Cyber Collaboration in the West Midlands: Skills, Strategy, and a Shared Future

Leave a Reply

On 29 April 2025, the West Midlands Cyber Working Group met at Gowling WLG in Birmingham to explore how collaboration can drive cyber resilience, skills development, and strategic growth across the region. Speakers, including Andy Hague (TechWM), Dan Rodrigues (CyberFirst), Dave Walker (AWS), Sarah Gray and Louise Macdonald (Gowling WLG), and Wayne Horkan (WM CWG Chair) shared insights on scaling regional leadership, building inclusive talent pipelines, addressing AI security risks, and navigating evolving legal frameworks. The event underscored a shared ambition to position the West Midlands not just as a participant but as a leader in the UK’s cyber ecosystem.

Content

Table of Contents

Introduction

On 29 April 2025, the West Midlands Cyber Working Group (WM CWG) gathered at Gowling WLG’s venue at 2 Snowhill, Birmingham for our quarterly meeting, an energised session focused on skills, security, and regional strategy.

We were grateful to be hosted by Gowling WLG and extend sincere thanks to their team for the warm hospitality. Special appreciation also goes to Pam Waddell and Ros Povilionis of the Innovation Alliance for the West Midlands (IAWM), whose coordination and continued support have helped shape both the ambition and the delivery of the WM CWG’s activities.

The event was expertly compered by Sevgi Aksoy of Psyber Inc. and the WM CWG. She kept the programme running to time, brought clarity and energy to the space, and ensured the environment was inclusive and welcoming, encouraging open dialogue from industry, academia, and government voices alike.

Speakers

This quarter’s event brought together respected leaders across strategy, education, technology, law, and community development:

Andy Hague – CEO, TechWM

A seasoned cyber executive and recent appointee to the top job at TechWM, Andy brought deep insight into the evolution of cyber strategy in the UK and positioned cyber as a key pillar in the West Midlands’ growth narrative.

Dan Rodrigues – IN4 Group / CyberFirst WM

Dan explained how CyberFirst and MEGA are delivering structured, inclusive routes into cyber careers, reaching young people earlier and building pathways to real industry engagement.

Dave Walker – Principal Specialist SA, AWS

Dave Walker delivered a technical deep dive on the evolving security risks posed by large language models (LLMs) and generative AI, grounding the discussion in verifiable research and formal engineering methods.

Sarah Gray & Louise Macdonald – Gowling WLG

Sarah and Louise delivered a comprehensive legal and regulatory update, centred on the implications of the UK Cyber Security and Resilience Bill and the EU’s NIS 2 Directive.

Wayne Horkan – moi! WM CWG Chair

As part of the closing session, I delivered a short reflection on where the WM CWG is heading and how our four strategic aims are beginning to translate into real outcomes.

Sessions

Included:

  • Cyber Leadership in the Region – Vision and Next Steps
  • Youth Skills, Education, and the Cyber Pipeline
  • AI, Security & Engineering Realities
  • Legal Perspectives in Cyber Collaboration – 2025 UK Outlook
  • WM CWG Update

Cyber Leadership in the Region – Vision and Next Steps

Andy began with a retrospective on his commercial experience. At NCC Group (2008–2010), he scaled the cybersecurity division from £12 million to £30 million, culminating in a £200 million acquisition by Kroll. He then served on the UK board of Wolters Kluwer (2010–2014), shaping national-level approaches to information security. In the years that followed, he worked as an independent advisor on cyber M&A, an experience that led directly to the creation of Cyberfort Group (2017–2023), which he scaled through acquisitions to over £12 million in annual revenue. He also supported the final development phase of 4Tsec before transitioning to advisory and public roles.

In recent years, Andy’s influence has grown beyond commercial leadership. In 2023, he launched the Neurodiversity in Business initiative to improve inclusion across the tech sector. By 2024, he had founded the SME Cybersecurity Forum, was elected to the Main Board of Tech UK, and took on advisory roles with the Centre for Digital Government (CDDO) and the Cabinet Office’s Digital Playbook initiative. In April 2025, he became CEO of TechWM and joined the Advisory Board for the National Cyber Awards.

