Software resilience and security for businesses and organisations (2023)

Our key points were:

  • The rapid increase in software complexity and our everyday reliance on it can lead to vulnerabilities that are exploited by crime-focused, state-sponsored, or ideologically-based terrorism. This can result in business critical, financial, and reputational damage.
  • Cyber risks need to be managed as a core element of the UK’s national recovery plan and as part of key company board decisions. Consistent resource investment is needed to maintain technological excellence and competitiveness.
  • Greater government/industry intervention is required around barriers in the open source community; transparency and communication of software materials, vulnerabilities, and incident management; procurement supplier assurance/management; software maintenance, configuration, and management.
  • Proportionate regulation would allow for innovation, whilst minimising risk levels.
  • Software vulnerabilities also arise accidentally, through a lack of awareness of what software code is actually doing. This could get worse with the development of AI.
  • Senior leaders and managers need to drive cultural change around software competence.
  • There’s a challenge finding people with the required skills at competitive salary rates. Competency frameworks and lists of recognised qualifications would help provide organisational reassurance over developer competence in particular areas.
  • Key cyber security roles should have protected status (in the same way as ‘medical doctor’) to help drive up and guarantee standards.