The Midlands Defence & Security Blueprint presents itself as decisive and strategic, but in reality it repeats the same structural failures that undermined Midlands Engine. Cyber remains subordinated, underfunded, and ownerless, while coordination is mistaken for delivery. Written from the perspective of a practitioner who has built cyber capability on the ground, this article argues that resilience will not come from another blueprint, but from funded authority, real centres, and delivery.

In practice, the Blueprint collapses four different meanings of cluster into a single narrative: delivery bodies (UKC3-style cyber support), economic clusters (Combined Authority growth logic), funding constructs (LPIF-style consortia), and the plain-English idea of “a group of related things”. Each implies different ownership, funding, authority, and accountability, but the Blueprint treats them as interchangeable. The result is inevitable: responsibility diffuses, delivery stalls, and everyone assumes something exists that no one has actually been empowered to run.

Executive Summary (TL;DR)

The Midlands Defence & Security Blueprint is a competent translation of national defence industrial policy into regional coordination, but it is structurally incapable of delivering cyber resilience. Cyber is treated as a cross-cutting enabler of defence supply chains rather than as critical economic and resilience infrastructure in its own right.

The Blueprint collapses four incompatible meanings of “cluster” into a single narrative, diffusing ownership and avoiding delivery authority. It assumes coordination will substitute for funded mandate, repeating the same failure mode that undermined Midlands Engine.

Midlands Cyber is frequently referenced as a regional asset, despite being funded, mandated, and resourced primarily for Worcestershire. This is not a failure of the organisation or its leadership, but a structural mismatch between expectation and funding.

The East Midlands Cyber Security Cluster is doing valuable work, but faces inherent centre-of-gravity challenges due to regional dispersion, challenges the Blueprint does not acknowledge or address.

Cyber in the Midlands is not primarily an innovation opportunity. It is an infrastructure risk problem embedded in aerospace and manufacturing supply chains with low cyber maturity. Treating it as a subset of defence innovation misses the point.

The West Midlands Cyber Hub demonstrates what modest funding, physical presence, and delivery authority can achieve in weeks, not years.

The Midlands does not need another blueprint. It needs cyber to be recognised and treated as a cluster in its own right, economically, operationally, and and as a delivery system, with structures, funding, and accountability that reflect that reality.

In the West Midlands, that means a funded, accountable cyber centre aligned to the region’s industrial and risk profile, embedded in partnership with existing organisations, and empowered to deliver resilience rather than simply coordinate it.

Contents

1. Introduction: Or How We Keep Mistaking Coordination For Capability, And Cyber Keeps Getting Screwed In The Process

The Defence and Security Blueprint for the Midlands wants to sound decisive. It wants to sound strategic. It wants to sound like the Midlands has finally grown up and learned how to speak Whitehall.

What it actually is, is another coordination document pretending to be delivery, built on the same structural weaknesses that killed the Midlands Engine, with cyber once again treated as everyone’s responsibility and no one’s job.

This article is explicitly focused on cyber resilience and capability, not defence strategy writ large, a distinction that matters because the official Defence and Security Blueprint for the Midlands is clearly rooted in national defence industrial policy rather than a comprehensive cyber strategy.

As the West Midlands Combined Authority states, the Blueprint “translates the UK’s Strategic Defence Review and Defence Industrial Strategy into regional delivery”, positioning regional action as an extension of national defence priorities rather than recognising cyber as a stand-alone domain.

Meanwhile the East Midlands Combined County Authority highlights this plan’s support for “next-generation cyber resilience and secure communications infrastructure” as part of a broader package of defence technologies, effectively treating cyber as a component of defence supply chain capability rather than an independent resilience infrastructure.

Underlying the Blueprint is the UK’s Defence and Security Industrial Strategy (DSIS), which provides cross-government policy on industrial capability, procurement, and technology segments, but does not position cyber as a discrete sector in its own right; instead it is folded into broader defence and security industrial ambitions.

I’m writing this as someone who has spent years both inside policy conversations and on the ground building cyber capability in the region.

There’s a deeper issue running through this Blueprint, and it’s one I’ve seen repeatedly in cyber policy.

These documents are written about practitioners, informed by practitioners, but not written by practitioners. They are produced by people standing on the riverbank, asking those in the boat what the current feels like.

