The UK Cyber Policy 2025 and the West Midlands Futures Green Paper 2025 set bold agendas but risk gaps without practitioner-led delivery. The national policy offers ambition but lacks continuity, metrics, and practitioner voice. The regional plan lays strong scaffolding but underweights cyber, leaning too heavily on AI. A ten-point roadmap shows the way forward: formally recognise cyber as a standalone cluster, unify governance, foster community, attract investment, establish a hub, launch a festival, rebuild narrative, reform SME funding access, enhance talent strategy, and create a regional benchmarking index. Anchored in the West Midlands Cyber Hub, this approach can balance national ambition with regional delivery, making resilience a driver of inclusive growth.

Contents

Introduction

2025 has brought two heavyweight strategies that will shape the next decade: DSIT’s Cyber Policy 2025 and the WMCA’s West Midlands Futures Green Paper. Each speaks to resilience, productivity, and inclusive growth, but they emerge from very different vantage points. One looks nationally, through the lens of cybersecurity as a driver of trust and prosperity. The other looks regionally, through the economic fundamentals of clusters, FDI, skills, and place.

Both documents are important, but neither is sufficient on its own. The Cyber Policy risks repeating the churn of past initiatives — ambition without continuity, rhetoric without metrics. The Green Paper risks leaning too heavily on AI and underplaying cyber as a horizontal enabler. Taken together, however, they open the door to something more powerful: a roadmap that binds national ambition to regional delivery, with practitioner-led hubs acting as the anchor.

1. The National Frame: DSIT Cyber Policy 2025

The Cyber Policy represents the government’s attempt to reset. It talks the right language — resilience framed as growth, the creation of “safe environments” for testing, and a unifying “one team” narrative. It recognises that cyber underpins economic activity, supply-chain trust, and national resilience.

But the weaknesses are familiar. Like earlier initiatives (CHECK, Tiger Scheme, NCSC for Startups), it risks drifting into stop–start cycles. Three gaps stand out:

• Continuity. Too many cyber programmes are launched with fanfare, then quietly dropped.
• Metrics. “Resilience” remains an abstract goal without binding KPIs, open dashboards, and owner-by-owner delivery plans.
• Practitioner voice. The lived experience of SMEs, startups, and frontline technologists is still marginal. Policy often defaults to London, Cheltenham, and Manchester — the “cyber affluent” — while ignoring the rest.

In short: the Cyber Policy points in the right direction but doesn’t yet explain how the journey will actually be travelled.

2. The Regional Frame: West Midlands Futures Green Paper

The Green Paper is more than an economic plan; it is an act of institutional honesty. It admits the productivity gap (GVA/hour £34.50 vs UK £39.50), names weaknesses in management capability, and acknowledges the thinness of Tier-1 supply chains. It celebrates momentum in inward investment — 127 new FDI projects in 2023, placing the region 7th in Europe — but stresses that growth has not yet translated into living standards.

Its six components are well-chosen: clusters, business leadership, everyday economy, place, people & skills, and institutions. These match the real levers of productivity, not the siloed approaches of past strategies.

Yet gaps remain:

• Overweighting AI. The document leans heavily on AI and digital as engines of growth, while cyber is reduced to a supporting act. That is a strategic blind spot.
• Light delivery architecture. The Green Paper sketches outcomes but is thin on hard KPIs, delivery accountabilities, and budget lines.
• Supply-chain weakness. It acknowledges the Tier-1 gap but doesn’t show how to systematically grow Tier-2/3 firms into Tier-1 status.

It is a credible foundation — but it needs sharper edges.

3. Where Policy and Growth Meet: Practitioner Gaps

Read side by side, the Cyber Policy and the Green Paper are more complementary than they appear. Both are concerned with resilience, skills, investment, and inclusivity. Both see safe environments as critical — whether cyber ranges or spatial corridors of growth. Both recognise that institutions must be retooled to deliver.

But both also share blind spots: an underweighting of practitioner-led delivery, and a reliance on high-level rhetoric over operational plans. That is where the practitioner gap sits — the space where strategy must become practice.

4. How the Two Plans Interlock

At first glance, DSIT’s Cyber Policy 2025 and the WMCA’s West Midlands Futures Green Paper operate on different planes — one national, one regional; one focused on resilience, the other on economic growth. But look closer, and the overlap is striking. The challenge is not divergence, but integration.

• Resilience as Growth ↔ High-Growth Clusters
  DSIT frames cyber resilience as a driver of prosperity. The WMCA identifies advanced engineering, EV/batteries, med-tech, and cleantech as priority clusters. The link is direct: resilient supply chains, assured digital infrastructure, and secure IP pipelines are prerequisites for cluster success.
• Safe Environments ↔ Spatial Development Strategy
  DSIT’s call for safe testing environments aligns with WMCA’s spatial corridors and planned densification. Testbeds, cyber ranges, and corridor-based innovation zones are two sides of the same coin — environments where firms can experiment, scale, and export.
• One Team Narrative ↔ Institutional Spine
  Nationally, DSIT wants a “one team” ethos; regionally, WMCA proposes a new economic delivery vehicle and an annual partnership summit. Together, these can reduce fragmentation — if practitioners are given the lead.
• Skills & Conversion ↔ People & Skills
  DSIT highlights CyberFirst and skills pipelines; WMCA acknowledges youth inactivity and experience gaps. A joint strategy could see cyber apprenticeships, mid-career transitions, and conversion residencies embedded in both agendas.
• Investor Confidence ↔ Business Leadership & Investment
  Cyber assurance and benchmarking create the trust that investors demand. The WMCA’s focus on FDI and management capability is strengthened if firms can show credible cyber maturity.
• Everyday Economy ↔ Cyber Hygiene at Scale
  DSIT’s safe havens and assurance models can flow directly into WMCA’s everyday economy: retail, logistics, care, and hospitality firms equipped with baseline protections.

