From guidance to action: raising the bar on software security across UK supply chains
Software security has quietly become one of the most critical foundations of public services in the UK. From border operations and transport to healthcare and local government, software now underpins how services function, scale and recover when things go wrong.
That reality was front and centre at a recent event hosted by the Department for Science, Innovation and Technology (DSIT). It brought together policymakers, security leaders and delivery partners to mark the launch of the Software Security Code of Practice and, more importantly, to discuss what it will take to turn guidance into action.
Zaizi was part of the collaborative industry group that helped shape the Code, working alongside organisations including Lloyds Banking Group, Palo Alto Networks, Sage, Accenture, NCC Group, ISC2, Nexor and Cisco. Contributing as an SME mattered. Secure software standards only succeed if they work not just for large primes, but for the smaller organisations embedded across public sector supply chains.
For Zaizi, the conversation at the launch event strongly reinforced something we see every day working in high-assurance environments: software security is not just a technical problem. It is a delivery, skills and accountability challenge that runs through entire supply chains.
A shared problem, a shared responsibility
Opening the event, Irfan Hemani, Deputy Director at DSIT, described the Code as the result of four years of work — and the beginning of a longer journey to reduce insecure software across the UK.
Rather than positioning the Code as a compliance exercise, it was framed as a signal of leadership. A way for organisations to demonstrate maturity, resilience and commitment in an increasingly volatile threat landscape.
That urgency was reinforced in the ministerial keynote from Baroness Liz Lloyd, who grounded the discussion in real-world impact. She referenced a ransomware attack that disrupted UK airports, reminding the audience that software vulnerabilities no longer sit quietly in the background. When systems fail, everyday life is affected.
With 43% of businesses reporting a cyber breach, and £210m being invested in cyber security across the UK, the message was clear: secure software is now essential national infrastructure.
“Software underpins all public services — and it’s embedded right across UK supply chains.”
Baroness Liz Lloyd

What delivery teams are really up against
The first panel focused on government–vendor collaboration and surfaced a consistent theme: supply chain complexity.
For Stephen West, Director of Secure Government & Critical Infrastructure at Zaizi, the issue starts with how software is built and operated in practice.
Secure software, he argued, cannot be “bolted on” at the end of delivery. It has to be embedded from the outset, supported by clear ownership, capable teams and realistic expectations.
“Software security isn’t something you add at the end. It has to be part of how you design, build and run services from day one.”
Stephen West, Zaizi
Other panellists echoed this delivery reality. Gustavo Zeidan, CISO at Sage, highlighted the importance of a culture of accountability, while Carla Barker stressed the need for organisations to understand the wider impact of cyber risk beyond their own balance sheets.
From an engineering perspective, Larry Lidz pointed to a growing skills gap, noting that many graduates are entering the workforce without the foundations needed to write secure code.
The implication for public sector leaders is significant: expectations on security must be matched by investment in skills, consistency and support across the market.

From awareness to baseline practice
The second panel explored how baseline measures can be embedded across supply chains — and what gets in the way.
Speakers highlighted persistent challenges around vulnerability disclosure, transparency and visibility across complex supplier ecosystems. Several noted that risk often sits not inside organisations, but between them.
There was strong support for voluntary adoption of the Code of Practice, supported by self-assessment and clearer signalling to buyers, investors and partners.
Badging and certification were discussed as potential mechanisms to build trust, particularly in high-assurance and regulated environments — provided they are meaningful and proportionate.
“Transparency has to run through supply chains — not just sit inside organisations.”
Jon France, ISC2
The conversation also turned to AI. While AI is accelerating development and security research, it is also increasing the speed and scale at which vulnerabilities can be created and exploited. As several panellists noted, AI amplifies both good and bad practice — making strong foundations even more important.

Fixing root causes, not just symptoms
In the closing keynote, Chris Ensor from the National Cyber Security Centre (NCSC) offered a powerful analogy.
In the 1950s, aircraft failures caused by square windows were only resolved when engineers focused on root causes rather than surface symptoms. Software security, he argued, is no different.
We already know how systems are exploited. We understand where bugs come from. Yet vulnerabilities continue to be designed in.
The Code of Practice, with its 14 principles, is designed to tackle those root causes — and, crucially, those principles should not come as a surprise to responsible organisations.
“We know why systems get exploited — the challenge is stopping ourselves from building the same vulnerabilities again.”
Chris Ensor, NCSC

What this means for public sector leaders
For us at Zaizi, the event reinforced a simple truth: secure software is a delivery outcome, not a document.
The Code of Practice sets a clear baseline. But real progress will come from:
- consistent application across supply chains
- investment in skills and capability
- clarity of ownership and accountability
- collaboration between government, vendors and delivery partners
Most importantly, it requires sustained commitment. Not just to meeting today’s standards, but to raising them over time.
Learn more about the Code of Practice for Software Security, including its 14 principles and guidance for adoption.