Cyber, Growth, and Regional Futures: A Comparative Synthesis of Four 2025 Reports

Leave a Reply

2025 has seen an unprecedented wave of reports shaping the UK’s cyber and growth agenda: DSIT’s Cyber Growth Action Plan 2025, WMCA’s Futures Green Paper, the Tech Nation Report 2025, and the Midlands Engine Cyber & Defence Report. Each has strengths, each identifies real challenges, but taken together, they reveal fragmentation, regional imbalance, and an absence of practitioner voice. Added to this mix is the Cyber Security Skills in the UK Labour Market 2025 report, which provides the hard numbers: 143,000 in the workforce, a shortfall of 3,800, and critical gaps in specialisms such as forensics, secure architecture, and testing. This article compares the five reports, critiques their blind spots, and sets out a practitioner-led roadmap rooted in the West Midlands. The central argument is simple: cyber must be treated as economic infrastructure, not as an afterthought of “digital” or “defence”.

Contents

Table of Contents

Executive Summary (TL;DR)

2025 has delivered five major reports shaping the UK’s cyber and growth agenda: DSIT’s Cyber Growth Action Plan, WMCA’s Futures Green Paper, the Tech Nation Report, the Midlands Engine Cyber & Defence Report, and the Cyber Security Skills in the UK Labour Market 2025. Each identifies real challenges and opportunities, but none is sufficient on its own.

Taken together, they reveal fragmentation and imbalance. London remains dominant, regions like the West Midlands are underpowered, governance is thin, and the UK’s chronic stop–start policy culture continues to undermine continuity.

The Cyber Security Skills Report is pivotal. It provides the hard numbers, a workforce of 143,000, a shortfall of 3,800, and acute gaps in specialisms such as forensics, secure architecture, and testing. It makes clear that talent is the binding constraint on every other ambition.

What is missing across the reports is a practitioner-led roadmap: hubs, unified governance, a funding concierge for SMEs, skills conversion pathways, benchmarking, and narrative reform, plus innovation pipelines that move beyond pilots to platforms. These are the elements that can anchor delivery in practice rather than rhetoric.

The central argument is simple. Cyber must be treated as economic infrastructure, not an afterthought of “digital” or “defence.” Only then can the UK deliver growth that is resilient, inclusive, and globally competitive.

The ten-point plan set out here offers a clear roadmap for the West Midlands Cyber Hub to become the exemplar: a beacon that proves cyber can be anchored as true economic infrastructure. If the region gets behind it, the West Midlands can set the agenda for the UK, leading with continuity, credibility, and community instead of more churn.

Introduction

2025 has become a policy-heavy year for UK cyber and regional growth. In just a few months, four flagship documents landed: DSIT’s Cyber Growth Action Plan 2025, WMCA’s Futures Green Paper, the Tech Nation Report 2025, and the Midlands Engine Cyber & Defence Report. To these, we can now add the Cyber Security Skills in the UK Labour Market 2025 report, which reframes the talent debate.

This is not just a comparison of reports, but a practitioner-led roadmap for how cyber, especially in the West Midlands, must be stabilised as economic infrastructure.

This article does three things:

  1. Provides a structured analysis of each report.
  2. Brings in the skills and wider background.
  3. Sets out comparative findings, critique, and a roadmap for action.

Analysis

2025 is an inflexion point for cyber and technology policy in the UK. In the space of a few months, four major reports have landed: DSIT’s Cyber Growth Action Plan 2025, the West Midlands Futures Green Paper from WMCA, the Tech Nation Report 2025, and the Midlands Engine Cyber & Defence Report. Each is ambitious. Each diagnoses real problems. Yet none is sufficient on its own.

Taken together, they reveal the classic UK pattern: bursts of initiative, overlapping remits, regional imbalance, and a dangerous absence of continuity. The stop–start cycles of the last two decades, from CESG and CHECK, to NCSC Startups, Cyber Essentials, CyberFirst, and countless pilots abandoned midstream, are in danger of repeating themselves.

