Anthony Hines · July 2026
The accounts that reach an audit committee are signed by a statutory auditor, and the law is particular about who that can be. There is an examination regime behind the signature, a professional body with the power to strike the signer off, and a Companies Act provision that stops the firm deciding for itself who is qualified to do it. The cyber report that reaches the same committee has nothing like that behind it. Anyone may operate the controls it describes, assess whether they work, and write the report that says so.
The obvious answer is that none of this should worry anyone, because the controls get audited. Up to a point, they do. The statutory audit, the one with the licensed signature behind it, covers the accounts, and it reaches cyber controls only in so far as they support the systems that produce the financial reports. It has never been an opinion on whether the firm is secure. Internal audit goes deeper into the estate, and in regulated firms it carries real supervisory expectations, but it is not a licensed profession either. A firm that wants more assurance can buy it, a controls opinion from one of the audit firms, a SOC 2 report. However far the assurance travels up the chain, the credential never actually touches the cyber work.
Credentialing machinery does turn up in other areas when the work is high-stakes and the person relying on it cannot check it for themselves. A doctor's licence to practise sits with the General Medical Council and has to be revalidated every five years, on the strength of annual appraisals and feedback from colleagues and patients. The Legal Services Act 2007 names six reserved legal activities, and doing any of them without authorisation is a criminal offence. Defined benefit pension schemes are required by statute to appoint a scheme actuary, a named, personally qualified individual. In each case a body outside the employer decides whether the person is fit to do the work, continuously checks they remain fit to do so and can take away their licence if they don't maintain minimum standards.
Cyber security does have credentials, a great many of them in fact and some are genuinely demanding. I have held a CISSP since 2007. Earning it meant something at the time, but in nineteen years nobody has ever required it of me. The same goes for the rest of the industry's accreditations, the ISACA family, the SANS track, the vendor badges, and for the chartered titles the UK Cyber Security Council has begun issuing across eight specialisms. All of it real rigour but it's voluntarily acquired, and no law or regulator in the UK mandates any of it.
In the UK, the job title of Architect is protected and the Architects Registration Board keeps a statutory register and pursues people who use the word without being on it. The technology industry hands it out freely, cloud architects, security architects, enterprise architects, no register, no examination, nothing anyone can take away. Anyone can call themselves an architect, and often do.
Accountancy, oddly enough, went the other way round. In the UK anybody may call themselves an accountant, and most of what accountants do, the tax work, the management accounts, the general advice, anyone may do without a qualification to their name. Where the law stepped in was the handful of functions carrying the most reliance, signing a statutory audit opinion, taking appointments over insolvent estates, and it reserved those to qualified, supervised individuals. So the architects keep the word, the accountants keep the signature but cyber security has neither. There is no assertion about the security of a regulated firm, no attestation that a control operates, no sign-off on a remediation, that an unqualified person may not make. In the UK, the Department for Business and Trade keeps a register of the professions regulation touches, nearly three hundred of them. Search it for cyber and it comes back empty.
There is an exception. When the Bank of England wanted live, intelligence-led penetration tests run against the systemically important parts of UK financial infrastructure, it was not prepared to take the testing firms' word for their people. CBEST testers have to be individually certified, through named schemes, working for accredited providers. CHECK does the same for government systems, a team leader there is an examined status rather than a job title, and since late 2024 the scheme has required the Cyber Security Council's chartered titles. Even there, the licence exists to manage the danger of letting somebody loose on live systems, not to make anyone stand behind an opinion the way an auditor stands behind the accounts. So the profession can build proper credentialing when a regulator insists on it but the only people it has ever been asked to credential are the ones that periodically test it, not the ones defending it all year round.
People have been arguing about whether cyber security should professionalise for well over a decade. The Americans studied it in 2013, the UK government consulted on it in 2018, and the general conclusion was that it was too soon, the field too broad and too varied to charter as one profession. The chartered titles that exist today came out of that work and remain voluntary, and there the debate has more or less rested. That conclusion was probably right, nobody could charter a field this broad as one profession. But then nobody chartered finance as one profession either. The law picked out the individual jobs other people had to rely on, and dealt with them one at a time.
What the industry built instead is assessment frameworks. NIST CSF 2.0 treats awareness and training as outcomes a security programme should achieve, and ISO 27001 asks the organisation to decide for itself what competence its people need and keep the documents that prove it. All sensible but none of it a licence so every assessment has to evaluate competence through the production of training records. However, when control assessments become reports, reports become packs, packs go to committees and boards, and at no point on the way up does anyone's personal professional credibility ride on the work being right.
An auditor who signs something that turns out not to be true has more than an awkward conversation coming. The professional body can strike them off, and that ends the career, not just the job. It is a large part of why the signature is worth relying on in the first place, the person giving it has something real to lose. A cyber practitioner who stands behind an assessment that turns out to be wrong faces nothing equivalent. Unless they are senior enough that the regulator approves them personally, their accountability is only to their employer.
UK financial services spent a decade building its formal accountability at the top. Named senior managers attest under the Senior Managers regime and have their reasonable steps tested after an event. More broadly, the governance code has begun asking boards to declare on the effectiveness of their material controls. Those regimes settle who answers for cyber, but the law asks no qualification of the person answering, nor of anyone beneath them. The people carrying those obligations are often the furthest from the technology, and the answer that protects them everywhere else, that they relied on a qualified professional, is not available for cyber. A board signing off the financials knows that the people standing behind the signature, the auditor, the finance director, the actuary, have professional credibility of their own at stake; beneath the firm's cyber position there is no profession, just control frameworks, assessments, three lines of defence, and nothing in that machinery carries a licence anyone outside the firm can take away.
Some of the older professions' machinery arrived the hard way. Pension schemes got their statutory scheme actuary after Maxwell, and architects, title protected for the best part of a century, only got continuing-competence checks after Grenfell. Cyber security will get its version eventually, deliberately on its own terms, or the hard way, and in places it has already started, no longer just for the testers. Singapore has licensed penetration testing and security monitoring by law since 2022, and Malaysia followed in 2024 with prison terms attached. Nothing of the kind is on the table in the UK. Until it is, nobody will say the people running a firm's cyber controls are qualified, not the law, not a professional body, not the frameworks, and the personal accountability for being satisfied anyway will keep landing where the last decade of regulation has aimed it, on named executives and boards. A board cannot conjure a profession into existence, but it can start asking of its cyber assurance the question the professions it already relies on answered long ago. Who stands behind this, and what do they have to lose if it is wrong?