Comment on the U.K.’s new National Cyber Security Strategy

On 01 November 2016 the U.K. government published the new National Cyber Security Strategy 2016 to 2021. The document outlines the government’s plans ‘to make Britain secure and resilient in cyberspace’.

The government plan to invest £1.9bn to pay for the national strategy.

Accelerating the innovators

The digital marketplace structure of the U.K. government has reached spending of over £1bn in the last four years

The strategy outlines a clear desire of government to solve existing cyber security issues through innovation, and there is a perception that this is likely to come from small or start-up companies. Increased funding in SME’s and start-ups, and changes in government policy to allow for greater investment is likely to create accelerated market growth. This is likely to lead to an increase in merger and acquisition (M&A) activity.

The high market value created by the accelerator effect and the reliance on key individuals within those companies creates a unique risk. Acquisitive companies will need to ensure due diligence procedures are followed including quantification and management of intellectual property and ‘key personnel’.

As well as providing funding opportunities for smaller companies, the government also outlines plans to utilise new and untested products.

The digital marketplace structure of the U.K. government has reached spending of over £1bn in the last four years. Although this provides huge opportunities, a more direct to market product lifecycle may increase the likelihood and impact of the risk that a product or service implementation goes wrong. There will, therefore, need to be a focus on contractual risk and mitigation. These risks, however, are likely to be lessened with the government’s plans to increase the availability of testing facilities.

Commenting on the National Cyber Security Strategy, my colleague Fredrik Motzfeldt, Willis Towers Watson’s GB Industry Leader of Technology, Media Telecommunications, said:

The pledged investment in R&D, a Cyber Security Research Institute and security-based start-ups provides opportunity for the U.K. tech industry. As people increase their technology usage they also increase their cyber exposure. Organisations will need to strengthen their cyber security and will look to specialists to provide these services. The increased investment will widen the entry points for technology companies entering the cyber security ecosystem.

Data Protection

The time has long since passed when cyber security can be seen as a matter only for IT departments

One of the main themes prevalent throughout the strategy is that government will encourage best practice; this is likely to be seen through the continuation of the implementation journey of the General Data Protection Regulation (GDPR) and other regulatory standards.

The government also plans to ensure investors and insurers make business well aware of the upside and downside of having cyber security best practice and that this is recognised in the pricing of cyber risk.

My colleague Jamie Monck-Mason, Willis Towers Watson’s Executive Director of Cyber, had praise for the moves, but cautions that cyber-security isn’t just the government’s responsibility:

The UK Government can’t be criticised for not giving cyber security the priority it deserves. The issue now is whether the business community can respond in kind and meet the challenges proactively, rather just reactively. That response has to be driven at board level: the time has long since passed when cyber security can be seen as a matter only for IT departments.

Operational impact

The strategy outlines government plans for increased collaboration between the public and private sector. Suppliers to Critical Network Infrastructure (CNI) and communications providers should, however, expect increased scrutiny in exchange for additional government cyber security support.

The strengthening and resilience of overall infrastructure is a government priority, but this is also likely to result in additional responsibilities for businesses, including the sharing of threat and incident data and reacting faster to blocking requests. You will need to consider if these measures are likely to affect your customers. The more changes required to your network infrastructure the more likelihood of misconfiguration, which could lead to interruption to your business.

Talent war: Immediate and long term

The government intends to target talent from the age of 14 and from diverse backgrounds

The battle for cyber security talent has been widely reported in the industry alongside the lack of diversity. In almost every developed market the gaps are growing.

The government’s strategy aims to increase recruitment of specialists in the public sector to fill roles across government and defence. This is likely to add additional pressure to the job market.

Companies, therefore, need to ensure they offer a competitive benefits and reward packages to ensure they attract and retain the best talent as well as providing an attractive career pathway. The long-term government strategy to target talent from the age of 14 and of a diverse background should stabilise the labour market. An elevation of roles within cyber security gaining royal chartered status and a focus on upskilling employees should assist with selection of the right talent.

My colleague Alasdair Wood, a Director in Willis Towers Watson’s Talent and Reward practice, further commented:

Increased focus on cyber security talent will add to a range of factors currently placing greater emphasis not only on recruitment, but also critically on talent development and succession planning. As we have seen with digital development and marketing talent in recent years, in order to compete, companies need to formulate their unique employee value proposition and ensure it is fully reflected in HR programmes including pay, performance management and talent development. And in order to prepare for a fast-moving future, better succession planning is also needed, to ensure high potential candidates with the right cyber security skills are retained and progress through to leadership roles as the topic starts to mature.


Click here to learn more about comprehensive cybersecurity from Willis Towers Watson.


Karl Sawyer is a member of the Willis GB Technology, Media & Telecom (TMT) Industry Group. He provides industry experience to ensure a commercial perspective on risk. Karl had over 10 years’ in-house experience at ITV, a major broadcaster and international television producer. In his time at ITV he managed the global insurance programme and led the company on the development of business resilience. He also had time to have had roles in underwriting and loss adjusting.

Categories: Cyber Risk, Leadership and Talent | Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *