UK Cyber at a Crossroads: Three Essays on Policy, Practice, and Growth, in Reaction to the 2025 Cyber Growth Action Plan

The UK’s cyber policy has made progress but suffers from churn, overlap, and regional imbalance. The 2025 Cyber Policy sets out ambition but lacks continuity and practitioner voice. This three-part series traces the history, critiques the new policy, and argues for a practitioner-led, regionally balanced ecosystem to finally stabilise the base.

This series of three articles is both a culmination of ideas and a direct reaction to the 2025 Cyber Growth Action Plan. That report sets the tone for the next phase of government intervention in cyber, but it also leaves key questions unanswered. The articles that follow are my attempt to provide a practitioner-led response: part history, part critique, part roadmap.

The Three Articles

The UK’s cyber landscape is at a turning point. Over the last two decades, we’ve seen an alphabet soup of programmes, overlapping remits, regional imbalances, and policy churn. Some progress has been made — but the question remains: how do we stabilise the base and build a cyber ecosystem that is resilient, inclusive, and globally competitive?

To answer that, I’ve written a three-part series; together, these pieces are intended as an anchor: both a critical reflection and a constructive roadmap. They challenge policy orthodoxy while offering a practical, practitioner-led vision for what comes next.

Article 1 – A Potted History of UK Cyber Policy and Economy

A Potted History of the UK’s Cyber Economy: From Secrecy to Sector

Traces the arc from CESG to NCSC, Cyber Essentials, CRCs, and accelerator schemes like Cyber Runway and Cyber ASAP. It highlights the stop–start cycles, the legacies of abandoned programmes, and the enduring gaps.

Article 2 – The 2025 Cyber Policy: Review and Critique

Reviewing the 2025 UK Cyber Policy Paper: Promise, Blind Spots, and the Challenge of Continuity

Reviews the government’s latest cyber policy paper. It sets out what the policy gets right — resilience framed as growth, safe havens, and a one-team narrative — and what it misses, including metrics, continuity, and practitioner voice.

Article 3 – Stabilising the Base: Towards a Practitioner-Led UK Cyber Ecosystem

Stabilising the Base: From Patchwork to Platform in the UK Cyber Ecosystem

Brings it all together. It argues that the UK must end churn, rebalance regions, unlock university IP, and put practitioners in the lead. Only then can we create hubs and networks that drive resilience and growth at scale.

My Findings Across the Three Articles (TL;DR)

Over two decades, the UK’s cyber policy has been defined less by continuity than by churn. We’ve seen CESG evolve into NCSC, Cyber Essentials introduced and sustained but with limited adoption, and programmes like CHECK, Tiger Scheme, and NCSC for Startups either diluted or abandoned. This stop–start cycle leaves enduring gaps in resilience and growth (Article 1).

The 2025 Cyber Policy makes some big strides: it frames resilience as a driver of growth, pushes for safe environments and havens for testing, and sets out a “one team” vision. But it also misses critical elements: measurable outcomes, continuity of effort, and, above all, the voice of practitioners. Without those, policy risks becoming another layer of rhetoric (Article 2).

The way forward is clear: stabilise the base. That means ending programme churn, addressing regional inequity, unlocking university IP, and building practitioner-led hubs with credibility rooted in delivery. If government focuses on convening and enabling, and leaves product-building to the market, the UK can create a cyber ecosystem that is both resilient and globally competitive (Article 3).

In short: we’ve made progress, but we’ve wasted too much by reinventing the wheel. The new policy has promise, but unless practitioners lead and regions are empowered, we’ll be back here again in five years asking the same questions.

The West Midlands as a Beacon

The goals of the West Midlands Cyber Working Group (WM CWG) and the emerging West Midlands Cyber Hub align closely with the new 2025 Cyber Policy Review. Where the policy sets out aspirations, the WM CWG is already putting them into practice.