He then presented an overview of TechWM’s operating model: a hybrid funding structure combining public investment (primarily via the WMCA) with contributions from private patrons and events. TechWM works in close alignment with national strategy bodies, including DSIT, and connects into wider national ecosystems like TechUK and NCSC.

Importantly, TechWM is not only a regional convenor, it also actively contributes to shaping policy. The organisation has submitted responses to national consultations on topics such as ransomware, cyber resilience strategy, and regulatory design.

Andy closed by reframing TechWM not as a regional cheerleader but as a strategic driver of long-term infrastructure, investment, and innovation. His call to action was clear: only through alignment across public, private, and academic sectors can we effectively scale cyber leadership in the region.

Youth Skills, Education, and the Cyber Pipeline

Dan began by emphasising that the West Midlands isn’t just talking about cyber education, it’s doing it, at scale and with measurable outcomes. Since May 2024, the region has hosted 13 CyberFirst Days. These sessions took place at key venues such as STEAMhouse, the University of Worcester, and the Greater Birmingham & Solihull Institute of Technology (GBSIoT), providing students with hands-on, experiential taster days in cyber.

The impact is already visible: 387 young people have participated so far, with 52% identifying as female, a reflection of the programme’s focus on gender inclusion.

Dan highlighted the diversity of the schools involved. Among the thirteen are:

  • A CyberFirst Recognised School
  • A Special Educational Needs (SEN) school
  • A Pupil Referral Unit (PRU)

This signals a conscious effort to reach learners across multiple educational settings, with adaptive content and delivery models to meet their needs.

Dan confirmed that five additional CyberFirst Days are planned before the end of the school year:

  • 13–14 May
  • 16 June
  • 9–10 July, all taking place at GBSIoT

In parallel, a flagship MEGA Event in Worcester is scheduled for 11 June 2025 (pending final confirmation).

At the core of Dan’s talk was the MEGA Hub Model, a federated structure placing GCHQ and CyberFirst at the centre, with concentric rings of local authorities, schools, FE colleges, regional tech employers, and delivery partners. Each hub acts as a regional amplifier, tailoring delivery to local context while scaling a national model.

He then detailed the MEGA Programme, an eight-week enrichment course for KS3 students (Years 7–9) delivered outside school hours. The curriculum blends:

  • CyberFirst foundational training
  • Esports-led learning
  • Foundational development in problem-solving, communication, and wellbeing

For older learners aged 16–18, the programme offers £1,000 scholarships, awarded based on engagement and merit. This isn’t symbolic funding; it’s designed to materially shift career pathways.

One of the most forward-thinking aspects of Dan’s session was his overview of the MEGA Super Curriculum: a six-term narrative learning arc delivered across the academic year. It introduces cyber not as a subject, but as a journey:

Terms 1–3:

  • Introduction & tasters
  • Wellbeing & identity
  • Cyber literacy & foundational security

Terms 4–6:

  • Business & enterprise skills
  • Creative thinking & design
  • Final review, peer-led feedback, and tournament-style competitions

Students engage in year-round contests such as the Christmas Cup, Gaming Guardians, and the Esports Entrepreneurs Showcase, blending gamification with assessment to make cyber both visible and aspirational.

Dan closed with early impact data. Students involved in the MEGA programme have shown stronger attainment in GCSEs, A-Levels, and BTECs, as well as greater confidence in their post-16 decisions. More significantly, they see cyber as part of their future, not just as a career path, but as a space they belong in.

AI, Security & Engineering Realities

Dave Walker’s session offered a rigorous yet practical walk-through the risks and engineering implications of working with large language models (LLMs) and generative AI. His delivery was sharp and informed, grounding AI discussions in verifiable engineering realities rather than hype or marketing abstraction.

He opened with a stark point: generative AI is inherently nondeterministic. That means error is not a bug, it’s a structural feature. Walker referenced a key paper demonstrating that transformer-based models can never reduce their error rate to zero, no matter how large or well-trained they become (arxiv.org/pdf/2401.11817).

