Tag Archives: Cyber Strategy

The NCSC Annual Review 2025: Between Capability and Stasis

The article examines the NCSC Annual Review 2025 as both a testament to accomplishment and a warning. It praises the NCSC’s technical competence but questions its identity: regulator, delivery agency, or state-backed market player? It highlights contradictions — DSIT hailing it as “the jewel in the crown” while eroding its remit, diluting CyberFirst into TechFirst, ending its startup work, and overstating the benefits of Cyber Essentials. The piece concludes that the NCSC is overextended and under-defined, needing clarity of purpose more than new initiatives — less performance, more direction.

Continue reading →

UK Cyber at a Crossroads: Three Essays on Policy, Practice, and Growth, in Reaction to the 2025 Cyber Growth Action Plan

Leave a Reply

The UK’s cyber policy has made progress but suffers from churn, overlap, and regional imbalance. The 2025 Cyber Policy sets out ambition but lacks continuity and practitioner voice. This three-part series traces the history, critiques the new policy, and argues for a practitioner-led, regionally balanced ecosystem to stabilise the base finally.

Continue reading →

Reviewing the 2025 UK Cyber Growth Action Plan: Promise, Blind Spots, and the Challenge of Continuity

Leave a Reply

This article, written in reaction to the DSIT Cyber Growth Action Plan 2025, reviews and critiques the government’s new approach. It recognises what the policy gets right — framing resilience as growth, creating safe havens, and calling for a one-team response — but also highlights what is missing: metrics, continuity, practitioner voice, and regional balance. Without these, the new policy risks becoming rhetoric rather than a platform for real progress. Unless the UK moves decisively from aspiration to delivery, the 2025 Cyber Growth Action Plan will join its predecessors as another missed opportunity.

Continue reading →

Reviewing the 2025 DSIT Code of Practice for Enterprise Connected Device Security: A Critical and Constructive Analysis

Leave a Reply

This article provides a comprehensive analysis of the UK Government’s proposed 2025 Code of Practice for Enterprise Connected Device Security, published by the Department for Science, Innovation and Technology (DSIT). It unpacks the structure, rationale, and policy intent behind the Code, outlines its 11 lifecycle-aware security principles, and evaluates its strengths and limitations. Drawing on lessons from the earlier NCSC Cyber Resilience Testing (CRT) programme, it offers a set of practical, actionable recommendations to improve uptake, scalability, and long-term impact. This is a roadmap for policymakers, manufacturers, and enterprise buyers navigating the emerging landscape of connected device security in organisational settings.

Continue reading →

Cyber Collaboration in the West Midlands: Skills, Strategy, and a Shared Future

Leave a Reply

On 29 April 2025, the West Midlands Cyber Working Group met at Gowling WLG in Birmingham to explore how collaboration can drive cyber resilience, skills development, and strategic growth across the region. Speakers, including Andy Hague (TechWM), Dan Rodrigues (CyberFirst), Dave Walker (ex-AWS), Sarah Gray and Louise Macdonald (Gowling WLG), and Wayne Horkan (WM CWG Chair) shared insights on scaling regional leadership, building inclusive talent pipelines, addressing AI security risks, and navigating evolving legal frameworks. The event underscored a shared ambition to position the West Midlands not just as a participant but as a leader in the UK’s cyber ecosystem.

Continue reading →

Mapping the Landscape: Stakeholder Grids for Startups and Ecosystems

Leave a Reply

Understanding who matters most to your mission, and how to engage with them, is vital for any business, especially in the startup and innovation space. Whether you’re building a cyber risk platform, championing cyber psychology, or coordinating a regional community like the West Midlands Cyber Working Group (WM CWG), the ability to identify, map, and actively engage stakeholders is fundamental to long-term success.

Continue reading →

The Ides of March: Reflections on Cyber, Startups, and Scaling Innovation

Leave a Reply

The Ides of March is a fitting time to reflect on betrayal, resilience, and the realities of UK cybersecurity. In the past two weeks, I’ve balanced DSIT’s Cyber Local funding process, chaired the West Midlands Cyber Working Group (WM CWG), led two funding bids, scaled one startup in a brutal funding climate, and booted up a second from scratch. Along the way, I’ve won the Pitch Battle at Cyber Runway Live, launched the UK’s first dedicated universal cyber risk score and comparison site, and tackled everything from weaponised AI threats to Kafka-powered scalability, all while navigating the messy, unpredictable, and often painful journey of building something that lasts.

Continue reading →

Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed

Leave a Reply

The DSIT Cyber Governance Code of Practice consultation (Jan 2024) proposed five principles for boards: risk management, strategy, people, incident response, and assurance. But it left key gaps: no incentives, little for SMEs, no professional recognition, and weak thinking on assurance. This article argues the consultation was historic, but incomplete — a foundation that required sharper, practitioner-led input.

Continue reading →