ISC2, the non-profit cyber professional membership association, has joined the UK government’s recently launched Software Security Ambassador Scheme as an expert adviser.
Set up at the beginning of the year by the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT), the scheme forms part of a wider £210m commitment by Westminster to remodel approaches to public sector cyber resilience from the ground up, acknowledging that previous approaches to the issue have made little headway and that previously set resilience targets are unachievable.
It is designed to incentivise organisations to pay more attention to the security of software products, and supports the wider adoption of the Software Security Code of Practice, a set of voluntary principles defining what secure software looks like.
ISC2 joins a number of tech suppliers, including Cisco, Palo Alto Networks and Sage; consultancies and service providers including Accenture and NCC Group; and financial services firms including Lloyds Banking Group and Santander. Fellow cyber association ISACA is also involved.
“Promoting secure software practices that strengthen the resilience of systems underpinning the economy, public services and national infrastructure is central to ISC2’s mission,” said ISC2’s executive vice-president for advocacy and strategic engagement, Tara Wisniewski.
“The code moves software security beyond narrow compliance and elevates it to a board-level resilience priority. As supply chain attacks continue to grow in scale and impact, a shared baseline is essential, and through our global community and expertise, ISC2 is committed to helping professionals build the skills needed to put secure-by-design principles into practice,” she said.
Software vulns a huge barrier to resilience
A study of wider supply chain risks conducted last year by ISC2 found that a little over half of organisations worldwide reported that vulnerabilities in their software suppliers’ products represented the most disruptive cyber security threat to their overall supply chain.
And the World Economic Forum’s (WEF’s) Global Cybersecurity Outlook report, published on 12 January, revealed that third-party and supply chain vulnerabilities were seen as a huge barrier to building cyber resilience by C-suite executives.
A total of 65% of respondents to the WEF’s annual poll flagged such flaws as the greatest challenge their organisation faced on its pathway to resilience, compared to 54% at the beginning of 2025. This outpaced factors such as the evolving threat landscape and emerging AI technology, use of legacy IT systems, regulatory compliance and governance, and cyber skills shortages.
Pressed on the top supply chain cyber risks, respondents were most concerned about their ability to assure the integrity of software and other IT services, ahead of a lack of visibility into their suppliers’ own supply chains and overdependence on critical third-party suppliers.
The UK’s Code of Practice seeks to answer this challenge by establishing expectations and best practices for tech providers and any other organisations that either develop, sell or buy software products. It covers aspects such as secure design and development, the security of build environments, deployment and ongoing upkeep, and transparent communication with customers and users.
As part of its role as an ambassador, ISC2 will assist in developing and improving the Code of Practice, while championing it by embedding its guiding principles into its own cyber education and professional development services – the organisation boasts 10,000 UK members and associates.
It will also help to drive adoption of the Code of Practice through various awareness campaigns, incorporating it into its certifications, training and guidance, engaging with industry stakeholders and members to encourage implementation, and incorporating its provisions into its work with its own commercial suppliers.