By practitioner, I don’t mean “someone from industry” in the abstract. I mean someone who has actually operated systems, built networks, shipped products, dealt with incidents, failed commercially, recovered, and understands cyber at the level where tools like netstat aren’t metaphors. That doesn’t mean everyone needs to be able to run or interpret a penetration test, but it does mean they should have grounding in the domain and be directly involved in delivery, whether their role sits in operations, engineering, risk, governance, or compliance.

That distance matters. Because cyber doesn’t fail in theory, it fails operationally. And policy designed without people who live in that operational reality will always default to coordination, abstraction, and optimism over delivery.

I’m not saying the authors are stupid. Far from it. This is a competent, careful, politically literate document. But competence is not capability, and alignment is not action. We have been here before. Recently.

And we didn’t learn the lessons.

2. We’ve Done This Dance Already: The Ghost Of Midlands Engine

The DSIS positions the defence industrial base as a whole, spanning procurement, productivity, resilience, technology, exports and international collaboration, and implicitly sees cyber work as part of technology and procurement reform rather than a sovereign resilience capability in its own right.

Meanwhile the more recent Defence Industrial Strategy 2025 emphasises “making defence an engine for growth” and strengthening resilience and innovation across the UK industrial base, but again does not elevate cyber to a strategic sector, even as it stresses innovation and supply-chain resilience.

Before EMCCA, before WMCA–EMCCA compacts, before “defence growth corridors” and “industry councils”, there was Midlands Engine.

Midlands Engine was supposed to be the East–West Midlands coordinating vehicle. It produced reports. It convened stakeholders. It wrote glossy PDFs about defence, cyber, advanced manufacturing, and innovation.

One of those was the Midlands Engine Cyber & Defence Report (April 2025), a document I tore apart in detail earlier this year because it suffered from a fatal flaw:

It described an ecosystem it had no structural power to shape.

That flaw is back. Bigger. Better dressed. Still lethal.

The new Blueprint repeats the same pattern:

• broad geography
• shared ownership
• multiple clusters
• no hard centre
• no single accountable delivery body
• no money attached to cyber
• and an assumption that goodwill will substitute for authority

Coordination without power is just networking. We already tried that.

3. “Midlands Cyber” Isn’t Actually Midlands Cyber

Let’s deal with this plainly, because the region deserves clarity.

Midlands Cyber is not, and has never been, a Midlands-wide cyber delivery body. That’s not a judgement: it’s a statement of fact about mandate, funding, and accountability. Yes, there was a time when this was the aspiration, and times when funding has been wider, but this hasn’t been true for some significant time.

Midlands Cyber is funded from Worcestershire, accountable within Worcestershire, and resourced to deliver activity primarily in Worcestershire. It is based out of the Beta-Den facility close to QinetiQ in Malvern, and is entwined with the local ecosystem. It does valuable work within that context. But it does not have a funded remit to deliver sustained activity across the West Midlands, and it should not be treated as if it does.

In the West Midlands, Midlands Cyber is a valued collaborator and partner. It is invited to contribute, connect, and support activity. But it is not paid to deliver. That distinction matters, and pretending otherwise helps no one.

When strategy documents talk about “leveraging Midlands Cyber”, what they are often really doing is assuming that an already stretched organisation can absorb additional regional responsibility without additional resource. That isn’t strategy. It’s a funding gap disguised as partnership.

None of this is a criticism of the people involved, quite the opposite. Midlands Cyber, and particularly Ryan Protheroe, have been constructive and important partners in the work we’re doing. But partnership only works when roles, remits, and resources are named honestly. The region deserves to understand the actual state of play.

4. The East Midlands Problem: Where The Hell Is The Centre?

The East Midlands Cyber Security Cluster is doing important work across Leicester, Derby, and Nottingham. That coverage is a strength, but it also creates a structural challenge that’s worth naming honestly.

The East Midlands is geographically dispersed. There is no single dominant city, no obvious convening centre, and no natural focal point equivalent to Birmingham, Manchester, or Bristol. That makes momentum harder to sustain, community harder to build, and visibility harder to signal, even when the people involved are doing the right things.

This isn’t a criticism of the cluster or the individuals leading it. It’s simply the reality of geography and economics. Clusters need centres. Without them, energy spreads thinly, coordination costs rise, and progress requires more deliberate effort.

That’s one of the reasons why I’ll be spending more time in Leicester. If we’re serious about building cyber capability across the Midlands, that work has to show up physically, repeatedly, and locally, not just in documents, steering groups, or well-intentioned regional abstractions.