The Cyber Security Skills in the UK Labour Market 2025 report adds a stark layer of evidence. The UK cyber workforce now stands at around 143,000, with an estimated shortfall of 3,800 roles. This is far smaller than previous years, but the headline hides deeper problems. Demand for cyber roles is slowing, specialist shortages remain acute (forensics, secure architecture, security testing, threat intelligence), and regional alignment is weak. The skills challenge has shifted from “more people” to “the right people, in the right places, with the right pathways.” Conversion residencies, neurodiverse hiring, and university-to-industry transitions are no longer optional extras; they are the levers that decide whether the ecosystem can grow at all.

These four reports also need to be read against the broader frame. The National Cyber Strategy 2022 remains the UK’s formal anchor, but continuity has been repeatedly broken by policy churn. The UK Cyber Security Council is tasked with professionalisation and certifications, yet struggles to connect with practitioners. Abroad, ENISA (Europe) and CISA (US) offer sharper contrasts: enforceable obligations through NIS2 and the Cyber Resilience Act in the EU, and transparent live dashboards and “Known Exploited Vulnerabilities” lists in the US. Against these comparators, the UK risks appearing fragmented and opaque.

This article provides a structured comparison of the four 2025 reports. It highlights their strengths, calls out their weaknesses, and sets them against the backdrop of the National Cyber Strategy (2022), the work of the UK Cyber Security Council, and international comparators such as ENISA and CISA.

Most importantly, it sets out a practitioner-led roadmap: ten recommendations to anchor cyber in the West Midlands as a standalone economic cluster, supported by governance, investment, hubs, festivals, funding reform, skills conversion, and benchmarking. This roadmap is not a replacement for national policy or regional growth plans; it is the connective tissue that turns rhetoric into delivery.

The merged results are clear: the UK has scale, talent, and FDI momentum, but it lacks continuity, practitioner credibility, and regional balance. The West Midlands can show the way, but only if cyber is treated not as an afterthought of “digital” or “defence,” but as critical economic infrastructure.

DSIT Cyber Growth Action Plan 2025

Resilience as a driver of prosperity.

The 2025 Cyber Growth Action Plan sets out a bold vision for the UK cyber economy, positioning growth, resilience, and value for money as interdependent objectives. It echoes themes from prior strategies yet underplays the historical volatility of government programmes, the institutional frictions between NCSC and DSIT, and the limited adoption of flagship schemes such as Cyber Essentials and Cyber Runway.

Strengths

  • Frames resilience as a driver of economic growth.
  • Commits to safe environments and havens for testing.
  • Emphasises a “one team” national narrative.
  • Positions the UK as a global leader in standards and assurance.

Weaknesses

  • Light on continuity: repeats ambitions voiced in 2011, 2016, 2022.
  • Missing practitioner voice: shaped by policymakers, not operators.
  • Absent metrics: goals set, but no KPIs or binding accountability.
  • Regional blind spot: London, Cheltenham, Manchester dominate the imagination.

Commentary

The DSIT Cyber Growth Action Plan 2025 is aspirational but risks becoming another rhetorical layer. Its vision of “resilience as growth” is sound, but the delivery mechanics are absent. There is no binding continuity with the 2022 National Cyber Strategy; instead, we see familiar churn. For practitioners, the frustration is palpable: endless policy cycles, while SMEs still lack basic controls, and cyber hubs struggle for funding.

Analysed in depth in my articles:

WMCA West Midlands Futures Green Paper (2025)

Growth for Everyone.

The West Midlands Futures Green Paper (2025) sets out a ten-year pathway to “Growth for Everyone,” anchored in six interlocking components: (1) high-growth clusters and innovation, (2) business leadership and investment, (3) the everyday economy, (4) places (including a new Spatial Development Strategy), (5) people and skills, and (6) economic networks and narrative.

Strengths

  • Honest diagnosis of the productivity gap (GVA/hour £34.50 vs £39.50 UK).
  • Six-component structure: clusters, leadership, everyday economy, place, people, institutions.
  • Strong focus on FDI (127 projects in 2023, 7th in Europe).
  • Realism about polycentric geography: corridors, SDS, densification.
  • Governance upgrades: new economic vehicle, annual summit.