  • One team, many voices: The WM CWG convenes practitioners, SMEs, universities, public bodies, and community groups — exactly the cross-sector collaboration called for in the policy’s “one team” principle.
  • Safe environments: The WM Cyber Hub is designed as a safe haven: a space for students, startups, enterprises, and public sector partners to test, co-create, and role-play responses to real-world cyber challenges.
  • Regional rebalancing: While Cheltenham, London, and Manchester benefit from long-standing ties to national agencies, the West Midlands demonstrates how a practitioner-led hub can close the gap in underserved regions.
  • Growth through community: The WM CWG’s aims — to increase inbound investment, build a Cyber Festival, celebrate diversity, and explore future-facing domains like cyber psychology, quantum, and AI — translate national rhetoric into local impact.
  • Practitioner-led credibility: Above all, the WM Hub is not policy-driven or consultant-run; it is led by practitioners with lived experience of scanning, building, and delivering. That credibility is its anchor and its differentiator.

In this sense, the WM CWG and Hub can act as a beacon model: a demonstration that national ambitions can be realised if grounded in regional leadership, practitioner delivery, and community inclusivity. Rather than waiting for perfect policy frameworks, they show what “pulling together” actually looks like in practice.

If national government wants proof that its cyber policy can succeed, it need only look to the West Midlands.

Why I’m Responding

This series isn’t written in a vacuum. Over the past few years, I’ve contributed to and critically reviewed several national consultations and initiatives that directly shape the UK’s cyber landscape:

Each of these earlier pieces helped surface practitioner concerns and shaped my perspective. This series builds on that foundation, acting both as a continuation of my prior analyses and as a direct response to the 2025 Cyber Policy Review.

Am I Being Fair? – Checks and Balances

Before closing, it’s essential to highlight the assumptions underlying this analysis. In practice, this means asking five critical questions.

Am I Missing Something?

Every analysis leaves something out. Here, one area often overlooked is the role of professional membership bodies — the BCS, IET, CIISec, and the UK Cyber Security Council. They are less visible than NCSC or DSIT, but they represent standards, certifications, and professionalisation efforts. Omitting them would leave the account open to the charge of ignoring an entire layer of the ecosystem.

What Are Others Doing Abroad?

To test the UK’s position, we need to look outward:

  • United States: CISA integrates policy and operations, publishing live dashboards and “Known Exploited Vulnerabilities” lists — practitioner-facing and transparent.
  • European Union: ENISA anchors NIS2 and the Cyber Resilience Act, creating enforceable obligations for SMEs and suppliers.
  • Israel: Long-term continuity through integration of military, academia, and industry, with Unit 8200 spinoffs fuelling innovation.
  • Singapore: A single Cyber Security Agency with both policy and operational remit, designed for durability.

The UK’s model looks fragmented by comparison — but practitioner-led regional hubs, such as those emerging in the West Midlands, echo approaches in Canada (provincial hubs), the US (state ISACs), and Germany (Fraunhofer institutes).

Will Technologists Flush It Away?

This asks whether practitioner-led regional models will be dismissed by the technical community as irrelevant or unsustainable. The answer is: not if credibility is demonstrated. Practitioners respect practitioners. What fails is when consultants or policymakers try to “own” delivery. Hard evidence — number of SMEs engaged, scans completed, or skills delivered — is the currency that sustains respect.

Checks Against Elitism

The UK has clear centres of “cyber affluence”: Cheltenham, Manchester, Bristol, London. They thrive because of proximity to national agencies and historic investment. The challenge is not to resent these hubs, but to replicate their success elsewhere. A fair critique would be that this series leans heavily on regional arguments — but that is deliberate, as regional equity is one of the UK’s unresolved weaknesses.

My Own Bias

This work is written through a practitioner’s lens: building startups, running scans, and convening regional networks. That perspective cuts through policy jargon, but it also risks under-valuing the slower, less visible contributions of standards-setting, compliance, and academic governance. Acknowledging this bias is essential: it is both a strength and a limitation.

Conclusion

The 2025 Cyber Policy Review sets the agenda for the next phase of the UK’s cyber journey, but whether it succeeds depends on how we respond. This series has traced the history, critiqued the new policy, and proposed a practitioner-led, regionally balanced model to stabilise the base.

My view is clear: progress has been made, but unless continuity is established, regions are empowered, and practitioners lead, the UK will keep repeating the same cycle. The West Midlands shows what can be done differently — and if national government is serious about building resilience and growth, it should look to practitioner-led hubs as the way forward.