Tag Archives: Cyber Sectoral Analysis

Cyber Sectoral Analysis

Cyber Sectoral Analysis examines how cyber risk, regulation, skills and capability actually land in specific sectors and regions, not in theory, but in practice.
This series looks across defence, critical infrastructure, supply chains, SMEs, regional clusters and public policy to understand where resilience is working, where it isn’t, and why. The focus is on real dependencies, delivery capacity, regulatory impact and economic consequences, connecting national strategy to operational reality and regional execution.

If cyber is economic infrastructure, this is where the weak points, and the leverage, really are.

Cyber Resilience Testing and Facilities: Mapping, Critique, and the Path Forward

Between February and March 2025, I analysed the UK’s Cyber Resilience Testing (CRT) initiative and its associated Cyber Resilience Test Facilities (CRTFs). From that research, I developed three articles: one mapping the global standards landscape, one examining CRT’s practical challenges, and one exploring its role as a trust label. Together, they present CRT as a promising but evolving approach: not yet a standard, but under active NCSC development and consultation, with the potential to reshape product-based assurance if given clarity, support, and ecosystem alignment.

Continue reading →

Restructuring the West Midlands Growth Company: Reform or Rebrand?

The West Midlands Growth Company (WMGC) is being restructured into a new Economic Development Vehicle (EDV) by 2026 to focus on investment and strategic delivery. While WMGC claims credit for attracting big business, many local startups, mine included, received no meaningful support. The restructuring is a chance to fix that, but only if the new EDV backs early-stage innovators with funding access, partnerships, and scale-up support. Otherwise, it’s just a rebrand, not reform.

Continue reading →

Cyber as a Cluster: A Critical Review of the Midlands Engine Cyber & Defence Report (April 2025)

Cyber in the West Midlands is no longer just a business activity, it’s a cluster. With the right action, it can become a strategic economic engine. This review critiques the Midlands Engine Cyber & Defence Report (April 2025) and sets out a ten-point plan to make that transformation real. The opportunity is clear. The data is in. Now we must deliver.

Continue reading →

The Future of Cyber Resilience Testing: Reflections on a Scheme in Transition

This blog article offers a critical yet constructive reflection on the UK’s Cyber Resilience Testing (CRT) initiative. While CRT is conceptually sound and timely, significant questions remain around cost, demand, usability, policy intent, and delivery responsibility. The article explores whether CRT is positioned to become a meaningful standard or risks being sidelined as another voluntary layer. It advocates for clearer articulation of purpose, audience targeting, and strategic alignment to unlock CRT’s full potential.

Continue reading →

From Consultation to Code Retrospective: Did We Influence the Outcome of the Cyber Governance Code of Practice

This reflection examines the Cyber Governance Code of Practice as published in April 2025. It compares government output with practitioner and IET responses from 2024, showing where influence carried through and where gaps remain. The conclusion: progress was made, but without law, incentives, and professional recognition, the Code risks becoming compliance theatre.

Continue reading →

Inside the Breach: What M&S and the Harris Federation Reveal About UK Cyber Vulnerabilities

Two senior leaders, Sir Charlie Mayfield, former John Lewis chairman, and Sir Dan Moynihan, CEO of the Harris Federation, joined BBC Radio 4’s Today Programme on 1 May 2025 to discuss the impact of recent cyber attacks on Marks & Spencer, the Co-op, and UK schools. Their stories offer rare insight into how institutions respond to major breaches and what it really takes to recover.

Continue reading →

Did We Influence DSIT’s Cyber Governance Code of Practice?

This article compares my practitioner response, the IET’s institutional submission, and the final Cyber Governance Code of Practice published in April 2025. It shows where our ideas carried through (supply chain oversight, continuous process, assurance), where they were partly adopted (SME proportionality, professional recognition), and where they were ignored (incentives, legal duties). The conclusion: yes, we influenced the Code — but the hardest issues remain unresolved.

Continue reading →

Cyber Governance Code of Practice 2024: What Government Finally Published

The UK’s Cyber Governance Code of Practice, published in 2025, sets out five principles for boards: risk management, strategy, people, incident response, and assurance. It places cyber in the boardroom and makes directors personally accountable, but stops short of embedding duties in company law. While clear and structured, the Code lacks incentives, SME pathways, and professional recognition — making uptake uncertain.

Continue reading →

Steering Regional Resilience: Reflections on Two Years Supporting DSIT’s Cyber Local Programme

As Chair of the West Midlands Cyber Working Group, I’ve helped lead DSIT’s Cyber Local steering group for the region over the past two years. Working alongside regional experts, I’ve supported the selection of projects that strengthen cyber resilience on the ground, including Aston University’s powerful work on cyber violence against women and girls. This experience has reinforced just how critical locally informed funding is to building practical, inclusive, and impactful cyber capability.