Weaknesses

  • Overweights AI: risks making AI the talisman while ignoring cyber.
  • Underweights cyber: no treatment of cyber as economic infrastructure.
  • Lacks operational sharpness: outcomes without KPIs or delivery ledgers.
  • Thin treatment of supply chains: acknowledges Tier-1 weakness, but no mechanism to build depth.

Commentary

The Green Paper is the most honest regional strategy for years, but it makes the classic error: cyber is treated as a subset of digital, buried under AI hype. In reality, cyber is the foundation of everything the Green Paper champions: EV/battery supply chains, cleantech systems, health and med-tech, digital public services, and FDI confidence. Without cyber, none of it stands. The omission is glaring.

Analysed in depth in my articles:

Tech Nation Report 2025

Unlocking the UK’s growth potential.

The Tech Nation Report 2025 reaffirms the UK’s position as Europe’s number one tech ecosystem, with a combined market valuation of $1.2 trillion and more than 17,000 VC-backed startups. Growth continues at a 12.5% CAGR, outstripping European peers and making the UK larger than France and Germany combined.

Strengths

  • Captures the scale of the UK tech ecosystem: $1.2 trillion valuation.
  • Robust evidence base: 17,000 VC-backed firms, $7bn raised H1 2025.
  • Honest about capital gaps, talent shortages, and exit constraints.
  • Highlights London dominance but recognises fast growth in Scotland, East of England.

Weaknesses

  • London-centric: 59% of ecosystem value concentrated in the capital.
  • Over-concentration on AI and deep tech.
  • Ignores foundational sectors like cyber and SaaS.
  • Recommendations vague: sovereign wealth and tax incentives noted, but no design detail.
  • Underplays domestic reskilling and talent retention.

Commentary

Tech Nation remains the gold standard for data on UK tech, but its narrative continues to flatter London and AI. For practitioners in Birmingham, Wolverhampton, or Coventry, the report feels remote. It misses the messy reality of SMEs, underfunded hubs, and spin-outs trapped in university IP. Without cyber and without regional balance, the Tech Nation narrative risks fragility.

Analysed in depth in my article “Unlocking the UK’s Growth Potential: A Critical and Constructive Review of the Tech Nation Report 2025

Midlands Engine Cyber & Defence Report (2025)

Cyber and defence as strategic assets.

The Cyber & Defence in the Midlands report (available in PDF), commissioned by Midlands Engine, outlines the strengths, challenges, and strategic potential of the Midlands as a national hub for cyber and defence innovation. With over 600 cyber and defence firms, a GVA exceeding £5bn, and a workforce of 54,000, the Midlands is identified as the UK’s largest cyber cluster outside the South East. The report is a comprehensive mapping of the regional ecosystem, from business parks and supply chains to talent pipelines and investment bottlenecks.

Strengths

  • Acknowledges cyber as strategically important.
  • Connects cyber to defence and industry.
  • Attempts to position Midlands as a cyber/defence cluster.

Weaknesses

  • Conflates cyber with digital and defence, muddling the identity.
  • Weak on practitioner voice and operational delivery.
  • No real investment, governance, or community model.
  • Reads as defensive rather than ambitious.

Commentary

The Midlands Engine report is the weakest of the four. It recognises cyber’s importance but fails to articulate a roadmap. Its conflation of cyber with defence dilutes both, and it misses the chance to define cyber as a standalone cluster. For a region with WMG, MTC, UBIC, Aston, BCU, and a deep manufacturing base, this is a missed opportunity.

Deeper analysis here: “Cyber as a Cluster: A Critical Review of the Midlands Engine Cyber & Defence Report (April 2025)“.

Cyber Security Skills 2025 and Background Anchor

The Cyber Security Skills in the UK Labour Market 2025 report reframes the entire debate. Where the four flagship reports talk in generalities about “skills gaps” or “youth inactivity,” this one puts numbers and specialisms on the table.

  • The UK cyber workforce now stands at 143,000, with a shortfall of 3,800 practitioners — smaller than previous years, but still structurally significant.
  • Demand growth has slowed, reflecting broader economic headwinds, but the pressure is concentrated in specialist roles: forensics, secure architecture, security testing, and threat intelligence remain the hardest to recruit.
  • Employers continue to prioritise “experience over certificates,” creating a barrier for graduates and mid-career switchers — a point underplayed in the other four reports.
  • Regional mismatch is stark: training provision is concentrated in London and the South East, while demand is rising in the Midlands, the North, and Wales.

