Cyber Sectoral Analysis

Cyber Sectoral Analysis examines how cyber risk, regulation, skills and capability actually land in specific sectors and regions, not in theory, but in practice.
This series looks across defence, critical infrastructure, supply chains, SMEs, regional clusters and public policy to understand where resilience is working, where it isn’t, and why. The focus is on real dependencies, delivery capacity, regulatory impact and economic consequences, connecting national strategy to operational reality and regional execution.

If cyber is economic infrastructure, this is where the weak points, and the leverage, really are.

The Gap Between Reality and Reporting: A Model of True Cyber Exposure in the UK

The UK’s cyber security data does not describe a single reality; it describes three filtered views of it. By overlaying Breaches Survey, ICO, and NCSC data, a clearer model emerges: one of layered visibility, not layered severity. This article introduces a “true exposure vs reported exposure” framework, showing that most cyber risk sits below what is detected, reported, or acted on, and that the current strategy is focused on the wrong layer.

A Decade of the UK Cyber Security Breaches Survey: Trends, Plateaus, and What Actually Changed

The UK Cyber Security Breaches Survey, viewed over time, reveals not progress but stabilisation. Breach rates remain persistently high, attack methods largely unchanged, and improvements in governance lag behind rising exposure. The data shows a system that has normalised insecurity, where awareness has increased, but action has not kept pace, resulting in a steady state of widespread, structurally embedded cyber risk.

The UK Cyber Security Breaches Survey 2025/26: Stagnation, Scale, and the Illusion of Progress

The UK Cyber Security Breaches Survey 2025/26 suggests stability, but closer analysis reveals a system stuck in place rather than improving. Breaches remain widespread, detection uneven, and incentives misaligned. What looks like progress is often an artefact of measurement. This article argues the UK has reached a cybersecurity plateau, where risk is normalised, resilience is incomplete, and meaningful change will require structural, not incremental, intervention.

CYBERUK 2026: From Policy to Practice and the System Inbetween

CYBERUK 2026 signals a shift from building a cyber ecosystem to operating a national cyber system. Across a series of analyses, a consistent pattern emerges: policy is coherent, execution is demanding, and outcomes are uneven. This article draws those strands together to show that the gap between strategy and delivery is not incidental; it is structural, and it defines how the system behaves.

CYBERUK 2026: The Missing Layer Between Strategy and Execution is Regional Capability Infrastructure

CYBERUK 2026 defines a clear national cyber strategy, but leaves a critical gap between ambition and execution. This article identifies the “missing layer”: the regional capability infrastructure required to translate policy into scalable organisational resilience. Without it, capability remains uneven, SMEs struggle to progress, and the system evolves by default rather than design, undermining the goal of distributed national resilience.

CYBERUK 2026: System Ambition vs Operational Reality and the Rise of a Two-Speed Cyber Economy

CYBERUK 2026 reveals a coherent but challenging shift in UK cyber strategy: from building a policy ecosystem to operating a national cyber system. While the government drives system-level resilience and AI-enabled defence, organisations are expected to execute fundamentals under increasing pressure. The result is a growing gap between ambition and capability, driving the emergence of a two-speed cyber economy where cyber security becomes a condition of market access.

CYBERUK 2026: The Perfect Storm and the Limits of Fundamentals

Richard Horne’s CYBERUK 2026 keynote frames cyber security as operating in a “perfect storm” of rapid technological change and rising geopolitical tension. While reinforcing the importance of fundamentals, the speech highlights how AI and evolving threats are reshaping the landscape. The core challenge is whether organisations can maintain baseline security as capability gaps widen, raising the risk of a two-speed cyber economy.

CYBERUK 2026: From Policy Ecosystem to Operational Doctrine

The CYBERUK 2026 speech by the UK’s Security Minister, Dan Jarvis MBE, signals a shift from building a cyber ecosystem to actively operating a national cyber system. It elevates baseline security expectations, embeds supply chain enforcement, and positions AI as central to defence. However, this transition risks concentrating market power, potentially excluding SMEs while increasing dependence on a small number of large firms and frontier AI providers.

UK Cyber Policy Ecosystem Mapped: Structure and Evidence

This article maps the core policy architecture and supporting evidence underpinning the UK cyber security ecosystem. By separating system-defining strategies, legislation, and sectoral analyses from the research and technical studies that inform them, it provides a clearer view of how cyber policy, economics, and regional development interact across government and industry.

CyberDIVA and the Architecture of Online Harm

A reflection on the CyberDIVA conference at Aston University, examining cyber violence against women and girls, the fragmentation of the UK response ecosystem, and the architectural incentives shaping harm in modern digital environments. The article connects operational realities to broader structural questions around platform design, AI integration, economic alignment and the need for systemic accountability in an increasingly asymmetric web.

CRTFs Move From Concept to Reality… But the Hard Questions Begin Now

Cyber Resilience Test Facilities (CRTFs) have now moved from concept into operational reality, with the first product assessments completed and reports issued. This milestone confirms CRTFs as a risk-based assurance mechanism rather than a pass/fail certification scheme. Yet major challenges remain: governance, market interpretation, high-assurance integration with UK Telecoms Lab (UKTL), and international alignment. CRTFs are real, but adoption must stay meaningful.

