Tag Archives: CESG

UK Cyber at a Crossroads: Three Essays on Policy, Practice, and Growth, in Reaction to the 2025 Cyber Growth Action Plan

The UK’s cyber policy has made progress but suffers from churn, overlap, and regional imbalance. The 2025 Cyber Policy sets out ambition but lacks continuity and practitioner voice. This three-part series traces the history, critiques the new policy, and argues for a practitioner-led, regionally balanced ecosystem to stabilise the base finally.

Continue reading

A Potted History of the UK’s Cyber Economy: From Secrecy to Sector

This article, written in reaction to the DSIT Cyber Growth Action Plan 2025, traces the uneven history of the UK’s cyber economy. From CESG’s secretive assurance role to NCSC’s public authority and DSIT’s contested remit, the story is one of incremental gains but persistent churn. Programmes such as Cyber Essentials, CyberFirst, CyberASAP, Cyber Runway, and Cyber Resilience Centres have delivered value but lacked continuity, scale, and coherence. Unless the government commits to stabilisation and long-term delivery, the UK will continue to recycle initiatives rather than build a durable cyber base.

Continue reading

A Brief History of the Term Cyber (Meaning Cybersecurity)

This article explores how the word cyber evolved from its academic roots in cybernetics to its current role as shorthand for cybersecurity. It traces the rise of cyberpunk fiction, the growing association with digital threats in the 1990s, and how UK policy frameworks adopted and institutionalised the term, culminating in the creation of the National Cyber Security Centre (NCSC). From Greek etymology to modern geopolitics, cyber has shifted from describing control to denoting risk.

Continue reading

A Brief History of Penetration Testing: From Tiger Teams to PTaaS

This article traces the history of penetration testing from its military and intelligence roots in the 1960s to its formalisation through U.S. Tiger Teams and J.P. Anderson’s security frameworks. It follows the growth of pen testing into the commercial sector during the 1980s–90s, highlights key tooling milestones like SATAN, and explores its professionalisation in the 2000s via OWASP and PTaaS models. A dedicated UK section explains the roles of CESG, CHECK, CREST, and the NCSC in standardising and accrediting pen testing within British institutions. The article concludes with a reflection on how penetration testing continues to evolve in parallel with modern cyber threats.

Continue reading

The Future of Cyber Resilience Testing: Reflections on a Scheme in Transition

This blog article offers a critical yet constructive reflection on the UK’s Cyber Resilience Testing (CRT) initiative. While CRT is conceptually sound and timely, significant questions remain around cost, demand, usability, policy intent, and delivery responsibility. The article explores whether CRT is positioned to become a meaningful standard or risks being sidelined as another voluntary layer. It advocates for clearer articulation of purpose, audience targeting, and strategic alignment to unlock CRT’s full potential.

Continue reading