Source · Select Committees · Public Accounts Committee
Recommendation 17
Accepted
Require every government department to appoint a very senior Chief Information Officer.
Recommendation
We asked the Cabinet Office if departments have underestimated the cyber risk. It told us that until recently it had not done enough to ensure leaders across government understood the cyber threat, but that it had made significant improvements in the last three years.[33] These included bringing all the permanent secretaries together to discuss their responsibilities for cyber risk and writing to them to remind them of their duties.[34] We suggested to the Cabinet Office that all departments needed to have a Chief Security Officer operating at senior levels. The Cabinet Office agreed that government should have senior people accountable and that there was a need to have a very senior Chief Information Officer in every single department as standard.[35] We asked the Cabinet Office if its senior board had a digital expert and it explained that it was recruiting new non-executive members and that these would include at least one digital expert. The Cabinet Office expected every department to do the same.[36] The Cabinet Office reassured us that as part of the 2025 Spending Review, government was undertaking a comprehensive review of its technology budget and how it is spent.[37]
Government Response Summary
The government agrees to the recommendation, with a target implementation of Spring 2026. It will require all public sector organisations to have a digital leader and a digital non-executive director by 2026, and DSIT will set expectations for departments to appoint board members with cyber expertise and define associated responsibilities and reporting.
Government Response
Accepted
HM Government
3.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026.

3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making.

3.3 There is a clear need for board-level expertise to ensure that digital and procurement considerations are fully factored into governance, investment and risk decisions. Government’s intent for this is stated in the Blueprint, where all public sector organisations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026.

3.4 Building on this, DSIT will set expectations for departments to appoint a board member with expertise in cyber security and digital resilience, ensure that boards receive regular reporting on cyber security and digital resilience risks, define roles and responsibilities, and specify mandatory risk management and governance actions in a Target Operating Model for Government Cyber and Digital Resilience.