IT Essentials: The King’s Speech was a gift for CISOs
It won’t happen overnight, but the direction of travel is clear
CISOs need to decide how best to seize the moment, as the government hands them a weapon to fight the ‘security as a cost-centre’ narrative.
The chaos engulfing the (nominally) Starmer-led government grabbed so much collective media energy that the King’s Speech last week went a little underreported.
But the speech, in which the government sets out its legislative agenda for the next Parliamentary year, was surprisingly useful for IT and cybersecurity leaders used to budget battles, because the government has signalled, as unambiguously as it can manage, that cyber resilience is a matter of national security and legislative obligation.
The Cyber Security and Resilience Bill is designed to strengthen protections for critical infrastructure and supply chains and is expected to expand the scope of existing regulations to cover a broader range of digital services, place regulators on firmer statutory footing and significantly tighten incident reporting requirements. The intent is clear: the government wants a clearer picture of the threat landscape and improved resiliency. Organisations are going to be legally obliged to provide it.
Equally significant is the announced reform of the Computer Misuse Act. It's legislation from a different era (1990) which has long hamstrung the very security researchers and ethical hackers tasked with testing our defences. These individuals have operated for decades in a legal grey area. Updating this law is long overdue, and its inclusion in the King's Speech is a meaningful concession to an industry that has been making this argument for what must feel like forever.
None of this is going to happen overnight, and given the Labour Party’s unrivalled capacity for self-destruction it might not happen soon, but for IT leaders the direction of travel is what matters, and the direction is clear. Regulatory obligations are expanding and reporting requirements are tightening.
The question is not whether your organisation will need to respond; the question is how to use this moment. Boards that have historically viewed security as a cost centre might be more amenable to a different approach.
The government has, for once, handed Team CISO the argument on a velvet cushion.