This report exposes what the others omit: that without specialist pipelines and conversion pathways, policy ambitions will stall. It is not enough to say “AI is the driver” or “resilience creates growth” if the workforce to deliver these outcomes does not exist. My deeper analysis of the report is at “Cyber Security Skills in the UK Labour Market 2025: A Critical Analysis“.

The background context reinforces this point. The National Cyber Strategy 2022 remains the official baseline, but continuity has been broken by DSIT’s new policy paper. The UK Cyber Security Council is charged with professionalisation and certification, yet struggles for visibility outside specialist circles. Meanwhile, international comparators show what is missing: ENISA underpins the EU’s NIS2 and Cyber Resilience Act with binding obligations, while CISA in the US publishes live, practitioner-facing dashboards such as the Known Exploited Vulnerabilities (KEV) catalogue. By comparison, the UK approach remains fragmented, opaque, and prone to churn.

Against this backdrop, practitioner-led work in the West Midlands has already been pushing in the right direction. Reviews of the Midlands Engine Cyber & Defence Report, Stabilising the Base, and Cyber as a Cluster have all argued for a unified, practitioner-led model of governance, skills conversion, and community-building. The West Midlands Cyber Hub Diaries and Cyber Collaboration in the West Midlands show how hubs, festivals, and networks can act as visible anchors for delivery.

Taken together, the skills report and this background context underline the central gap across all four 2025 reports: continuity, credibility, and regional balance. Without a skills pipeline, professionalisation, and practitioner leadership, the UK risks repeating the same cycle of ambitious rhetoric and shallow delivery.

Comparative Overview of the Four Reports (with Skills Overlay)

DimensionDSIT Cyber Growth Action Plan 2025WMCA Futures 2025Tech Nation 2025Midlands Engine Cyber & Defence 2025Skills Report Overlay / Comment
Primary FocusNational cyber resilience as a foundation for prosperity; delivery of safe environments and global standards.Regional growth and productivity via six interlocking levers (clusters, leadership, everyday economy, place, people, institutions).Scaling a $1.2 trillion UK tech ecosystem; mapping 17,000 VC-backed firms and £7bn raised in H1 2025.Positioning Midlands as a cyber/defence hub, tied to industrial and security strengths.Skills baseline: ~143,000 workforce, shortfall of 3,800. Workforce growth has slowed — major reports underplay this structural reality.
Core Narrative“Resilience drives growth” and the UK can lead in standards and assurance.“Growth for Everyone” — inclusive, polycentric, corridor-based.“Unlocking the UK’s growth potential” through capital flows and innovation.“Cyber and defence as strategic assets for the Midlands.”Skills narrative adds: growth cannot occur without matching demand to specialist supply; training mismatch undermines all four.
Treatment of CyberCentral, but always framed through threat and resilience lens.Cyber subsumed under “digital/AI,” not recognised as standalone.Barely mentioned; cyber overshadowed by AI and deep tech.Named but blurred with defence and digital, muddling boundaries.Shows the omission is systemic: cyber is either downgraded, conflated, or sidelined — despite it being critical infrastructure.
Talent & SkillsMentions CyberFirst pipeline, visas, and training, but detail thin.Strong on Level-3+ and youth inactivity (9.1% vs 5.5% national).Notes immigration/talent shortages, weak on domestic reskilling.Mentions skills but vaguely, with no delivery plan.Strongest dataset here: specialisms hardest to recruit are forensics, secure architecture, security testing, threat intel. Employers report “experience over certificates” bias.
Regional Focus / EquityImplicitly London/Cheltenham/Manchester; little on Birmingham, Wolverhampton, Coventry.Explicitly polycentric; corridors and SDS recognise Black Country, Coventry & Warwickshire, Solihull.59% of ecosystem value in London; some nods to Scotland and East of England.Midlands-focused but lacks granular delivery detail.Skills data: mismatch sharpest in regions outside London. Supply of training strong in London/South East; demand unserved in Midlands, North, Wales.
Investment / CapitalCommits to “safe havens” for innovation; innovation pilots but no binding mechanisms.FDI momentum (127 projects in 2023, 7th in Europe), plus joint International Strategy.VC/PE-heavy: calls for sovereign wealth, pension capital reform, better exit markets.Weak capital structuring; ambition without detail.Skills shortage flagged as an investment risk: VCs cite lack of specialist teams as barrier to scaling cyber startups.
Governance / Delivery“One team” national ethos but light on binding KPIs; echoes 2011, 2016, 2022.New economic development vehicle, annual Partnership Summit.Frames ecosystem, but no governance mechanism.Very weak: no governance model, no delivery vehicle.Skills report implicitly demands stronger institutional coordination: sector skills councils, accredited pipelines, SME linkages.
Specialisms & Future SkillsBroad, policy-driven, not role-specific.Mentions AI skills and higher-level attainment, but not cyber specialisms.Heavy focus on AI/deep tech; cyber not addressed.Mentions defence and security training in passing.Data points: forensics, secure architecture, and testing most difficult to recruit; AI-cyber fusion (adversarial ML) an emerging gap.
Operational MechanismsSafe environments, standards, some pilots.Growth corridors, brownfield-first housing, SDS.Investment incentives, VC environment, valuations.Reads as aspirational positioning rather than delivery.Skills report: all four lack operational levers to align training with employer demand; highlights absence of paid placements, residencies, and bridging schemes.