The Blueprint doesn’t acknowledge this challenge, let alone address it. But ignoring centre-of-gravity problems doesn’t make them go away. It just makes delivery harder than it needs to be.

5. A Brief Detour: What The Hell Do We Actually Mean By “Cluster”?

Before going any further, we need to address another elephant in the room, because a lot of this confusion starts here.

The word cluster is doing far too much work, and different parts of the system mean very different things by it.

5.1 Cluster As Cyber Delivery Infrastructure (UKC3 Model)

In the UK cyber ecosystem, particularly under UKC3 (the UK Cyber Security Cluster Collaboration), a cluster usually means a delivery body. Something analogous to the Police’s National Cyber Resilience Centre model: organisations that take cyber to SMEs, support adoption, build capability, and try to drive cyber maturity into the wider economy.

Midlands Cyber and the East Midlands Cyber Security Cluster sit broadly in this definition. Historically, many of these bodies were heavily supported by central government funding (including DSIT and its predecessors). That funding has largely gone. The expectation, however, has not.

The poster children here, Cheltenham and Manchester, come from cyber-affluent regions with deep public funding, national institutions, and strong gravitational pull. There’s also a South West / South East defence-centric model that works precisely because cyber there is tightly coupled to defence supply chains.

None of that maps cleanly onto the West Midlands, where cyber is not primarily a defence supplier ecosystem, but instead feeds indirectly into defence through broader aerospace and manufacturing supply chains.

5.2 Cluster As An Economically Significant Sector (Combined Authority Logic)

In Combined Authority and regional growth policy terms, cluster means something else entirely.

Here, a cluster is:

• an economically significant concentration of activity,
• visible at scale,
• strategically prioritised,
• and recognised explicitly in funding, policy, and growth plans.

Below that sit industries. Below that, sub-sectors.

This is where a major structural problem emerges: cyber is not recognised as a cluster by WMCA. It sits beneath digital, which itself sits beneath tech, in funding, support, and visibility. Cyber is therefore absent from many regional conversations by default.

That is a serious error.

Cyber may be cross-cutting, but it also has:

• scale,
• volume,
• labour intensity, and
• distinct workforce characteristics.

Estimates from practitioner-led surveys suggest up to 30% of the cyber workforce is neurodivergent, compared to roughly 20% across tech more broadly, while only ~16% of autistic people are in long-term employment nationally. Cyber is one of the few sectors that already works for this community at scale, and yet it is structurally invisible in regional policy.

Add to that the clear, demonstrated demand seen through the West Midlands Cyber Hub, footfall, SME engagement, students, placements, events, and the idea that cyber is merely a sub-category of digital becomes increasingly indefensible.

5.3 Cluster As A Funding Construct (LPIF And Similar Programmes)

In some funding contexts, LPIF and similar, cluster simply means a loose consolidation of organisations delivering against a common goal. This is neither a delivery body nor an economically defined sector. It’s an administrative convenience.

The problem is that strategy documents often slide between this definition and the others without noticing, treating a funding construct as if it were an economic reality, or a delivery body as if it had sector-level authority.

5.4 Cluster As The Plain-English Meaning

Finally, there’s the dictionary definition, what the person on the street hears when you say cluster: a group of related things, close together, forming something recognisable.

Ironically, this is often closer to how cyber actually behaves on the ground than any of the formal definitions.

5.5 Why This Matters For The Blueprint

The Defence & Security Blueprint never states which definition it is using.

Instead, it drifts between all four:

• treating delivery bodies as if they were economic clusters,
• assuming economic significance without granting visibility or authority,
• implying coordination where no delivery mandate exists,
• and relying on a shared understanding that simply isn’t there.

The result is conceptual slippage that looks like coherence on paper and turns into confusion in delivery.

Until we are explicit about which meaning of cluster we are operating under, and align governance, funding, and accountability accordingly, cyber will continue to fall between stools. Not because it lacks importance, but because it is being described in mutually incompatible ways.

That confusion sits at the heart of why this Blueprint feels busy, careful, and well-intentioned, and yet still fails to grapple with cyber as the economic and resilience reality it actually is.

This definitional confusion underpins almost every weakness that follows.

6. The Structural Answer Is Regional Clarity, Not Territorial Sprawl

The obvious response to these issues isn’t to criticise Midlands Cyber, or to point fingers at the East Midlands. The problem isn’t effort or intent. It’s mandate, geography, and structural design.

