Source · Select Committees · Public Accounts Committee

Recommendation 16
Status: Accepted

Departments demonstrate insufficient ownership of cyber risk and hinder information sharing.

Recommendation
Accounting officers in departments are responsible for protecting the security of their organisations and managing their department’s cyber risk, but they have not taken sufficient ownership of this responsibility. Often, membership of departments’ most senior boards does not include a digital expert. [31] Some departments have been reluctant to share information about their cyber incidents with other parts of government. When departments are transparent about their cyber incidents, other organisations can learn from them and improve their own cyber resilience. In the 2021 Spending Review, the Government announced it would invest £2.6 billion in cyber and ‘legacy’ IT, of which it gave £1.3 billion to departments. Some departments have significantly reduced the scope of their cyber security improvement programmes to fund other priorities. [32]
Government Response Summary
The government agrees, stating that all public sector organisations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026. DSIT will further set expectations for departments to appoint board members with cyber security expertise, ensure boards receive regular risk reporting, define roles and responsibilities, and specify mandatory risk management and governance actions within a new Target Operating Model.
Government Response (HM Government): Accepted
3.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026.

3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making.

3.3 There is a clear need for board-level expertise to ensure that digital and procurement considerations are fully factored into governance, investment and risk decisions. Government’s intent for this is stated in the Blueprint, where all public sector organisations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026.

3.4 Building on this, DSIT will set expectations for departments to appoint a board member with expertise in cyber security and digital resilience, ensure that boards receive regular reporting on cyber security and digital resilience risks, define roles and responsibilities, and specify mandatory risk management and governance actions in a Target Operating Model for Government Cyber and Digital Resilience.