Comparison Commentary

Key Takeaways:

  • Cyber invisibility: Three of the four reports either sideline or muddle cyber, despite it being critical. The Skills Report exposes this gap by showing that demand is both specialist and urgent.
  • Talent mismatch: DSIT, WMCA, and Tech Nation all mention “skills” but without acknowledging the depth of specialism shortages. Forensics, architecture, and testing are red-flag areas, and none of the four provides mechanisms to fix them.
  • Regional distortion: WMCA is the only one to explicitly mention polycentricity; the rest are London- or Cheltenham-skewed. Skills shortages map more heavily to the regions, further proof that cyber affluence distorts delivery. Worryingly Tech Nation identify the poor start-up ecosystem support vis-a-vis access to funding in the West Midlands.
  • Governance vacuum: Every report is delivered lightly. The Skills Report calls implicitly for skills alignment institutions — something your roadmap directly proposes.
  • Capital at risk: Tech Nation and WMCA see investment momentum, but without specialists, scaling is blocked. Skills shortages themselves become a capital constraint.

Critique Across The Reports

When you strip away the branding, the graphics, and the consultations, a hard truth emerges: the UK remains stuck in a stop–start cycle of cyber policy and delivery. Each of the 2025 reports captures a fragment of the picture. None provides the whole. And none, on its own, will deliver continuity, credibility, or regional balance.

Stop–Start Culture

The UK has a bad habit of launching schemes, rebranding them, and then abandoning them midstream. From CHECK and the Tiger Scheme, to NCSC for Startups, Cyber Runway, and the short-lived accelerator programmes, the pattern is familiar. Ambition without follow-through. The DSIT Cyber Growth Action Plan 2025 reads like déjà vu from 2011, 2016, and 2022. Continuity, the single most valuable ingredient, is missing.

Cyber Affluence and Regional Inequity

Certain places thrive because of proximity to national institutions: Cheltenham (GCHQ/NCSC), Manchester (DiSH, NCF), Bristol (MOD, QinetiQ, aerospace), and now Milton Keynes (with HMGCC). These are cyber affluent centres. Meanwhile, regions like the West Midlands, with universities, OEMs, and a manufacturing base, are left underpowered. The WMCA Futures report at least acknowledges polycentricity, but even there, cyber is buried beneath AI hype. The imbalance distorts investment, talent flow, and perception.

Practitioner Exclusion

Too much policy is written by officials and consultants, not by those who actually run scans, build products, or respond to incidents. The result? Beautiful strategies that fail at the first point of contact with reality. The Midlands Engine Cyber & Defence report is a classic case: cyber is acknowledged, but the practitioner voice is absent. Instead, we get categories blurred, ambitions diluted, and delivery absent.

