Accountability without Capacity Will Not Make Public Services More Secure
Why It Matters
Without the power to halt unsafe work, increased board oversight merely adds governance overhead, leaving public services vulnerable. Effective cyber resilience depends on aligning accountability with actionable authority.
Key Takeaways
- UK Cyber Security Bill forces board-level cyber reporting across public sector
- Accountability arrives before capacity, risking paperwork over real risk reduction
- Without termination authority, leaders cannot halt unsafe or low-value work
- Separate resilience metrics from assurance metrics to reveal true security posture
- Early absorptive-capacity tests can stop governance overload before implementation
Pulse Analysis
The UK’s new Cyber Security and Resilience Bill reflects a broader international shift toward tighter cyber governance, echoing the U.S. strategy released earlier this year. By mandating board‑level reporting for central government, local authorities and NHS entities, the legislation aims to elevate cyber risk to a strategic priority. Yet the public sector’s entrenched legacy systems, fragmented procurement processes and already‑heavy compliance load mean that simply adding another reporting line risks creating a compliance‑centric culture rather than a security‑centric one.
Shabad highlights a structural paradox: when accountability precedes operational capacity, organizations tend to optimize for audit defensibility instead of genuine risk mitigation. Dashboards become polished evidence packs, and teams prioritize meeting board expectations over addressing the most exposed assets. This dynamic can shift career incentives toward those who can present clean reports, while the underlying brittleness of the IT estate remains untouched. The result is a false sense of security that masks systemic vulnerabilities, especially in environments where the authority to stop risky work is absent.
To turn accountability into resilience, public‑sector leaders must embed actionable authority alongside reporting duties. Practical steps include separating resilience metrics (such as patch latency and recovery rehearsal quality) from assurance metrics, conducting absorptive‑capacity tests before accepting new obligations, and granting CISOs explicit power to halt unsafe changes. Protecting candor in upward reporting and pruning low‑value governance demands will ensure that board discussions translate into concrete security improvements rather than additional paperwork. By aligning oversight with the ability to act, the public sector can transform the bill’s intent into measurable risk reduction.