What’s missing in the West Midlands is regional clarity around cyber delivery, a clear focal point aligned to how the region actually functions: its industrial base, its defence–aerospace supply chains, its universities, its workforce, and its risk profile.

Without that clarity, responsibility diffuses. Coordination substitutes for delivery. Organisations are asked to stretch beyond their remit, and everyone quietly assumes someone else is in charge.

In a healthier model, delivery happens close to the economic reality it’s meant to serve, while region-spanning organisations play a connective role, convening, sharing insight, and supporting collaboration across boundaries, rather than acting as unfunded delivery proxies for areas they aren’t resourced to cover.

This isn’t about carving up territory. It’s about aligning structures with reality. When regional cyber activity has clear ownership, funding that matches geography, and permission to deliver, collaboration becomes meaningful rather than aspirational. Without that alignment, we keep asking the same organisations to do more with less, and calling it partnership.

7. Stop Conflating Defence And Cyber: They Are Not The Same Fucking Thing

This is the most serious conceptual failure in the document.

Defence ≠ cyber.
They overlap. They interact. They are not the same.

In the West Midlands especially, defence means:

• aerospace
• tier-2 and tier-3 manufacturing
• fasteners
• components
• machining
• precision engineering
• logistics

The real risk profile here is not “cyber innovation”.

It is:

• fragile supply chains
• over-reliance on just-in-time delivery
• single points of failure
• low cyber maturity among critical suppliers

Cyber here is not a sector.
It is infrastructure risk.

Treating cyber as a subset of defence innovation misses the point entirely. Cyber in the Midlands is primarily about resilience, not shiny dual-use tech demos.

The Blueprint talks about cyber like it’s a skills category or a hygiene factor. That is dangerously inadequate.

8. The Structural Weakness Nobody Wants To Name

Here’s the pattern, laid bare:

1. We create a large regional narrative
2. We reference clusters and create councils
3. We avoid creating a funded delivery body
4. We assume coordination will “emerge”
5. Cyber gets spread thinly across everything
6. No one is accountable
7. Nothing structurally changes

This is not a Midlands problem. It’s a UK regional policy problem. But the Midlands is particularly good at repeating it.

Clusters without authority.
Strategies without centres.
Councils without budgets.

And cyber, every time, loses.

9. What The Blueprint Gets Right: And Yes, There Are Positives

To be fair, and accuracy matters, the document does some things well:

• It correctly frames defence as long-term economic infrastructure
• It recognises supply chain resilience as a national issue
• It avoids inventing pointless new institutions
• It understands Whitehall incentives better than Midlands Engine ever did
• It treats SMEs more realistically than most defence policy

This is a better document than the Midlands Engine work.

But “better” is not “sufficient”.

10. What It Gets Wrong, Fundamentally

But:

10.1 Cyber Has No Owner

Cyber appears everywhere and belongs nowhere.

No lead body.
No funding line.
No delivery authority.
No metrics.

That is not accidental. It is structural avoidance.

10.2 Coordination Is Mistaken For Capability

You cannot coordinate your way into resilience.
You have to build it.

10.3 Geography Is Treated As Politics, Not Economics

The East/West Midlands split is real. Pretending otherwise doesn’t make it go away.

10.4 Defence Supply Chains Are Misdiagnosed

This is not about innovation theatre. It’s about brittle systems and cascading failure.

11. This Isn’t A New Critique, I’ve Been Saying This For Years

None of what I’m arguing here is new, and it’s important to be explicit about that.

Over the last few years I’ve worked across regional and national cyber policy, delivery, and analysis: from direct engagement with DSIT cyber governance consultations, through a detailed three-part analysis of NCSC’s Cyber Resilience Testing, to hands-on involvement supporting Cyber Local delivery and critical reviews of Midlands Engine’s cyber and defence work.

Different departments. Different programmes. Different political language.

The same failure mode every time.

Cyber is consistently treated as:

• a subset of digital,
• or an enabler of defence,
• or a feature of innovation policy,

but almost never as critical economic and resilience infrastructure in its own right.

What changes from document to document is the tone. What doesn’t change is the structure. Cyber is analysed, consulted on, and referenced, but structurally subordinated. Ownership is diffuse. Authority is unclear. Delivery responsibility is assumed to emerge through coordination rather than being designed and funded deliberately.

This is not a Midlands-specific problem, but the Midlands has a particular talent for repeating it. Midlands Engine did it. This Blueprint risks doing it again, just with better branding and more careful language.