Policymakers as Product Builders

Another distortion is government agencies stepping into the commercial space. NCSC’s vulnerability services, Police CyberAlarm, overlap with what the industry already provides. Government is a cost centre, not a product house. When it tries to build, it crowds out innovation, undercuts SMEs, and confuses the market. The role of government is to set policy, standards, and incentives, not to sell tools.

Weak Talent Pipelines

The skills report makes the problem unavoidable: 143,000 in the workforce, 3,800 missing, with shortages in forensics, architecture, testing, and threat intel. Yet employers still insist on “experience over certificates.” DSIT talks visas, WMCA talks Level-3+, Tech Nation talks immigration, Midlands Engine mumbles vaguely, none provide mechanisms to bridge the experience gap. Early-career professionals, returners, and neurodiverse talent are excluded by design.

Benchmarking Deficit

Perhaps the most indefensible gap: no transparent resilience metrics. No regional dashboards. No benchmarking of SME supply-chain maturity. No KPIs on conversion rates or resilience uplift. ENISA has binding obligations, CISA has KEV dashboards, but the UK still operates in opacity. Without data, delivery cannot be measured, and without measurement, rhetoric thrives while resilience stagnates.

A Holistic Way Forward

The five 2025 reports, taken together, form a patchwork: colourful, ambitious, but frayed at the edges. Each has merit. Each has blind spots. What is needed is a synthesis that connects resilience, growth, skills, and regional equity into one trajectory. That means building bridges — moving from diagnosis to delivery.

1. Capital: From Diagnosis to Delivery

  • What the reports say: Tech Nation diagnoses capital bottlenecks; WMCA highlights FDI wins; DSIT hints at safe havens.
  • The missing link: None explain how capital reaches SMEs or scale-ups outside London.
  • The bridge: A regional investment concierge, OEM-led procurement compacts, and a West Midlands Productivity & Inclusion Fund blending sovereign, pension, and private capital.

2. Skills: From Numbers to Pathways

  • What the reports say: DSIT cites CyberFirst and visas; WMCA emphasises Level-3+ education; Tech Nation points to immigration; the Skills Report provides hard numbers (143,000 workforce, 3,800 shortfall).
  • The missing link: No mechanism converts graduates, returners, or mid-career entrants into jobs at scale.
  • The bridge: Paid residencies, neurodiverse pathways, returner schemes, and onboarding hubs tied to NCSC role profiles and UK Cyber Security Council certifications.

3. Regions: From Affluence to Equity

  • What the reports say: WMCA Futures acknowledges polycentric corridors; DSIT and Tech Nation remain London-centric; Midlands Engine conflates cyber with defence.
  • The missing link: Regional cyber hubs are underpowered compared to Cheltenham, Manchester, or Bristol.
  • The bridge: A West Midlands Cyber Hub, an annual Cyber Festival, and corridor-based cyber services embedding cyber in manufacturing, health, and energy zones.

4. Governance: From Rhetoric to Practitioner-Led

  • What the reports say: DSIT champions a “one team” ethos; WMCA proposes a new delivery vehicle; Tech Nation offers no governance model; Midlands Engine lacks detail.
  • The missing link: No practitioner-led governance spine connecting clusters, universities, SMEs, and investors.
  • The bridge: A unified governance model, practitioner-led, linking Midlands Cyber, WM CWG, WMCRC, and others into a coherent ecosystem aligned — but not subsumed — into national frameworks.

5. Benchmarking: From Opacity to Accountability

  • What the reports say: Targets are set, but with no transparent dashboards, KPIs, or resilience metrics.
  • The missing link: Without measurement, delivery cannot be tested or trusted.
  • The bridge: A West Midlands Cyber Resilience Benchmarking Index, publishing quarterly dashboards aligned with ENISA’s NIS2 obligations and CISA’s KEV model.

6. Narrative: From Fragments to Infrastructure

  • What the reports say: Tech Nation celebrates unicorns; WMCA talks productivity; DSIT frames resilience; Midlands Engine gestures at cyber/defence.
  • The missing link: No single story presents cyber as economic infrastructure.
  • The bridge: A narrative shift: “cyber-led, digitally enabled, commercially grounded.” Cyber as the connective tissue of modern growth.