In short, the Cyber Policy provides the “why” — resilience as national mission — while the Green Paper provides the “where” and “what” — the levers of regional growth. The West Midlands Cyber Hub offers the “how”: a practitioner-led anchor that makes the interlock real.

5. A Ten-Point Roadmap for Regional Cyber Growth

The West Midlands can show how national and regional ambitions converge. A ten-point plan brings together the national aims of the Cyber Policy, the regional scaffolding of the Green Paper, and the lived experience of practitioners.

1. Formally Recognise Cyber as a Standalone Economic Cluster
   Cyber must move beyond being framed as a subset of digital or defence. It should be formally embedded as a cluster in regional strategy documents and investment propositions — equal to AI, EV, or cleantech.
2. Establish a Unified Cluster Governance Model
   A regional Cyber Cluster Lead Body should be appointed to coordinate delivery, investment, and alignment. It must be practitioner-led, with credible industry and startup experience, and should formally link Midlands Cyber, WM CWG, EMCSC, WMCRC, and others into a single ecosystem.
3. Foster the Regional Cyber Community
   Growth is cultural as well as economic. Funding should support regular cross-cluster networking, innovation sprints, grassroots groups, and inclusive engagement to build a coherent, representative community.
4. Increase Inbound Investment into West Midlands Cyber
   A West Midlands Cyber Investment Proposition should map assets, clusters, and success stories to attract national programmes, international delegations, and private capital.
5. Create a Home for Cyber in the Region
   The West Midlands Cyber Hub, opening at Enterprise Wharf, is the physical anchor: a co-working, event, and incubator space, and a platform for assurance, training, and convening.
6. Launch a Two-Day Cyber Festival
   A flagship festival can showcase regional talent, attract investors, and foster collaboration across policy, skills, innovation, and commercial tracks. It will serve as both a signal of ambition and a practical marketplace. Thanks to Birmingham Tech Week and TechWM, we have a Cyber Festival arriving in October.
7. Rebuild the Regional Narrative and Perception
   The region must shift its identity from “digital with cyber inside” to “cyber-led, digitally enabled, commercially grounded.” This reframing addresses ESG concerns and positions cyber as a source of trust and sovereignty.
8. Reform Funding Access and SME Engagement
   A regional funding concierge should be created to help SMEs navigate defence, DSIT, Innovate UK, and NATO DIANA schemes. Procurement pipelines must be opened to allow Tier-3 suppliers visibility and access.
9. Enhance Talent Strategy with a Focus on Retention and Transitions
   Apprenticeships, mid-career transitions, and graduate retention need to be scaled up. The Cyber Hub can act as the connector, while embedding UK Cyber Security Council certifications to ensure alignment with national standards.
10. Develop a West Midlands Cyber Resilience Benchmarking Index
    A regional benchmarking tool should track SME maturity (Cyber Essentials adoption, breach exposure, phishing resilience), publish anonymous results, and align with NCSC frameworks. This would provide visibility, incentives, and credibility.

6. Recommendations: Towards a Shared Roadmap

Taken together, these points suggest a shared roadmap that balances national policy and regional growth:

• Nationally: institutionalise continuity, publish quarterly dashboards, and fund practitioner-led hubs.
• Regionally: embed cyber as a cluster, operationalise the Green Paper with Delivery Ledgers, and make corridor-based propositions bankable.
• Practitioner level: build community, run assurance and benchmarking schemes, and deliver large-scale skills conversion through paid residencies.

Conclusion

The UK cyber ecosystem stands at a crossroads. DSIT’s Cyber Policy sets the ambition. The WM Futures Plan sets the scaffolding. But ambition and scaffolding alone do not deliver growth. That requires continuity, clarity, and credibility.

The West Midlands has a chance to demonstrate all three. The West Midlands Cyber Hub can serve as a prototype: where resilience is growth, where national meets regional, and where practitioner-led delivery turns rhetoric into reality.

If the government wants proof that its policies can succeed, it needs only look to Birmingham.

References

• Reviewing the 2025 UK Cyber Policy Paper: Promise, Blind Spots, and the Challenge of Continuity
• A Potted History of the UK’s Cyber Economy: From Secrecy to Sector
• Stabilising the Base: From Patchwork to Platform in the UK Cyber Ecosystem
• Cyber, Digital, and Tech: Understanding the West Midlands Perspective
• The West Midlands Futures Green Paper (2025): Synopsis, Key Takeaways, Critique, and Recommendations
• Cyber as a Cluster: A Critical Review of the Midlands Engine Cyber & Defence Report (April 2025)
• Cyber Collaboration in the West Midlands: Skills, Strategy, and a Shared Future
• West Midlands Cyber Hub Diaries: Day One (Or Perhaps Day Sixty)