This article, written in reaction to the DSIT Cyber Policy 2025, traces the uneven history of the UK’s cyber economy. From CESG’s secretive assurance role to NCSC’s public authority and DSIT’s contested remit, the story is one of incremental gains but persistent churn. Programmes such as Cyber Essentials, CyberFirst, CyberASAP, Cyber Runway, and Cyber Resilience Centres have delivered value but lacked continuity, scale, and coherence. Unless the government commits to stabilisation and long-term delivery, the UK will continue to recycle initiatives rather than build a durable cyber base.
Introduction
The United Kingdom’s cyber economy has developed unevenly over the past three decades, shaped by national security imperatives, shifting ministerial responsibilities, and episodic injections of political capital. This article traces the evolution of UK government (HMG) support for the cyber sector: from the Communications-Electronics Security Group’s (CESG) closed assurance functions, through the creation of the National Cyber Security Centre (NCSC), to the growth-oriented initiatives of the 2010s and 2020s, including Cyber Essentials, CyberFirst, CyberASAP, Cyber Runway, Cyber Resilience Centres, and UKC3. It argues that the UK’s cyber policy has been characterised less by continuity than by fragmentation and churn, with overlapping schemes launched and abandoned, and departmental turf wars between DCMS, DBT/BEIS, and DSIT. The resulting landscape is one of partial successes—internationally respected expertise, baseline certifications, emergent regional clusters—but also unrealised potential, particularly in SME adoption and long-term programme stability.
1. Origins: CESG and the Era of Assurance (Pre-2010)
The roots of the UK’s cyber posture lie in the Communications-Electronics Security Group (CESG), the National Technical Authority for Information Assurance within GCHQ. CESG’s remit was primarily defensive, focused on the assurance of classified government systems. It approved products for use in sensitive domains—such as the Home Office’s border control systems—through schemes such as CAPS (CESG Assisted Products Service).
Parallel initiatives included:
- CHECK (1990s–): a government-approved penetration testing scheme for critical systems.
- Tiger Scheme (2001–2013): designed as a commercial certification for penetration testers outside of CHECK. It ultimately lacked scale and credibility, later eclipsed by CREST and private-sector accreditations.
At this stage, “cyber” was seen through a national security lens. Economic or industrial policy was peripheral, if present at all.
2. Strategic Awakening (2010–2015)
The first UK National Cyber Security Strategy (2011) marked the beginning of cyber as an explicit policy domain. It positioned cyber both as a security risk and as an economic opportunity, though implementation leaned heavily toward national defence.
Key developments:
- Cyber Essentials (2014): Introduced as a baseline security certification for SMEs, managed initially by IASME. Its ambition was universal SME adoption; its reality, more modest (c.45,000 certificates by 2025, against a base of ~6 million UK firms).
- Ministerial Custody: Policy responsibility sat with the Department for Business, Innovation and Skills (BIS) and later DCMS as “digital” was appended to its portfolio. This created early fissures between “growth” (BIS/DCMS) and “security” (CESG/GCHQ).
Despite high-level strategy, delivery mechanisms remained fragmented.
3. The NCSC and Public-Facing Cyber (2016–2020)
The establishment of the National Cyber Security Centre (NCSC) in 2016 represented a watershed. CESG was subsumed into NCSC alongside parts of CPNI and other cyber units, creating a single public-facing authority under GCHQ.
NCSC innovations included:
- Cyber Assessment Framework (CAF): A structured approach to assurance for critical national infrastructure.
- CyberFirst (2016–): Flagship youth pipeline programme offering bursaries, summer schools, and apprenticeships.
- Public-Facing Advice: A marked cultural shift, positioning GCHQ expertise in service of SMEs, boards, and citizens.
This was the first genuine attempt to position cyber security as both a public good and a national industrial capability. By the start of the 2020s, attention shifted from resilience to growth, as the government sought to frame cyber not only as a security imperative but as an economic engine.
4. The Era of Growth Programmes (2020–2023)
By the early 2020s, cyber was increasingly reframed as a driver of economic growth.