7. Innovation: From Pilots to Platforms

  • What the reports say: DSIT mentions “safe environments” for testing, WMCA names innovation as one of its six levers, and Tech Nation equates innovation with VC-backed startups. Midlands Engine nods to cyber/defence R&D but doesn’t operationalise it.
  • The missing link: Innovation is treated as a by-product of capital or clusters, not as a system. Pilot programmes are launched but rarely scaled, SMEs often innovate in isolation, and pathways from research to market are fragmented.
  • The bridge: Institutionalise innovation as a pipeline: sandboxes and testbeds feeding accelerators, residencies, and scale-up programmes. Use the West Midlands Cyber Hub and Festival as engines for this, convening universities, practitioners, and investors to test, refine, and commercialise solutions. Position the region as the UK’s proving ground for cyber innovation that is export-ready and globally credible.

Pulling It Together

The holistic way forward is not about replacing DSIT policy or WMCA strategy. It is about connecting them with practitioner-led delivery, skills conversion, regional hubs, and transparent benchmarking.

  • DSIT provides the national frame.
  • WMCA provides the regional growth narrative.
  • Tech Nation provides the ecosystem data.
  • Midlands Engine gestures to cyber and defence.
  • The Skills Report provides the hard numbers.

What is missing, and what this roadmap supplies, is the platform model: hubs, governance, skills, investment, benchmarking, and narrative tied together into a single, practitioner-led architecture.

Only then will the UK move beyond churn to continuity, beyond rhetoric to results, and beyond pockets of affluence to a genuinely inclusive cyber economy.

Recommendations & Vision

If “Critique Across The Reports” diagnosed the failures and “A Holistic Way Forward” built the bridges, then this section sets out the platform: ten practitioner-led recommendations that transform fragmentation into delivery. Each maps directly back to the critiques.

1. Formally Recognise Cyber as a Standalone Economic Cluster

  • Stop treating cyber as a subset of “digital” or a bolt-on to defence.
  • Embed cyber explicitly in regional growth strategies (WMCA, Midlands Engine, LEPs).
  • Use consistent language: cyber is economic infrastructure, critical to manufacturing, healthcare, utilities, FDI aftercare, and AI adoption.

2. Establish Unified Cluster Governance

  • Create a regional Cyber Cluster Lead Body to act as convener, strategist, and delivery anchor.
  • Ensure it is practitioner-led — grounded in lived operational experience, not consultancy decks.
  • Build a governance spine that links Midlands Cyber, WM CWG, WMCRC, EMCSC, and others into a coherent ecosystem with defined roles.
  • Align with DSIT and NCSC frameworks while retaining regional autonomy and practitioner credibility.

3. Foster the Regional Cyber Community

  • Fund grassroots networking, innovation sprints, and cross-cluster forums, including innovation sprints, hackathons, and accelerator-style residencies to convert ideas into prototypes and products.
  • Support underrepresented groups: women in cyber, neurodiverse pathways, and returners.
  • Create inclusive community infrastructure so cyber feels open, not elite.

4. Increase Inbound Investment into West Midlands Cyber

  • Publish a West Midlands Cyber Investment Proposition, mapping assets, clusters, and success stories.
  • Leverage innovation zones, scale-up support, and international delegations to pitch the region.
  • Position the region as a cyber assurance hub for manufacturing, med-tech, and smart energy supply chains.

5. Create a Home for Cyber in the Region

  • Back a physical West Midlands Cyber Hub at Enterprise Wharf.
  • Provide co-working, incubator space, training labs, and convening rooms.
  • Use the hub as a visible symbol of credibility, a one-stop shop for SMEs, and a platform for skills conversion.

6. Launch a Two-Day Cyber Festival

  • Deliver a flagship annual event to showcase regional talent, policy, and innovation.
  • Include commercial, academic, skills, and policy tracks.
  • Position it as the SXSW of UK cyber, a magnet for investors, innovators, and policymakers. Model it on Slush with an innovation showcase and startup pitch track to attract investors and corporates.

