Assessing the UK government's announcement of the Cyber Growth Action Plan and additional investment of up to £16 million to boost the cybersecurity sector (see here), we see a stark disconnect between policy ambition and market reality that needs to be addressed.
The government's commitment is welcome—establishing a growth action plan led by experts from the University of Bristol and Imperial College London, alongside funding for CyberASAP and Cyber Runway programmes. With the UK's cyber sector already generating £13.2 billion annually and supporting 67,000 jobs, there's clearly existing momentum to build upon.
However, our recent Tech Confidence Index (see *NEW RESEARCH* TechMarketView’s Tech Confidence Index highlights rising economic challenges for UK firms | TechMarketView) reveals a concerning gap between government priorities and business reality. While 84% of UK tech companies plan to invest in AI/GenAI, only 40% are prioritising cybersecurity investment. Meanwhile, the Manufacturing Momentum Report 2024 shows cybersecurity ranking dead last among manufacturing priorities at just 1%, while leadership and skills challenges dominate at 24%.
This disconnect is dangerous. Recent cyber incidents affecting organisations like Synnovis, NHS Dumfries and Galloway, and the British Library demonstrate the real-world consequences of inadequate cyber resilience. The NCSC managed 430 cyber incidents in the past year, with 89 classified as nationally significant.
The Cyber Growth Action Plan's success hinges critically on implementing the forthcoming Cyber Security and Resilience Bill (see Government outlines new Cyber Security and Resilience Bill | TechMarketView). Without regulatory teeth to drive demand, even the most innovative UK cyber companies will struggle to find willing customers among organisations that consistently deprioritise cybersecurity spending.
The Bill's proposal to bring 900-1,100 managed service providers under ICO regulation, strengthen supply chain security requirements, and designate high-impact suppliers as 'designated critical suppliers' should create compliance-driven demand. However, the challenge runs deep.
The government's own Cyber Security Breaches Survey 2025 (see 2025 Cyber Security Breaches Survey: Rising ransomware and declining board responsibility | TechMarketView) reveals that only 27% of UK businesses now have board-level cyber security responsibility, down from 38% in 2021. With cyber budgets remaining flat despite rising threats, the sector faces a fundamental awareness problem that won't be solved by supply-side investment alone.
The government's establishment of the Government Cyber Advisory Board, featuring experts from BAE Systems, Microsoft, and Google DeepMind, alongside regional technology clusters, represents important supply-side coordination. However, most announced measures focus on creating cyber companies rather than cyber customers.
The few demand-side drivers are significant but limited: the Cyber Security and Resilience Bill creating compliance requirements, the government acting as lead customer through initiatives like the NHS Cyber Security Charter, and public sector procurement demonstrating market leadership. Yet, the government’s own preparedness for cyberattacks is considered dangerously inadequate, making the state's ability to lead by example challenging (see UK government cyber resilience lagging behind).
For investment to truly catalyse growth, three conditions must align: strong regulatory enforcement driving compliance demand, continued skills development addressing talent shortages, and, crucially, cultural change elevating cybersecurity from afterthought to strategic priority in UK boardrooms.
Recent enforcement action suggests regulators are getting serious about penalties—the ICO's £2.31m fine against 23andMe for failing to implement basic multi-factor authentication sends a clear signal. However, continued high-profile breaches like the Legal Aid Agency attack, which exposed sensitive data from hundreds of thousands of applicants, show that even regulatory action isn't yet changing organisational behaviour at the pace required.
Without this trinity of regulation, skills, and cultural change, even £16 million risks being insufficient to bridge the gap between cyber innovation and adoption, leaving UK organisations exposed.
Posted by: Georgina O'Toole at 09:49