- CyberASAP (2017–): “Cyber Academic Start-Up Accelerator Programme,” funded by DCMS and Innovate UK, bridging university research to market. Notable for fostering early-stage spinouts, though funding was modest.
- Cyber Runway (2021–): Branded as the UK’s largest cyber accelerator, operated by Plexal with partners. Positioned as a follow-on from CyberASAP, but suffered from limited continuity: by 2024/25, procurement was uncertain, raising concerns about HMG’s commitment.
- NCSC for Startups (2017–2023): Launched with Plexal, providing start-ups access to NCSC expertise. Widely celebrated, but quietly retired; a victim of shifting budgets and overlapping programmes.
- Cyber Resilience Centres (CRCs): Emerging from the Police Digital Service, CRCs aimed to provide affordable SME security via regional hubs. Modelled on police-business partnerships, they have raised awareness but struggled with long-term sustainability.
- UKC3 (2021–): The UK Cyber Cluster Collaboration was created to coordinate regional clusters (e.g., Hub8 in Cheltenham, Plexal in London, CSIT in Belfast). It signalled recognition of bottom-up innovation ecosystems.
This period was also marked by significant departmental flux. DCMS retained cyber industry policy, while BEIS (later DBT) controlled innovation funding. The tension was clear: economic levers sat with DBT/Innovate UK, narrative framing with DCMS, resilience with NCSC. This set the stage for the creation of DSIT in 2023, which was intended to consolidate responsibilities but in practice introduced fresh tensions between growth and resilience.
5. DSIT and the Churn of Programmes (2023–2025)
The creation of the Department for Science, Innovation and Technology (DSIT) in 2023 sought to consolidate responsibility. In theory, DSIT aligned digital, science, and cyber policy. In practice, it reinforced the duality: NCSC (resilience, under GCHQ) vs DSIT (growth).
Notable dynamics:
- Cyber Runway’s uncertain renewal (2024–25) left a vacuum in scale-up support.
- CyberFirst rebrand to TechFirst (2025–) reflected attempts to broaden skills pipelines beyond cyber. Critics argue this risks diluting focus.
- Cyber Essentials at 10 years (2024): Despite the scheme being promoted, adoption remained low relative to the SME base.
- Cyber Resilience Bill (2025) and PSTI regime (2024) showed regulatory muscle, yet SMEs often lacked capacity to comply.
This phase exemplified the volatility of HMG cyber support: celebrated pilots (Runway, NCSC for Startups) were not institutionalised; schemes proliferated without clear sequencing (CyberASAP vs Runway vs Startups); and metrics remained sparse.
6. Assessment
The UK has succeeded in:
- Establishing the NCSC as a globally respected authority.
- Embedding Cyber Essentials as a recognisable baseline (if modest in uptake).
- Supporting academic-commercial pipelines (CyberASAP) and regional ecosystems (clusters, CRCs).
But it has struggled with:
- Continuity: Programmes launched, celebrated, then abandoned (Tiger, NCSC for Startups, uncertain Runway).
- Coherence: Overlaps between DCMS, DBT, DSIT, and NCSC blurred accountability.
- Scale: SME penetration of certifications remains low; skills initiatives are patchy; accelerators are fragmented.
- Sovereignty: Foreign acquisitions of UK cyber firms raise concerns about retaining domestic capability.
Conclusion
The history of the UK’s cyber economy is one of incremental gains against a backdrop of institutional churn. From CESG’s secretive assurance, through NCSC’s public authority, to DSIT’s contested policy space, the journey illustrates competing imperatives: security vs growth, centralisation vs regionalism, continuity vs novelty.
The challenge ahead is stabilisation: moving from episodic, politically contingent programmes to a platform approach that compounds rather than fragments. Without that, the UK risks eroding both resilience and competitive advantage in a domain that underpins national sovereignty. The publication of the DSIT Cyber Policy 2025 provides a moment of reckoning, an opportunity to learn from this history of churn and to finally commit to long-term, practitioner-led foundations for the UK’s cyber economy.