Tag Archives: Cyber Strategy

The Gap Between Reality and Reporting: A Model of True Cyber Exposure in the UK

Leave a Reply

The UK’s cyber security data does not describe a single reality; it describes three filtered views of it. By overlaying Breaches Survey, ICO, and NCSC data, a clearer model emerges: one of layered visibility, not layered severity. This article introduces a “true exposure vs reported exposure” framework, showing that most cyber risk sits below what is detected, reported, or acted on, and that the current strategy is focused on the wrong layer.

Continue reading

CYBERUK 2026: The Missing Layer Between Strategy and Execution is Regional Capability Infrastructure

Leave a Reply

CYBERUK 2026 defines a clear national cyber strategy, but leaves a critical gap between ambition and execution. This article identifies the “missing layer”: the regional capability infrastructure required to translate policy into scalable organisational resilience. Without it, capability remains uneven, SMEs struggle to progress, and the system evolves by default rather than design, undermining the goal of distributed national resilience.

Continue reading

CYBERUK 2026: System Ambition vs Operational Reality and the Rise of a Two-Speed Cyber Economy

Leave a Reply

CYBERUK 2026 reveals a coherent but challenging shift in UK cyber strategy: from building a policy ecosystem to operating a national cyber system. While the government drives system-level resilience and AI-enabled defence, organisations are expected to execute fundamentals under increasing pressure. The result is a growing gap between ambition and capability, driving the emergence of a two-speed cyber economy where cyber security becomes a condition of market access.

Continue reading

CYBERUK 2026: The Perfect Storm and the Limits of Fundamentals

Leave a Reply

Richard Horne’s CYBERUK 2026 keynote frames cyber security as operating in a “perfect storm” of rapid technological change and rising geopolitical tension. While reinforcing the importance of fundamentals, the speech highlights how AI and evolving threats are reshaping the landscape. The core challenge is whether organisations can maintain baseline security as capability gaps widen, raising the risk of a two-speed cyber economy.

Continue reading

CYBERUK 2026: From Policy Ecosystem to Operational Doctrine

Leave a Reply

The UK’s Security Minister, Dan Jarvis MBE’s CYBERUK 2026 speech, signals a shift from building a cyber ecosystem to actively operating a national cyber system. It elevates baseline security expectations, embeds supply chain enforcement, and positions AI as central to defence. However, this transition risks concentrating market power, potentially excluding SMEs while increasing dependence on a small number of large firms and frontier AI providers.

Continue reading

UK Cyber Policy Ecosystem Mapped: Structure and Evidence

Leave a Reply

This article maps the core policy architecture and supporting evidence underpinning the UK cyber security ecosystem. By separating system-defining strategies, legislation, and sectoral analyses from the research and technical studies that inform them, it provides a clearer view of how cyber policy, economics, and regional development interact across government and industry.

Continue reading

The NCSC Annual Review 2025: Between Capability and Stasis

Leave a Reply

The article examines the NCSC Annual Review 2025 as both a testament to accomplishment and a warning. It praises the NCSC’s technical competence but questions its identity: regulator, delivery agency, or state-backed market player? It highlights contradictions — DSIT hailing it as “the jewel in the crown” while eroding its remit, diluting CyberFirst into TechFirst, ending its startup work, and overstating the benefits of Cyber Essentials. The piece concludes that the NCSC is overextended and under-defined, needing clarity of purpose more than new initiatives — less performance, more direction.

Continue reading

UK Cyber at a Crossroads: Three Essays on Policy, Practice, and Growth, in Reaction to the 2025 Cyber Growth Action Plan

Leave a Reply

The UK’s cyber policy has made progress but suffers from churn, overlap, and regional imbalance. The 2025 Cyber Policy sets out ambition but lacks continuity and practitioner voice. This three-part series traces the history, critiques the new policy, and argues for a practitioner-led, regionally balanced ecosystem to stabilise the base finally.

Continue reading

Reviewing the 2025 UK Cyber Growth Action Plan: Promise, Blind Spots, and the Challenge of Continuity

Leave a Reply

This article, written in reaction to the DSIT Cyber Growth Action Plan 2025, reviews and critiques the government’s new approach. It recognises what the policy gets right — framing resilience as growth, creating safe havens, and calling for a one-team response — but also highlights what is missing: metrics, continuity, practitioner voice, and regional balance. Without these, the new policy risks becoming rhetoric rather than a platform for real progress. Unless the UK moves decisively from aspiration to delivery, the 2025 Cyber Growth Action Plan will join its predecessors as another missed opportunity.

Continue reading

Reviewing the 2025 DSIT Code of Practice for Enterprise Connected Device Security: A Critical and Constructive Analysis

Leave a Reply

This article provides a comprehensive analysis of the UK Government’s proposed 2025 Code of Practice for Enterprise Connected Device Security, published by the Department for Science, Innovation and Technology (DSIT). It unpacks the structure, rationale, and policy intent behind the Code, outlines its 11 lifecycle-aware security principles, and evaluates its strengths and limitations. Drawing on lessons from the earlier NCSC Cyber Resilience Testing (CRT) programme, it offers a set of practical, actionable recommendations to improve uptake, scalability, and long-term impact. This is a roadmap for policymakers, manufacturers, and enterprise buyers navigating the emerging landscape of connected device security in organisational settings.

Continue reading

Cyber Collaboration in the West Midlands: Skills, Strategy, and a Shared Future

Leave a Reply

On 29 April 2025, the West Midlands Cyber Working Group met at Gowling WLG in Birmingham to explore how collaboration can drive cyber resilience, skills development, and strategic growth across the region. Speakers, including Andy Hague (TechWM), Dan Rodrigues (CyberFirst), Dave Walker (ex-AWS), Sarah Gray and Louise Macdonald (Gowling WLG), and Wayne Horkan (WM CWG Chair) shared insights on scaling regional leadership, building inclusive talent pipelines, addressing AI security risks, and navigating evolving legal frameworks. The event underscored a shared ambition to position the West Midlands not just as a participant but as a leader in the UK’s cyber ecosystem.

Continue reading

Mapping the Landscape: Stakeholder Grids for Startups and Ecosystems

Leave a Reply

Understanding who matters most to your mission, and how to engage with them, is vital for any business, especially in the startup and innovation space. Whether you’re building a cyber risk platform, championing cyber psychology, or coordinating a regional community like the West Midlands Cyber Working Group (WM CWG), the ability to identify, map, and actively engage stakeholders is fundamental to long-term success.

Continue reading

The Ides of March: Reflections on Cyber, Startups, and Scaling Innovation

Leave a Reply

The Ides of March is a fitting time to reflect on betrayal, resilience, and the realities of UK cybersecurity. In the past two weeks, I’ve balanced DSIT’s Cyber Local funding process, chaired the West Midlands Cyber Working Group (WM CWG), led two funding bids, scaled one startup in a brutal funding climate, and booted up a second from scratch. Along the way, I’ve won the Pitch Battle at Cyber Runway Live, launched the UK’s first dedicated universal cyber risk score and comparison site, and tackled everything from weaponised AI threats to Kafka-powered scalability, all while navigating the messy, unpredictable, and often painful journey of building something that lasts.

Continue reading

Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed

Leave a Reply

The DSIT Cyber Governance Code of Practice consultation (Jan 2024) proposed five principles for boards: risk management, strategy, people, incident response, and assurance. But it left key gaps: no incentives, little for SMEs, no professional recognition, and weak thinking on assurance. This article argues the consultation was historic, but incomplete — a foundation that required sharper, practitioner-led input.

Continue reading