Freedom of Information laws were introduced to promote transparency and accountability but, as experienced cyber leader Vsevolod Shabad explains, the current public sector landscape is rife with inconsistency and confusion
Freedom of Information requests about cybersecurity governance create an impossible choice for public sector organisations. Full transparency risks enabling adversaries. Opacity undermines accountability. Without central guidance on how to navigate this trade-off, organisations are left to improvise — with chaotic results.
Analysis of public sector FOI responses reveals striking inconsistency. Imperial College Healthcare NHS Trust refused even to confirm whether it holds information about cyber programmes, stating this “would assist threat actors in determining the effectiveness of the trust’s defences against cyberattacks”.
A smaller specialist trust, by contrast, disclosed specific programme numbers and the date its board received specialist government training. West Midlands Fire Service claimed that the counting of board cyber discussions “exceeds the cost limit”. Another fire service confirmed all 12 oversight group members had completed training, and that cyber appeared on the agenda 12 times in two years.
This is not organisational incompetence. It is the predictable consequence of an absent framework.
The transparency paradox
FOI legislation rests on an assumption: more transparency produces better governance. In most domains, this holds. Citizens have a legitimate interest in knowing how public bodies make decisions and allocate resources.
Cybersecurity governance is different. Here, detailed explanations can become instructions for attackers.
Consider what happens when an organisation discloses its incident escalation criteria — the thresholds that determine when a cyber event reaches board attention. An attacker reading this learns exactly how to calibrate intrusions to remain below the board’s attention threshold.
Warwickshire County Council recognised this risk, stating that disclosure would be “likely to assist cyberattackers in targeting and attacking the WFRS (Warwickshire Fire and Rescue Service) network and its users”.
University Hospitals Birmingham invoked Section 24 — national security — stating that disclosure “would make the UK or its citizens more vulnerable”. Other comparable organisations disclosed the same information without hesitation.
The inconsistency is not random. It reflects organisations making high-stakes judgment calls without guidance on what constitutes acceptable risk.
Three patterns stand out.
The size paradox. Large organisations with dedicated legal teams frequently refuse requests or claim an inability to provide data. University Hospitals Birmingham, one of England’s largest trusts, withheld information on grounds of national security. Smaller organisations often provide comprehensive responses. This is not about sophistication. It is about large organisations defaulting to denial when uncertain, while smaller ones default to transparency.
Accountability displacement. In federated structures, governance bodies routinely distance themselves from operational responsibility. Multiple police and crime commissioners responded that cybersecurity information “is not held — this is managed by the force” or by regional alliances. One trust stated “information not available” when asked about its basic governance framework — an extraordinary admission given that Data Security and Protection Toolkit (DSPT) compliance is mandatory. The bodies nominally responsible for oversight cannot demonstrate they are exercising it.
Compliance theatre. Perfect scores on mandatory training and completed audits coexist with minimal board attention to cyber risk. One organisation achieved full compliance on all standard metrics — yet cybersecurity reached the governing body’s agenda only twice in two years. The frameworks measure the presence of controls, not the quality of oversight.
What the government should do
The solution is not to weaken FOI. It is to replace chaotic transparency with calibrated transparency — strategic about what to disclose and what to protect.
The Cabinet Office and the Department of Science, Innovation and Technology should issue explicit guidance distinguishing three categories of cybersecurity information:
Governance processes should default to disclosure. The public has a legitimate interest in knowing that a board audit committee meets quarterly with cyber as a standing agenda item. This creates accountability without enabling gaming.
Aggregate outcomes should also be disclosed. Knowing that an organisation experienced 12 incidents last year, with three classified as critical, serves the public interest. The marginal gaming value to attackers is low.
Operational parameters — escalation thresholds, detection criteria, specific system configurations — should be protected. Here, gaming risk genuinely outweighs the transparency benefit.
This framework increases accountability rather than reducing it — by requiring explicit justification for every non-disclosure. The Information Commissioner’s Office should update its Section 24 exemption guidance to require organisations invoking national security to demonstrate which category applies and why the gaming risk outweighs the transparency benefit in the specific case.
While awaiting central guidance, board members should ask: could our FOI responses about cyber governance be read as instructions for attacking us? Governance teams should assess whether they have disclosed operational parameters that should be protected or refused governance information that should be disclosed. Documenting these choices creates an audit trail and builds the evidence base for formal government guidance.

WannaCry demonstrated what happens when cyber governance fails at scale. Since then, compliance has improved, but board-level attention has not kept pace. Organisations tick boxes on training and audits while cyber risk evolves faster than governance structures can respond.
FOI inconsistency is a symptom of this deeper problem: public sector organisations are expected to navigate complex transparency-security trade-offs without the tools to do so. The government designed FOI to enable accountability. That same government now needs to design the choice architecture that makes accountability compatible with security.
Until it does, chaotic FOI responses will continue — and some will continue to arm the very adversaries we are trying to defend against.

Vsevolod Shabad is a principal enterprise architect and cybersecurity leader with experience as CIO, CISO, and board adviser across critical infrastructure and financial services. He holds CISSP and CCSP certifications and is a Fellow of the BCS.