This article argues that stabilisation must be the UK’s priority. Drawing together the lessons of history and the critique of the DSIT Cyber Policy 2025, it calls for a practitioner-led ecosystem that ends programme churn, addresses regional imbalance, unlocks university IP, and resists government attempts to build commercial products. The vision is of hubs and networks rooted in delivery and credibility — a cyber base resilient enough to sustain long-term growth. Unless these foundations are secured, the UK will remain trapped in cycles of ambition without durability.
Contents
- Introduction
- 1. The Geography of Cyber Affluence
- 2. Fragmentation and Churn
- 3. The Regional vs. Central Tension
- 4. Workforce, Neurodiversity, and Inclusion
- 5. Innovation, Exploitability, and IP
- 6. Towards Stabilisation
- 7. Beyond Stabilisation and towards the Diamond Standard
- Alignment, Dissonance, and the Practitioner-Led Model
- The Practitioner-Led Model: A Role-Model for Stabilisation
- Conclusion
Introduction
The UK cyber ecosystem is caught in a paradox. It is globally respected for its technical capability, its signals intelligence heritage, and the intellectual capital of its researchers, yet domestically it is plagued by programme churn, regional inequality, and institutional overlap. London, Cheltenham, and Manchester enjoy “cyber affluence,” while large parts of the UK remain underserved, with cyber relegated to a subset of “digital,” itself a subset of “tech.” This article argues that the UK must stabilise its cyber base by confronting three tensions: (1) centralism vs. regionalism; (2) resilience vs. growth; and (3) public-sector overreach vs. market development. It proposes a new model of continuity, evidence, and coherence, designed to position the UK as not just a player but a global exemplar — a diamond in the international cyber economy.
1. The Geography of Cyber Affluence
The UK’s cyber map is deeply uneven. Cheltenham thrives by proximity to GCHQ and NCSC; Manchester has the National Cyber Force and DISH; London dominates as a financial and policy centre. These are “cyber affluent” zones — places with density of expertise, anchor institutions, and privileged access to funding streams.
Elsewhere, cyber remains two levels down the food chain: a subset of digital, itself a subset of tech. Regional councils may fund “digital officers,” but cyber rarely has its own line. This structural marginalisation undermines resilience and growth. The West Midlands, Yorkshire, and the South West are cases in point: large populations, significant universities, and industrial bases, but starved of inbound cyber investment.
Diagnosis: Without correcting this affluence bias, regional hubs like the West Midlands Cyber Hub will always be running uphill against Cheltenham or Manchester’s head start.
2. Fragmentation and Churn
The stop–start cadence of UK cyber programmes creates instability:
- CyberFirst → TechFirst: rebrands without addressing elitism or regional imbalance.
- Cyber Runway: launched in 2021, evaluated in 2023, unprocured in 2025.
- NCSC for Startups: hailed as a model, retired in 2023.
- CyberASAP: still running, but with constrained budgets.
- Cyber Essentials: 45,000 certifications after 10 years — a fraction of the UK’s business base.
Worse, government departments increasingly build products that compete with industry — e.g., NCSC’s services overlapping with private vulnerability tools; Police CyberAlarm duplicating monitoring products. These are cost centres muscling into commercial domains, distorting markets rather than enabling them.
Diagnosis: Churn wastes trust. Duplication undermines market confidence.
3. The Regional vs. Central Tension
NCSC sees the world as Cheltenham–London–Manchester. The cyber community sees it as Yorkshire, West Midlands, Scotland, Wales. The government’s geography is not the community’s geography.
Programmes like Cyber Local are meant to empower regions, yet their governance is fragmented. Reviews are conducted in silos, without peer review or shared quality benchmarks. Instead of learning from each other, regions duplicate effort — or worse, compete.
Diagnosis: Without a community of practice across Cyber Local regions, innovation is stifled, review quality is uneven, and DSIT learns less about what truly works.