Continue reading →

Professionalising Cyber: Reflections from Conway Hall

A first-hand reflection on the UK Cyber Security Council’s recent “The Journey to Professionalisation” event at Conway Hall, exploring the ongoing professionalisation of the cyber security sector. Highlights include the expansion of recognised specialisms, the development of the UK Cyber Skills Framework, and discussions on AI, early-career challenges, and the need for a more inclusive, realistic skills framework to support a growing cyber economy.

Continue reading →

Women Shaping Cyber: Reflections from Aston University

The Women Shaping Cyber event at Aston University, held during International Women’s Day, highlighted the importance of diversity in the West Midlands cyber sector. Keynote speaker Sevgi Aksoy emphasised the human factor in cybersecurity, while roundtable discussions explored barriers facing women, how to attract and retain talent, and how to leverage regional strengths. With contributions from leaders across academia, industry, and government, the event underscored that growth in cyber must also be measured in inclusivity and representation, not just economics.

Continue reading →

Cyber, Digital, and Tech: Understanding the West Midlands Perspective

In the West Midlands, the definitions and boundaries of Cyber, Digital, and Tech are more than just academic semantics; they influence policy, investment decisions, and how the region positions itself on the national and global stage. While the rest of the UK and many parts of the world have moved towards recognising cyber as a distinct and critical sector, in the West Midlands, it still largely sits within the broader digital and technology categories.

Continue reading →

Overview, Summary, Thoughts, and Recommendations on the NCSC Cyber Security Risk Management Guidance

This article evaluates the NCSC’s Cybersecurity Risk Management Guidance, highlighting its strengths in broad coverage and practical tools but identifying key weaknesses, including the lack of an integrated end-to-end framework, inconsistent depth, and limited audience-specific tailoring. It recommends strengthening the framework’s integration, providing accessible tools, addressing organisational resistance, and incorporating strategies for emerging technologies and black swan events. These enhancements could elevate the guidance to a truly comprehensive standard for diverse organisations.

Continue reading →

Driving Cyber Resilience in the Defence Supply Chain: Summary of Key Actions and Recommendations and Some Thoughts

The Ministry of Defence (MOD) has issued a call to action for Defence industry CEOs and Defence Leads, underlining the critical importance of enhancing cyber resilience across the Defence supply chain, “Letter from the Second Permanent Secretary, DG Chief Information Officer and DG Commercial to Defence industry CEOs/Defence Leads“. The letter, signed by Paul Lincoln, Second Permanent Secretary; Charles Forte, DG Chief Information Officer; and Andrew Forzani, DG Commercial, stresses the heightened global cyber threat landscape and the need for immediate and robust action to safeguard the UK’s Defence capabilities.

Continue reading →

Exploring the Link Between Cyber-Dependent Crime and Autism: A Critical Analysis

This article reviews a study exploring links between autistic-like traits, autism, and cyber-dependent crimes. Findings show autistic-like traits increase cyber-crime risk, while autism reduces it. Advanced digital skills are a key factor. The study highlights opportunities for autistic individuals in cybersecurity but is limited by self-reported data and sample representation. Further research is needed to clarify causal links and broader impacts.

Continue reading →

Cyber Governance at a Crossroads: Responding to DSIT’s Consultation

This framing article summarises a set of responses to DSIT’s Cyber Governance Code of Practice consultation in Jan/Feb 2024. It highlights practitioner and institutional submissions, alongside thematic deep dives on law, assurance, incentives, and professionalism. The message: DSIT asked the right questions, but the hardest answers were still missing.

Continue reading →

Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering

1 Reply

This article argues that DSIT’s Cyber Governance Code of Practice must embed professional recognition for cyber experts, just as directors rely on lawyers, accountants, and engineers. Without a register of recognised professionals, directors risk being accountable without credible support.

Continue reading →

Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance

This article argues that obligations alone will not drive the adoption of DSIT’s Cyber Governance Code of Practice. To succeed, the Code must be backed by incentives — tax relief, insurance benefits, procurement levers, and reputational recognition — that make governance valuable to boards. Obligations can enforce compliance; incentives will create commitment.

Continue reading →

From Cyber Essentials to Corporate Governance: Raising the Bar

Cyber Essentials has value as a baseline, but reaches only 0.3% of UK organisations and says little about governance. This article argues that DSIT’s Cyber Governance Code of Practice must raise the bar, from compliance to accountability, from self-attestation to credible assurance, and from one-off certificates to continuous governance. Cyber Essentials is the floor; governance must be the ceiling.

Continue reading →

Directors and Cyber Responsibility: Towards a New Company Law

This article examines DSIT’s 2024 proposal to embed cyber responsibility into company law. It argues that directors should carry legal duties for cyber resilience, as they already do for finance and health and safety — but only if those duties are proportionate, professionalised, and practical. The consultation did not change the law, but the direction of travel is unmistakable.

Continue reading →