A report produced for the government has today set out nine core recommendations for how the UK can strengthen its burgeoning cyber security sector to fuel resilience and growth across the economy.
Written by experts at Imperial College London (ICL) and the University of Bristol, and drawing on consultations with nearly 100 members of the cyber community, the UK cyber growth action plan slots into the government’s Modern Industrial Strategy, and will feed into an ongoing refresh of the National Cyber Strategy.
The report says that although the UK’s cyber sector remains on an upward trajectory, with jobs and revenue both rising by over 10% and gross value added (GVA) by over 20% in the past 12 months, taken as a whole, cyber is still undervalued. It describes “significant untapped potential” to go further still.
“The cyber security sector in the UK has significant growth potential, and there are clear roles for both government and the private sector identified … to contribute to tapping into that potential,” said Nigel Steward, director of the Centre for Sectoral Economic Performance (CSEP) at ICL.
“Supporting the sector isn’t just an economic opportunity, it’s essential for our national security and the resilience of businesses, so we at CSEP are very happy to have been able to produce this independent report in partnership with the University of Bristol to support the government’s Modern Industrial Strategy.”
Guy Poppy, pro vice-chancellor for research and innovation at the University of Bristol, added: “The UK’s cyber sector is a driver of innovation, resilience and economic growth. This action plan provides a timely roadmap, recognising how emerging technologies will shape future challenges and opportunities for stakeholders. It sets out a framework for research, skills and collaboration to turn innovation into growth and nationwide impact.
“By combining academic excellence with enterprise and policy engagement, we can help build a stronger, more resilient cyber ecosystem.”
Three pillars, nine recommendations
Each of the nine core recommendations is organised around three pillars – culture, leadership and places, designed to be implemented together to maximise their impact and force change at a systemic level.
The report’s authors caveated this by saying these are not designed to be exhaustive, and given how quickly the report was researched and compiled, it is likely that further work will be needed to create more granular recommendations.
On the first pillar, culture, the report recognises that growing British cyber businesses will depend on better interaction between product and service suppliers, and security buyers and leaders, and the first three recommendations are designed to address this.
- First, government and stakeholders should review incentives and validation routes available to cyber businesses to help make it easier to navigate complex cyber demands and build a culture that helps organisations grow;
- Second, government should stimulate growth by setting expectations on reporting cyber risk, encouraging uptake of cyber insurance and principles-based assurance, and possibly mandating the use of accreditations such as the National Cyber Security Centre’s (NCSC’s) Cyber Essentials scheme;
- Third, cyber professionals should be engaged in civil society on their role in national resilience and prosperity to foster public participation in security. They could, for example, emphasise the role security teams at critical infrastructure operations play in keeping the nation’s homes lit and warm. This effort would also include shoring up cyber skills initiatives at schools and colleges to develop future talent.
On the second pillar, the report recognises that cyber leaders today tend not to be very focused on connecting supply and demand for sector growth. The fourth, fifth and sixth recommendations set out to address this.
- The report recommends the appointment of a UK cyber growth leader to coordinate across the security sector and in the government. This role would encompass some duties previously held by the now-defunct UK cyber ambassador in promoting exports in support of the country’s national security, as well as a responsibility for driving forward a plan to prioritise cyber growth and integrate it into various policy areas;
- Next, it calls for the appointment of “place-based leaders” who can convene and drive local cyber security growth initiatives and outcomes. Ideally, these individuals will have significant experience in the industry. Although they will work with the cyber growth leader, they should remain independent from all levels of government;
- Then, the government should expand and better resource the NCSC, which the report’s authors describe as a “crown jewel” for cyber resilience, using its deep expertise in support of cyber growth, business guidance and validation, and technological research.
The third pillar recognises the role of “places” in innovation and growth. On this basis, the final three recommendations are designed to help attract cyber investors, shape research and development (R&D), and build relationships to help new security businesses get up and running.
- Place-based leaders should be in place to develop future-oriented communities that bring together security pros and chief information security officers, academics, small and large businesses, government, and other stakeholders, to share perspectives and pursue solutions to security challenges. The goal here is to help initiate and deliver innovative projects, building a “culture of anticipation”;
- Places should nurture distinct tech areas by being strategic in prioritising technologies and their areas of application based on local strengths and sector connections, aligned to government strategy. The goal here is local security strengths for local places that together are more than the sum of their parts and contribute to UK-wide growth;
- Finally, places should create safe spaces or sandboxes, with on-tap infrastructure and data for various stakeholders to explore, create and conduct exercises such as role-playing cyber wargames. The goal here is not just to help create new initiatives, products and services, but to foster broader capabilities to serve in times of crises, should they arise.
All of these recommendations are underpinned by two principles – that the UK’s security sector should act as one team, and celebrate, build on and capitalise on the social capital in the cyber community, and that the benefits of cyber resilience and growth should always be recognised during discussions of value for money.
“The message from across the sector is clear,” said Simon Shiu, professor of cyber security at the University of Bristol, who led on the report’s creation.
“The UK has the talent, ambition and opportunity to lead in cyber security. We can do this by aligning growth with resilience, and making strategic choices that benefit the whole economy.”
NCC Group CEO Mike Maddison added: “The UK’s Cyber growth action plan is a bold step forward, recognising cyber not just as a technology, but as a strategic enabler of national resilience and economic growth. It builds on the Industrial Strategy’s clear message: cyber is a frontier industry.
“This plan sends a powerful signal to our clients and partners. It shows that the UK is serious about scaling innovation, investing in skills and commercialising research. And it confirms what we have always known, that cyber security is essential to the future of every sector.”
