Cyber governance practices are maturing - and reshaping leadership expectations

The UK Cyber Governance Code of Practice (CGCP), published in April by the Department for Science, Innovation and Technology, is the outcome of a collaborative effort with industry and governance institutions. It brings the UK in line with global trends, where governments are increasingly setting clearer expectations around board-level responsibility for cyber risk.

The CGCP defines cyber governance through five principles: risk management, strategy, people, incident response, and oversight. Its purpose is to ensure that boards understand their responsibilities and embed cyber risk into the organisation’s overall risk management framework. Crucially, the CGCP uses non-technical language, reinforcing the message that effective cyber oversight does not require a background in technology.

Although the CGCP is aimed at board directors, it has clear implications for technology leaders. Boards committing to the CGCP will depend on input from their CIO, CTO or CISO to evaluate how well the organisation aligns with its principles. For technology executives, this presents an opportunity to lead by helping to shape governance practices and strengthening collaboration across the executive team.

Technology leaders are often well positioned to introduce the CGCP to their board, highlight existing strengths, and identify areas for improvement. Cyber governance is still frequently associated with compliance or certification frameworks. However, its scope has evolved to encompass strategic alignment, organisational culture, expected behaviours and informed oversight. This broader framing helps board members connect cyber risk with familiar governance responsibilities and gives technology executives a platform to engage more meaningfully across the leadership team.

According to The Cyber Leadership Playbook, 41% of board members report difficulty in overseeing cyber risk effectively. Addressing this challenge, technology leaders must move from technical stewardship to strategic partnership. Anticipating the conversations that the CGCP will trigger allows CISOs and CIOs to build credibility and help the board make better-informed decisions.

Five practical steps for technology leaders:

1. Be proactive: Collaborate across the business on strategy, workforce engagement and incident response planning — before the board requests it.
2. Use a shared language: Leverage the CGCP’s terminology as a guide for engaging with board directors and aligning cyber with the broader risk management agenda. 
3. Seek board support: Use the CGCP as a basis to request backing – for example, for better policy enforcement, aligning budgets, or business-wide engagement.
4. Build trust through realism: Don’t promise “security” where you realistically cannot. Commit to preparedness, responsiveness and continuous improvement. 
5. Share insights, not just indicators: Help the board assess risks, trade-offs and options. Offer alternatives and criteria that should guide the board’s decision-making. 

Importantly, responsibility doesn’t rest with technology leaders alone. The CGCP calls on board members to improve their own cyber literacy and to establish a strong dialogue with the executive team on cyber risk. Many technology leaders have long argued that improving cyber knowledge in the boardroom is essential – and the CGCP explicitly creates space for that shift. As cyber governance matures, board expectations are changing too. Technology leaders have a powerful opportunity to guide the conversation.