4. Workforce, Neurodiversity, and Inclusion
Cyber is not simply a technical field. It is sociotechnical, psychological, behavioural. Yet industry and policy continue to frame it as a subset of digital engineering. This blinds the sector to its most powerful assets:
- Neurodivergent talent: ADHD curiosity, autistic focus — the duality of rapid ideation and deep pragmatism.
- Gender inclusion: Women remain underrepresented, despite evidence of diverse teams outperforming homogeneous ones.
- Graduate mismatch: Employers complain of shortages but fail to hire newly minted graduates for lack of “experience.”
Diagnosis: The talent pipeline is not a shortage but a misalignment. Policy needs to focus less on generating raw numbers and more on aligning demand with available supply.
5. Innovation, Exploitability, and IP
The UK has produced world-class research, but university IP often languishes. Academics are rewarded for papers, not commercialisation. Spin-outs are hamstrung by licensing terms that enrich universities but starve founders. Programmes like CyberASAP help, but IP culture remains a drag.
At the same time, some innovation centres operate as rent-seeking machines: tax arbitrage, inflated valuations, mentors dipping equity slices. CyLon (Cyber London) promised community but leaned into extraction.
Diagnosis: Without reforming IP transfer and demanding transparency from accelerators, the UK risks being a farm for foreign acquirers, not a sovereign cyber powerhouse.
6. Towards Stabilisation
Stabilising the base requires three commitments:
- Continuity — End the cycle of pilots and rebrands. Institutionalise long-term funding streams for accelerators, CRCs, and CE.
- Evidence — Publish dashboards: CE adoption, CRC engagement, accelerator outcomes, regional distribution. Replace slogans with numbers.
- Coherence — Resolve institutional overlaps (NCSC vs DSIT), merge CRCs with clusters, embed regions in national strategy.
Concrete Mechanisms
- A Cyber Growth & Resilience Ledger: annual publication tracking adoption, funding, outcomes across programmes.
- A Venture Passport: a structured pipeline (CyberASAP → Runway → NCSC Startups) with transparent continuity.
- Regional Hub-and-Spoke: validate local hubs (WM, Scotland, Wales) as peers, not satellites, of Cheltenham and London.
- IP Liberation Charter: mandate fair licensing and sovereign funding for university spin-outs.
- Market Integrity Clause: government departments should enable markets, not compete with them.
7. Beyond Stabilisation and towards the Diamond Standard
The UK has the ingredients: research excellence, intelligence pedigree, and entrepreneurial spark. But without stabilisation, it remains a patchwork of pilots, rebrands, and duplications. To become the diamond of the world — durable, brilliant, multi-faceted — the UK must:
- Treat cyber as its own sector, not a digital subcategory.
- Rebalance cyber affluence by investing in underserved regions.
- Align workforce supply and demand through inclusivity and neurodiversity.
- Reform IP regimes and hold accelerators accountable.
- Stop government departments from competing with industry.
Stability, evidence, and coherence are not optional. They are the preconditions for the UK to lead in cyber not just as a defensive necessity, but as a sovereign growth engine.
Alignment, Dissonance, and the Practitioner-Led Model
Agreement with the 2025 Cyber Policy
There are points of genuine alignment:
- Resilience and growth as one coin — Yes. Cyber is not a cost-only exercise; it’s a growth engine and a sovereign capability.
- Safe environments — Yes. Co-creation spaces and sandboxes matter, and they should exist outside the “classified only” silos of Cheltenham.
- One-team mentality — Yes. The UK cyber sector needs to act with coherence, and building social capital is critical.
- Regional investment — Yes. The nods to DISH, Hub8, and the idea of “growth centres” are steps in the right direction.
Disagreement with the 2025 Cyber Policy
But there are sharp points of divergence:
- Programme churn ignored — The policy acts as if the last 15 years of pilot → rebrand → abandonment didn’t happen. NCSC Startups, Cyber Runway, Runway’s non-procurement in 2025 — these matter.