From there, he underscored the importance of auditing training data. What you put in directly shapes what you get out, and that applies to bias, toxicity, and unpredictability. Yet, as he pointed out, many providers are reluctant to share full visibility into their model training pipelines. He referenced:

Walker then walked through the problem of model provenance and integrity. Foundation models, he argued, are intrinsically untrustworthy unless they are cryptographically signed and verifiably constructed, something most of today’s open model platforms don’t enforce. He pointed to two alarming studies:

A particularly strong section of Walker’s talk tackled the conceptual limitations of classic cybersecurity models. The CIA triad (Confidentiality, Integrity, Availability), he suggested, is insufficient for LLMs. Instead, he advocated using the Parkerian Hexad, which adds:

  • Utility
  • Authenticity
  • Possession or Control

He also provided a comprehensive review of the latest regulatory and security frameworks surrounding AI:

In terms of architecture and mitigation, Walker explained two approaches:

  • Outside-In – security measures applied at the interface:
    • API and WAF filtering
    • Prompt moderation (language, sentiment, PII)
    • Integrated MLOps pipelines
  • Inside-Out – measures focused on training data quality and structure:
    • Curate and sanitise before use
    • Avoid sub-word tokenisation where possible
    • Delete corrupted data outright, don’t try to impute or correct it

He illustrated how training ambiguity can persist in models, using the word “bomb” as an example: does it mean an explosive device or a box office flop? Reference: arxiv.org/pdf/2305.14456. This kind of ambiguity isn’t just semantic; it’s cultural, and models need linguistic variation properly accounted for (e.g., en-gb vs. en-us vs. en-ie).

He also addressed model modularity, arguing for smaller, targeted models that can be combined at runtime using Mixture of Experts (MoE) or agentic decision layers.

Finally, he covered a range of testing and formal verification tools:

He closed with a reference to formal verification in system security, including AWS’s own approach (aws.amazon.com/security/provable-security) and recommended the book Principles of Model Checking for those looking to dive deep.

Walker’s talk was grounded, technically robust, and a valuable contribution to any conversation about operationalising AI security in cloud-native environments. It was great to be able to hear him speak and it was the highlight of my inner geek’s day.

Legal Perspectives in Cyber Collaboration – 2025 UK Outlook

Sarah and Louise began by outlining how the UK’s cyber legal landscape is adapting to reflect increased risk exposure across supply chains, cloud platforms, and critical infrastructure.

Key implications of the forthcoming Bill include:

  • Widened scope: Managed service providers (MSPs) and data centres will fall within the scope of regulated entities
  • Stronger supply chain responsibilities: Organisations will be accountable for their tech stack and vendor ecosystem
  • Refreshed Cyber Assessment Framework (CAF): NCSC will publish updated sector-specific codes of practice
  • New incident reporting model:
    • Early warning report within 24 hours
    • Follow-up report on a defined timeline
  • Expanded ICO enforcement: With potential cost recovery provisions introduced to support regulatory enforcement
  • Toward adaptive regulation: The Bill may evolve through a “Statement of Strategic Priorities” model, allowing faster alignment with emergent risk

The key takeaway: legal frameworks are becoming proactive drivers of resilience, not just compliance mechanisms. Regulatory change is catching up, and in some areas, leading.

WM CWG Update

We’re now driving forward:

  1. Improved collaboration, communication, and coworking
    • Looking at delivering a Cyber Festival, backed by a Cyber Local bid and supported by TechWM, will bring the region together post–Birmingham Tech Week.
  2. A dedicated home for cyber in the region
    • We’re answering the question: “Where do you go when you step out of New Street if you work in cyber?”
    • We’re hoping that our Launchpad Hub will provide a physical base in Birmingham for collaboration between startups, enterprises, academia, and government.
  3. Increased investment into the West Midlands cyber ecosystem
    • We’re positioning the region as a recognised cyber cluster, in alignment with DSIT, TechUK, and national investment strategies.
  4. Greater resilience through shared intelligence and coordination
    • We’re continuing to build trust and alignment between organisations to improve readiness and response across sectors.

I also gave a progress update on our Cyber Local funding bids, submitted by the 30 April deadline. These focus on skills, innovation, investment, and cross-sector ecosystem development.

We’re also supporting a Cyber Cluster Feasibility Study, with the aim of securing future designation, resourcing, and influence. I invited the room to contribute to this important next step.

During the Q&A, we explored several important themes:

  • How to support neurodiverse professionals in cyber
  • How to address the gaps in the early-stage skills pipeline
  • How to measure and demonstrate ecosystem impact to attract sustainable investment

What emerged was clear: we have a shared ambition to lead, not just regionally, but nationally. That requires organisation, trust, and momentum. The room confirmed our shared ambition: the West Midlands is not just participating, it’s positioning itself to lead.

