
The King is a Cyberman: a new era for the UK’s cyber security

Written by Rich Benfield and Raf Tomaszewski
July 18, 2024

Yesterday's King's Speech revealed a new incoming Security and Resilience Bill.

King Charles III outlined plans to move the UK’s cyber security presence forward by leaps and bounds. But following the King’s Speech, what can we expect from the bill, and how might it affect UK organisations? Two of th4ts3cur1ty.company’s technical experts share their initial reactions.

Rich's thoughts

Doctor Who jokes notwithstanding (and let’s be honest, it was a bit of a stretch anyway), King Charles III made his State Opening of Parliament speech yesterday. This is where he sets out a whole flotilla of tasks for the new government to fulfil over their term.

One of the items mentioned in the King’s speech is to roll out the Security and Resilience Bill, designed to essentially force public sector organisations to protect themselves against cyber threats. We’ve all seen how incredibly weak public sector cyber defences are in recent months with large-scale attacks on both the Ministry of Defence and the NHS.

The last government laid the foundation for this bill, and you can consider this a top-up. This bill will beef up regulatory bodies’ abilities not only to enforce certain requirements but also to enforce better reporting back to the Government around cyber threats. Essentially, this is a regulatory update.

This sounds promising, but is it really going to change anything? Let’s be honest, the rate of change within organisations like the NHS is positively glacial. It can be measured in terms of ice ages. When you consider the speed at which both malicious actors and the private sector move, I personally can’t see a time when these public sector orgs will get to where we were last year, let alone where we currently are.

Obviously, it’s a case of “your mileage may vary”. Some public sector bodies are well on their way to being very secure. However, many are not. Whether giving the regulators more bite will bring about meaningful change remains to be seen.

What will be interesting to see is whether this loosens up procurement processes in the public sector. Against the backdrop of the Horizon scandal, I wonder if we’ll see more innovative cyber security companies start winning contracts. After all, those big companies who have been awarded these contracts for decades appear to move at the same pace as the public sector. The tech sector has as much snake oil as genuinely valuable technologies that public sector organisations could benefit from; it all hinges on the procurement processes and the expertise of the people that make decisions.

Thinking about the enhanced reporting requirements that will soon be in force, I fully expect to see news of big breaches hitting the cyber press more frequently. Awareness of these things is good for everyone; public, private, third sector and the general public could all benefit from greater awareness.

I’m all for the new Security and Resilience Bill; my only questions are, will it go far enough? And who’s going to foot the bill?

Raf's thoughts

The initiatives outlined in the King’s speech come at a crucial time, highlighting the nation’s commitment to securing its digital infrastructure and fostering a safer, more resilient society. However, simply adding more “blinky boxes” and advanced detection systems – supported by marketing terms like “military-grade encryption” and “sophisticated algorithms” – won’t solve the problem. In fact, not every organisation needs those sophisticated solutions; effective cyber security is not about extravagant budgets and high-end products.

Our role as cyber security professionals is to enable the workplace so that people can focus on their primary responsibilities without worrying about cyber threats. People who are not in cyber security should not have to think about these issues when designing clothes or performing other tasks. They should feel empowered to do their jobs, trusting that we are effectively managing the security aspects.

This brings us to a critical point: while we need everyone’s involvement, it is up to us to engage them in a reasonable way. Providing actionable and easy-to-understand intelligence is key. Effective communication, trust, and good relationships are vital. Practical and relatable security awareness training can transform employees from potential vulnerabilities into active defenders, integrating cyber security seamlessly into everyday operations.

I am optimistic about the future. There has been so much good work done, and initiatives like Cyber Essentials have been hugely successful. I have seen a shift towards more down-to-earth discussions about security, and this momentum is encouraging. We must keep securing our way of living and use this progress to continue improving.

In conclusion

We generally think that the King’s speech sets a promising direction for the UK’s cyber security and planning reforms. It is a call to action for everyone to increase their awareness of cyber breaches, take responsibility and work together to build a safer, more secure digital future.

With the government taking more interest in cyber security affairs, we fully expect there to be conversations in boardrooms around the country. If you are having these conversations, and need some support in making informed, credible proposals around your security, then please get in touch.


This article is written by

Rich Benfield and Raf Tomaszewski

Rich is a technology leader with 25 years’ experience. Rich has a wealth of knowledge around Cyber Security, (perversely) enjoys GRC and is the brain behind our new tool DRACOEYE. A failed musician and a big fan of animals and historic buildings. Currently lives in Henry VIII’s hunting grounds.

Raf is a SOC Analyst who leverages his diverse background to challenge industry norms with a practical and down-to-earth approach. He emphasises clear communication and actionable intelligence to empower everyone in an organisation. First meal after being stuck on a desert island: blue cheese gnocchi.