New report sets out how the UK can accelerate the growth and resilience of its cyber security sector

The Cyber Growth Action Plan has been published.

Commissioned by Imperial College London’s Centre for Sectoral Economic Performance (CSEP) & the University of Bristol, the Cyber Growth Action Plan sets out the roadmap for the UK to reinforce its position as a global leader in cyber resilience and innovation. Laid before Parliament as a Command Paper, the report will feed into the Growth pillar of the UK’s National Cyber Strategy which is currently undergoing a refresh.

What’s the focus of the report?

The report focuses on the growth of the UK cyber security sector, while paying attention to resiliency and value for money. The stated aim is to grow a thriving cyber security sector that enables the UK to be the safest country online, whilst recognising a persistent challenge: that those who make purchasing decisions often do not see why they should be investing in cyber security.

It follows the identification of Cyber as a frontier technology in the Digital and Technologies sector plan of the UK’s Industrial Strategy. With all organisations depending more on digital infrastructures, cyber resilience is critical to enabling all sectors of the economy to grow. This wider economic growth, in turn, should help to fuel innovation and growth in the cyber sector.

What does the report call for?

The Cyber Growth Action plan puts forward 9 recommendations and 24 associated suggestions which outline actions for all parts of the UK cyber ecosystem including government and industry. Broadly, these focus on:

• Curating the UK’s cyber culture to drive growth and public participation in cyber skills and innovation.
• Putting leadership in the right places with industry-led national and place-based cyber growth roles.
• Building on the UK’s places of cyber strength to collaborate on sensitive topics, chosen technology areas and make time to create and anticipate cyber futures.

Further, the report emphasises the need for two core shared principles to underpin the recommendations – (1) to act as one team (industry, government, academia, investors, and civil society coming together to grow the UK’s cyber sector); and (2) to both recognise and act upon the connections between cyber growth, resilience and value for money.

The Recommendations

[On Culture]

Recommendation 1 – Support growth journeys

Government and industry stakeholders should review the incentives and validation routes available to cyber businesses.

The goal is to make it easier for cyber businesses to navigate the complexity of meeting cyber demand and to shift the culture to one that selects and helps winners to grow.

Associated suggestions:

1. Pilot programmes that allow NCSC and DSIT to qualify and connect cyber startups with government departments.
2. Expand the co-creation and government investment models for wider commercial participation.

Recommendation 2 – Stimulate informed demand

Government should use guidance and regulations to stimulate growth by setting expectations for high-quality reporting of cyber risks, consulting on mandating the use of Cyber Essentials, and encouraging usage of cyber insurance and principles-based assurance.

The goal is to encourage organisations across sectors to prioritise cyber security in alignment with their organisational risks, thereby reducing incidents, increasing resilience, supporting broader economic growth, and driving demand for more UK cyber services.

Associated suggestions:

10. Mandate Cyber Essentials in selected supply chains.

11. Map standards & regulations to help navigate compliance.

12. Share guidance early to reduce burden.

13. Improve guidance on the reporting of cyber risk.

14. Support pre-procurement engagement for SMEs.

15. Accelerate the development of Principles Based Assurance (PBA).

24. Convene innovation work on cyber insurance.

Recommendation 3 – Foster public participation in cyber skills and growth

UK cyber professionals should engage with UK civil society on the sector’s role in national resilience and prosperity. This means emphasising the role cyber teams play in ‘keeping the lights on’ and the importance of skills initiatives from schools to professional development for cyber founders and leaders.

The goal is to build broader UK support for the role of cyber, making it easier for businesses to prioritise cyber, for people to learn cyber skills, and for the industry to attract, grow and maintain talent.

Associated suggestions:

3. Include ** ** marginalised demographics in product development.

4. Convene ‘cyber in the public interest’ events.

5. Use immersive methods to engage civil society.

6. Focus on the way cyber language is used with the public.

7. Incentivise organisations to create cyber career entry roles.

8. Double down on skills.

9. Review the Computer Misuse Act.

[On Leadership]

Recommendation 4 – Appoint a UK cyber growth leader

Government should appoint a leader to provide expertise and drive coordinated action across the cyber security industry and within Whitehall. This role would encompass some of the previous Cyber Ambassador’s responsibilities in advancing export growth and supporting national security objectives. It would also include responsibility for driving this growth plan forward.

The goal is to ensure cyber growth is prioritised and integrated across several policy areas.

Recommendation 5 – Appoint growth leaders in places of cyber strength

Appoint place-based leaders to be responsible for convening and driving cyber growth initiatives and outcomes. These leaders should have industry experience, support the UK cyber growth leader and be independent from central and regional government.

The goal is to ensure places use their strengths to grow, create, and attract more cyber businesses.

Associated suggestions for recommendations 4 & 5:

16. Choose a few places for Cyber Growth Centres.

17. Support growth leaders with funding & structure.

Recommendation 6 – Expand the NCSC role

The Government should expand and appropriately resource the NCSC to help drive cyber growth. The NCSC is a ‘crown jewel’ for cyber resilience, which is their primary mission. They also have the capability to guide and steer for growth outcomes. Given the importance of resilience, growth should be added without diverting attention from their existing priorities.

The goal is to use the deep expertise of NCSC in support of cyber growth, guiding and validating cyber businesses, research, futures, and technologies.

Associated suggestions:

21. NCSC to support place-based cyber growth leaders.

22. NCSC to work with place-based growth leaders assessing startups.

[On place]

Recommendation 7 – Develop futures-oriented communities

Place-based leaders should use their convening role to look forward and shape future markets. To do this, they should bring together CISOs, academia, small and large industry, government, and other stakeholders to share perspectives on, and pursue solutions to emerging cyber challenges.

The goal is to drive initiation, co-creation and delivery of innovative projects into the market, and to build a culture of anticipation.

Recommendation 8 – Places to nurture distinct tech areas

Places should be strategic in prioritising technologies and application areas based on their cyber strengths and sector connections in alignment with the Industrial Strategy and the UK Government Resilience Action Plan. Cyber innovation in AI, cyber-physical systems, and tooling for fundamentals should be considered as initial priority areas.

The goal is for the UK to have place-based cyber strengths that are more than the sum of their parts, each contributing to UK cyber growth.

Associated suggestions for recommendations 7 & 8:

18. Use places used to convene stakeholders on futures.

19. Engage with places to identify strengths to focus on.

23. Identify commercialisation opportunities for cyber-safe AI.

Recommendation 9 – Places to provide safe environments

Create safe havens with infrastructure and data for multiple groups of stakeholders (not just those with security clearances) to explore, ‘role-play’, co-create and share how to assemble and test solutions to current and emerging challenges.

The goal is to build broader cyber resilience capability, which will both serve in moments of crisis and be a pool of talent for cyber growth.

Associated suggestion:

20. Target a few places to create safe environments.

For more detail on the recommendations and associated suggestions, you can read the full Cyber Growth Action Plan report - follow the link below.