The reason I’m not especially impressed by “alignment” or “ecosystem language” anymore is that I’ve seen how little of it survives contact with delivery. If cyber does not have a home, a budget, and accountable leadership, it does not matter how many times it appears in strategy documents. Nothing structural will change.

12. The Pattern I Keep Seeing

Across all of this work, regional, national, consultative, and operational, the same four problems keep surfacing. They are not incidental. They are structural.

12.1 First, Cyber Governance Is Consistently Subordinated

In the West Midlands in particular, cyber is framed as a subset of digital, which is framed as a subset of tech, which is then embedded inside defence, which is ultimately justified through economic growth. By the time cyber reaches the point of decision-making, it has been abstracted into a skills line or a hygiene requirement. There is no clear owner, no delivery authority, and no political weight behind it. Everyone is responsible, which in practice means no one is.

12.2 Second, Funding Collapses At The Low End

There is no shortage of national strategy, pilot programmes, or innovation-scale funding. What is missing is money where cyber resilience is actually built: small amounts of funding to support readiness, assurance, certification, secure-by-design uplift, and early operational maturity. Sub-£50k interventions don’t fit innovation logic, don’t excite investors, and don’t sit comfortably in policy portfolios, but without them, SMEs absorb cost and risk, and resilience stalls.

12.3 Third, Support Disappears Across The Lifecycle

Cyber policy is obsessed with entry: startups, new firms, first contracts. Almost no attention is paid to what happens next. Scaling into regulated or defence-adjacent markets, maintaining certifications, surviving procurement friction, or exiting cleanly through acquisition or integration are all treated as someone else’s problem. The result is churn, stagnation, and quiet failure, not a resilient sector.

12.4 Fourth, Practitioners Are Consulted But Rarely Empowered

Practitioner insight is regularly harvested during consultations and roundtables, but delivery models are still designed elsewhere. Feedback loops are weak. Operational reality is acknowledged and then filtered out. When practitioner input does make it into final policy, as I’ve seen happen on occasion, it’s the exception, not the norm.

Put together, these aren’t implementation gaps. They’re a coherent pattern of avoidance. We keep talking about cyber because we know it matters. We keep refusing to give it structural weight because doing so would force difficult decisions about ownership, funding, and power.

That is the context in which this Blueprint should be read.

13. The Uncomfortable Conclusion

The Midlands does not need another blueprint.

It needs:

• a real cyber centre in the West Midlands
• funded, visible, physical
• with authority to convene, benchmark, and intervene
• separate from but connected to defence
• focused on resilience, not vibes

Until cyber is treated as critical economic infrastructure, not a policy seasoning sprinkled across other agendas, we will keep producing documents that sound impressive and change very little.

We’ve already run this experiment once.

Midlands Engine proved that coordination without power fails.

This Blueprint risks proving it again, unless someone is brave enough to stop being polite and start building something real.

And yes:
that will require money, ownership, and the courage to say no to bad abstractions.

The Midlands deserves better than another glossy PDF.

14. An Open Invitation: Grounded In Delivery

I come at this from the point of view of a practitioner. I’ve seen the gaps up close, not just from policy tables but from the sharp end of trying to build things that actually work. I’ve spun up multiple cyber businesses over the years, and I carry the warts-and-all knowledge that comes with that: what scales, what breaks, what procurement really does to SMEs, and where well-intentioned policy collides with commercial reality.

I’ve spent years building community where strategy documents assume it will simply exist. I’ve argued with government for investment in the West Midlands Cyber Hub, helped secure it, and then delivered it. In just two months of operation the Hub has already seen over 400 visitors, five SMEs based on site, a drop-in centre in daily use, eight events delivered, and a further fifteen scheduled through to March. We’ve placed seven students into apprenticeships, supported multiple placements with regional companies, championed women in cyber, neurodivergent practitioners, and young learners, and contributed directly to job creation and early-stage innovation. This is what happens when cyber has a physical home, modest funding, and permission to act.

So when I say the Midlands doesn’t need another blueprint, I’m not saying it as an outsider throwing stones. I’m saying it as someone who has built the thing policy keeps gesturing towards and then walking away from. I’m open to conversation, with policymakers, funders, and regional leaders, but only if we’re prepared to talk honestly about ownership, funding, and power. Coordination without authority doesn’t build resilience. Delivery does. If that’s a conversation you genuinely want to have, I’m open. If it isn’t, we should at least stop pretending that another document will fix what the structure keeps breaking.