National Cyber Strategy misses the mark in one important way

While this section of Computer Weekly is all about security and IT security in particular, not all readers of this publication will be involved with security day to day, or at all. Indeed, they might not all be BCS members. 

My article this month takes a look at the UK government’s recently published National Cyber Strategy to see what, in my view, it means and the implications it might have on the UK as a whole, whether that be industry, education, public services and, of course, citizenry.

The published strategy is full of fine words and flag-waving, but what does it actually articulate? One thing that is clear from the strategy, but sadly is lacking any real emphasis, is the need for the UK as a whole to fully embrace and support science, technology, engineering and maths (STEM) subjects in education.

Teaching children to use office products such as Microsoft Word, Excel or open source equivalents is not teaching IT. Youngsters need to be enthused to study STEM subjects because it is the enthused ones who will go on to higher education and/or the technical apprenticeships necessary to support the goals articulated in the strategy. This requires a firm commitment from central government to support and fund STEM education in our school system.

While the strategy does mention the small and medium-sized enterprise (SME) sector, it does so only in relation to assisting in finding new markets for cyber products and in helping to shape standards by reducing the influence of the large players, both in the cyber marketplace and on the standards process. What is missing is a strategy for improving the provision of cyber support for the average SME.

In a similar vein, another area not directly mentioned in the strategy is how to improve the overall understanding and importance of cyber security to companies in general.

This could be fostered by the government supporting the UK’s various professional bodies in providing cyber bootcamps for managers, and public awareness could be fostered by a media campaign similar to the old “Clunk-click-every-trip” campaign when car seatbelts became mandatory.

The need to get company leaders on board was highlighted in one sidebar in the strategy by Jen Ellis of Rapid7, who said: “It can be hard for technical staff to get buy-in from leadership.”

So of the strategy overall, I would say it is a very good starter for 10, but really it should have been produced and put into practice a few years ago. And, crucially, it misses the education mark in many respects: there must be proper, centrally supported STEM education for the under 16s; there must be an effective strategy to improve the overall cyber security of the SME sector; and the importance of cyber security needs to be understood at managerial and board level across all companies and enterprises.