- Metrics absent — Without adoption dashboards (Cyber Essentials uptake, CRC engagement, accelerator outcomes), claims of impact are hand-waving.
- Regional inequality unaddressed — Cyber affluence zones (London, Cheltenham, Manchester) are entrenched; places like the West Midlands, Yorkshire, and the North East remain underfunded.
- Practitioner voice missing — The policy is drafted by policymakers and consultants, not practitioners who deliver security, run scans, or build companies. That gap erodes credibility.
- Market distortion — Government still builds services that should be left to the private sector, competing with industry rather than enabling it.
The Practitioner-Led Model: A Role-Model for Stabilisation
The UK does not need another programme designed in Whitehall. It needs practitioner-led hubs — rooted in lived cyber expertise, not policy handbooks or consultancy slide decks.
A practitioner-led hub has three defining features:
- Credibility — When industry founders, security engineers, academics, and resilience practitioners lead, trust follows. SMEs, corporates, and boards engage because they hear from people who do, not people who project manage.
- Capability — Practitioners know where the pain points are: adoption bottlenecks, skills mismatches, the CE vs. SME dilemma. They can design interventions that work.
- Connectivity — Practitioners are already embedded across clusters, CRCs, accelerators, and universities. A hub of networks, not a siloed centre, is how regions like the West Midlands can truly scale.
Such a hub becomes not just a venue but a cyber network of networks: a convening point for clusters, CRCs, SMEs, corporates, universities, and local government. It channels regional funding into tangible cyber outcomes, while contributing back into the national “one team” picture.
This is not theory. It is the ideal role model: regional, practitioner-led, and networked. It shows how cyber should be stabilised — not by programme churn from the centre, but by compounding social capital at the edge.
Conclusion
To stabilise the UK cyber base, we need more than aspirations from policy papers. We need practitioner-led, regional hubs of networks — credible, capable, and connected. These hubs are the living embodiment of “one team,” not because Whitehall declared it, but because practitioners build trust across boundaries every day.
It is telling that the 2025 Cyber Policy was authored by the University of Bristol. Bristol has real strengths — proximity to GCHQ, MARD, IBM, and a world-class university cluster. They are not neutral actors; they have skin in the game, and to their credit they would likely admit it. But we must recognise this for what it is — another instance of policy narratives being written from centres of affluence. Where is Cambridge? Where is Aston, Warwick, or Manchester Metropolitan? Why does Bristol become the mouthpiece? This is not a critique of their quality but a call for balance: a national cyber strategy should not be written solely from cyber-affluent postcodes.
The alternative model — the role model — is practitioner-led and regionally rooted. In the West Midlands, the Cyber Working Group has defined its aims clearly:
- Inbound investment — to shift the balance of cyber capital into regions outside London and Cheltenham.
- Community building — to grow the cyber community into a cohesive, self-reinforcing network.
- Celebration and visibility — a Cyber Festival that showcases cyber in all its diversity, from engineers to artists, from neurodivergent practitioners to women leaders.
- Cyber futures — advancing conversations on cyber psychology, quantum, AI weaponisation, and the inevitable rise of automation in tools that will reshape workforce demands.
- Spaces for everyone — hubs that are not just for “nerds,” but for communities, students, SMEs, and corporates; spaces that convene and democratise cyber.
This is the model that must replace the stop–start, centrally scripted cycle of initiatives. It integrates professional bodies, non-graduate skills routes, assurance frameworks, and civil society confidence. It acknowledges the affluence bias of centres like Bristol while showing how other regions can build credible alternatives.
In short: stabilisation will not come from another rebranded programme. It will come from a practitioner-led movement, grounded in the regions, tied into the national strategy, and measured by evidence. Without it, the UK will continue to lurch from pilot to pilot, losing both trust and competitive edge. With it, the UK can become the diamond of global cyber: brilliant, resilient, multi-faceted — and genuinely national.