The UK Cyber Security and Resilience Bill 2025: What It Means and Why It Matters

The UK Cyber Security and Resilience Bill 2025 represents a major shift from sector-based cyber regulation to a broader national resilience framework. By expanding the NIS regime to data centres, managed service providers and critical suppliers, strengthening incident reporting, and introducing strategic governance and national security powers, the Bill closes long-standing gaps but raises challenges around proportionality, skills, regional delivery and SME impact.

When It Comes To Cyber The Midlands Defence Blueprint Is Polite Fiction

The Midlands Defence & Security Blueprint presents itself as decisive and strategic, but in reality it repeats the same structural failures that undermined Midlands Engine. Cyber remains subordinated, underfunded, and ownerless, while coordination is mistaken for delivery. Written from the perspective of a practitioner who has built cyber capability on the ground, this article argues that resilience will not come from another blueprint, but from funded authority, real centres, and delivery.

Cyber deception at UK scale: what the NCSC trials tell us — and what they still don’t

The NCSC’s cyber deception trials mark a shift from theory to evidence, testing whether deception can deliver real defensive value at scale. This article examines what those trials show — and what they leave unresolved. It argues that cyber deception is best understood as an evolution of honeypots, powerful but operationally demanding, and highly dependent on organisational maturity. While effective in well-instrumented environments, deception is not an SME-level control and risks being over-sold. Without clear metrics, safety discipline, and honest maturity gating, its promise remains conditional.

UK Flywheel and the Missing Middle: Cyber Scenes from the National Theatre

A first-hand account of the UK Flywheel event at the National Theatre: part love letter to the UK cyber ecosystem, part demolition of the comforting myths around funding, government “capability”, and NCSC’s role. From the NCSC Annual Review to West Midlands Cyber Hub, this is what the day looked like from the founder trenches rather than the podium.

The NCSC Annual Review 2025: Between Capability and Stasis

The article examines the NCSC Annual Review 2025 as both a testament to accomplishment and a warning. It praises the NCSC’s technical competence but questions its identity: regulator, delivery agency, or state-backed market player? It highlights contradictions — DSIT hailing it as “the jewel in the crown” while eroding its remit, diluting CyberFirst into TechFirst, ending its startup work, and overstating the benefits of Cyber Essentials. The piece concludes that the NCSC is overextended and under-defined, needing clarity of purpose more than new initiatives — less performance, more direction.

The Grant Delusion: Why Government Should Commission, Not Compete, in UK Innovation

David Richards MBE is right: the UK’s innovation economy has become addicted to grants, not growth. But the problem isn’t funding itself; it’s design. Innovate UK and its peers were meant to bridge the early-stage gap between research and market, but instead became destinations in their own right. Government now competes with, rather than commissions, the innovators it should empower. The fix is simple: commission outcomes, not applications; fund practitioners, not paperwork.

Cyber, Growth, and Regional Futures: A Comparative Synthesis of Six 2025 Reports: From Fragmentation to Framework

2025 has been a year of noise, policy papers, strategies, and growth plans, each declaring the next leap for UK cyber and regional innovation. But noise isn’t movement. Across six flagship reports, DSIT’s Cyber Growth Action Plan, WMCA’s Futures and Growth Plans, the Tech Nation 2025 report, the Midlands Engine Cyber & Defence report, and DSIT’s Cyber Skills 2025, the pattern repeats: good intent, weak execution, no continuity. Together, they map £77 billion in Gross Value Added (GVA), 143,000 cyber professionals, and £17 billion in projected uplift, but no coherent operating model. This paper builds one: treating cyber as economic infrastructure and the West Midlands as the proof-of-concept for a practitioner-led, resilient growth framework.

The West Midlands Growth Plan 2025: Blueprint or Turning Point?

The West Midlands Growth Plan 2025 is the most detailed and credible regional strategy in a decade, a £17.4 billion growth blueprint built on data, pragmatism, and belief in place-based delivery. It models a region that can finally close its £5-per-hour productivity gap and turn polycentric geography into economic strength. Yet it still risks the same fate as its predecessors: ambition without execution. My critique goes beyond the press releases, exposing funding silos, institutional churn, and the absence of practitioner leadership, and proposes a hard-edged, engineer’s roadmap for delivery. Cyber must be treated as infrastructure; innovation must be systemic, not decorative; and governance must have teeth. The call is simple: stop admiring the plan and start engineering the outcome. Continuity, accountability, and practitioner leadership; the rest is noise.

Cyber Security Skills in the UK Labour Market 2025: A Critical Analysis

This article critically examines the Cyber Security Skills in the UK Labour Market 2025 report, highlighting strengths, weaknesses, and regional implications. It synthesises the findings into a practitioner-academic analysis, with recommendations for aligning graduate supply, employer demand, and future skills in areas such as AI and cyber resilience.