This is happening right now thanks to the teams at TechWM, who are delivering a Cyber Festival and an Innovation Festival as part of BirminghamTechWeek (BTW) and the Innovation Alliance for the West Midlands (IAWM) who are hot on the innovation ecosystem.

7. Rebuild the Regional Narrative

  • Shift perception from “digital with cyber inside” to “cyber-led, digitally enabled, commercially grounded.”
  • Work with local media, councils, and universities to champion cyber as a driver of opportunity.
  • Counter ESG scepticism: cyber underpins safety, sovereignty, and innovation.

8. Reform Funding Access and SME Engagement

  • Create a regional funding concierge to help SMEs navigate DSIT, Innovate UK, DASA, NATO DIANA, and defence opportunities.
  • Advocate for dual-use eligibility in cyber programmes (e.g., CyberASAP).
  • Push primes to open procurement pipelines to Tier-2/3 suppliers.

9. Enhance Talent Strategy with Retention and Transitions

  • Expand apprenticeships and secure-by-design engineering pathways.
  • Support mid-career transitions from adjacent sectors.
  • Use the hub to connect employers, graduates, and training providers, with shared onboarding and residencies.
  • Embed UK Cyber Security Council certifications in all pathways.
  • Target retention: keep graduates in-region by promoting cost-of-living advantages and leadership opportunities.

10. Develop a West Midlands Cyber Resilience Benchmarking Index

  • Publish anonymous benchmarking on Cyber Essentials adoption, breach exposure, and phishing resilience.
  • Incentivise SMEs to progress up the maturity ladder.
  • Align with NCSC and CISA models to ensure credibility and comparability.

Vision: From Patchwork to Platform

These ten recommendations are not isolated fixes. Together, they create a platform model for UK cyber:

  • Cyber is formally recognised as an economic cluster.
  • Governance is unified and practitioner-led.
  • Community is inclusive and regionally balanced.
  • Investment flows into visible hubs and propositions.
  • Skills are converted into jobs at scale, with pipelines aligned to employer demand.
  • Benchmarking and dashboards provide transparent accountability.

The vision is clear: stability, credibility, and continuity. The West Midlands can be the prototype. If we get this right, the region will not only close its productivity gap but also redefine what cyber-led growth looks like for the UK. Innovation is the bloodstream of this platform: hubs, residencies, and festivals must not only showcase but accelerate the next generation of cyber tools, standards, and services.

Conclusion

The four 2025 reports, DSIT Cyber Growth Action Plan, WMCA Futures, Tech Nation, and Midlands Engine Cyber & Defence, each make valid contributions. But none is sufficient. Together, they still miss the core truth: cyber is not a subset of digital or defence. Cyber is economic infrastructure.

If cyber is not recognised as a standalone cluster, if governance remains fragmented, if practitioners are not in the lead, the UK will repeat the same stop–start cycles in 2030.

The West Midlands has the assets, institutions, and convening power to show a different path. With a Cyber Hub, a Cyber Festival, unified governance, SME engagement, and benchmarking, the region can become the prototype: a cyber ecosystem that is resilient, inclusive, and globally competitive.

Continuity, credibility, and community are the tests. The rest is noise.

If the West Midlands can prove this model, it becomes a template not just for the UK but for regions globally wrestling with the same challenge. The question is how to anchor cyber as infrastructure in a way that is credible, inclusive, and growth-driven.

Acknowledgements

This vision is not built in isolation. Thanks are due to DSIT and Innovate UK for believing in and funding the West Midlands Cyber Hub, and to the partners who have made it real: TechWM, Innovation Alliance for the West Midlands (IAWM), Midlands Cyber, the West Midlands Cyber Resilience Centre (WM CRC), Aston University, and the West Midlands Combined Authority (WMCA). Thanks also to Cyber Tzar and Psyber Inc., whose commitment has anchored delivery in practice.

Finally, a special thanks to the members and community of the West Midlands Cyber Working Group (WM CWG), whose openness has allowed us to engage with the ecosystem, hear directly what people need, and shape a roadmap that is not only credible but inclusive.