Reflections on Notes from the Day

Throughout the day, I captured insights from presentations and side conversations, ideas that reflect where cyber is in the West Midlands is heading.

  • “Cyber will be the fifth pillar of TechWM strategy.” – Andy Hague
    • This reflects a structural shift: cyber is no longer a vertical, but a foundational pillar of regional economic and digital development.
  • “Models policing models… Turtles all the way down.” – Dave Walker
    • LLMs may require oversight by other models, raising issues of recursion, trust, and opacity.
  • “Guardrails are language-specific.”
    • AI safety is context-sensitive. Mechanisms that work in one language or culture may fail in another.
  • “RefChecker… Hallucination Checker… What’s in the model?”
    • Tools for model introspection and auditing are becoming essential, not optional.
  • “Does the LLM have training on bomb making?”
    • This blunt question surfaces an urgent need for content screening and provenance tracking.
  • “Cultural meaning is embedded in training data.”
    • Bias, ideology, and misinterpretation often come baked into models, not by design, but by absorption.
  • “ISO 42001” and “DBOM (Data Bill of Materials)”
    • Expect compliance frameworks like ISO 42001 and data lineage tracking to become standard.
  • “Virtual Mobile Phone Desktop – like a SunRay.”
    • Reimagining secure access with thin-client principles, mobile-first, not desktop-retrofitted.
  • “Security Guardians – Steve Smitt, AWS.”
    • A proactive governance model embedding ethical responsibility into AI workflows.
  • “Micro teams always include a Security Architect.”
    • Security isn’t a centralised function. It belongs within every delivery team.
  • “Security by Design is an architectural issue.”
    • Security isn’t a bolt-on, it starts at the whiteboard, not at the firewall.
  • “If you can guarantee time, you can semi-predict hash outcomes.”
    • Timing attacks and data integrity are more interconnected than we often admit.
  • “Checkmarx and Black Duck – IP risks.”
    • Toolchain consolidation raises ownership and compliance concerns, not just technical ones.
  • “Self-replicative models: Only the model that builds models should replicate.”
    • Recursive AI development demands control mechanisms. Not all models should spawn successors.

Taken together, these observations chart where our focus should go: technical transparency, regulatory readiness, architectural thinking, and ecosystem integrity.

Final Thanks

To everyone who joined us, thank you. From Ryan Protheroe (Midlands Cyber), Adrian (ROCUWM), Michelle Ohren (WMCRC), Gwilym (DSIT), Ros Povilionis (SWM), and the team at Innovation Alliance for the West Midlands (IAWM), who provide a regional home for the WM CWG, plus the many educators, founders, and policymakers present, your presence made it matter.

Assorted gratitude:

  • To our speakers: Thank you for the depth.
  • To Sevgi: Thank you for holding the room.
  • To Gowling WLG and IAWM: Thank you for your steadfast support.
  • To the WM CWG steering group: Thank you for your commitment.
  • To everyone helping shape the West Midlands’ cyber future: Thank you for showing up.

Closing Thoughts

This event reminded me of two important things:

  • First, we’re a broad church. Events like this give us a chance to flex as a region, to bring together voices from across the cyber spectrum: technical practitioners, policy leaders, educators, investors, strategists, and founders. That diversity is our strength, and it’s what makes the West Midlands cyber community distinct.
  • Second, we have an enormous growth opportunity. The West Midlands currently has one of the lowest levels of inbound cyber investment in the UK, but that also means the greatest headroom. If we get this right, by organising, collaborating, and scaling with purpose, we don’t just catch up. We have the potential to lead and to eclipse other regions.

What’s Next: Joint Session with Health Sector

Our next event takes place on 30 June 2025, in partnership with the health innovation community:

Cybersecurity in Healthcare: Securing Health in a Digital World

We’ll explore how cyber intersects with clinical safety, regulatory demands, and innovation in care delivery. It’s also a chance to build connections with the NHS, researchers, and health tech startups. Join us if you can.

Together, we’re laying foundations that will define the next decade of cyber resilience in the West Midlands.