not just about the sale. It’s about using our industry’s collective expertise to put businesses in a better position to protect themselves.

This goes back to my point about opportunity and obligation. Our shared responsibility is to provide the protection that businesses need. That’s always been our goal at Brigantia. It’s why we select vendors the way we do – prioritising quality over quantity or reputation. So, with that in mind, I’ll finish with a few pointers on how the channel should react.

How should MSPs respond?

First, I’d encourage anyone in the cybersecurity channel to contribute feedback. The Government calls for responses, and our industry’s expertise should contribute to the final Code.

Even if we don’t contribute, we should all at least understand what the Code says. People will ask us about it. It’s a good set of general principles, but they’re broad-brush guidelines. That’s not a criticism – it comes with an acknowledgment that there’s no one-size-fits-all approach.

Here, I’d like to highlight Brigantia’s layered approach to cybersecurity. What do I mean by “layered”? In short, it’s about identifying specific layers within an organisation that could be vulnerable to attack (for example, networks, endpoints, applications, or people). Then, having identified the risks and vulnerabilities, you recommend solutions that complement each other.

Why is this effective? Because it allows you to gain a comprehensive view of the business and tailor a coherent, effective solution to the customer. With this approach in mind, we’ve built our portfolio of vendors, and it works – for our partners and their customers.

Want to find out more about our layered approach or any of our vendors? You can get in touch here, or message me on LinkedIn.