The McPartland Review, led by Rt Hon Stephen McPartland MP, is an independent inquiry initiated by the UK government to explore how cybersecurity can act as a catalyst for economic growth. The review aligns with the government’s vision to leverage cybersecurity in bolstering economic resilience across various sectors, contributing to the UK’s ambition of becoming a leading cyber power. It seeks to gather insights on enhancing trust, resilience and growth in the UK economy through effective cybersecurity measures.
CREST, as a not-for-profit accreditation and certification body representing and supporting the technical information security market, is keen to deliver its research and members’ thoughts to assist the McPartland Review.
With this in mind, CREST held a roundtable event in early March 2024, chaired by the Rt Hon Stephen McPartland MP, which discussed the opinions and concerns of more than 180 CREST International members based in the UK.
From the roundtable and a subsequent member survey, it is clear to CREST that cyber security providers play a critical role in bolstering the UK’s economic resilience and in enhancing standards and competitiveness on the global stage.
The need for internationally recognised standards in cyber security is paramount.
Asymmetry of information between buyers and sellers of cyber services risks a failed market, suppressing economic growth and weakening resilience. This imbalance can affect the decision-making process, leading to potentially unfair outcomes where the less informed party may make decisions that are not in their best interest, simply because they lack critical information.
This information issue disproportionately affects SMEs, which often have less understanding of the lexicon of cyber, making procurement decisions based on cost rather than on service delivery competency and assurance considerations.
Coupled with the challenge of recruiting and retaining skilled professionals, this means the UK faces important decisions if it is to accelerate innovation in cyber over the next five years and fulfil its potential as a continuing world leader in the field.
Elevating standards
Our evidence submission to the McPartland Review includes a selection of key findings and suggestions.
Firstly, we need to elevate domestic and international standards. Addressing the cyber security knowledge gap and elevating standards globally will significantly enhance economic growth as well as security, particularly benefiting smaller businesses and strengthening international competitiveness.
As Dr Bushra AlBlooshi, Director General Senior Consultant at Dubai Electronic Security Center (DESC), put it in our evidence submission: “By accepting and recognising international standards, nations reap many benefits, including enhancing their own security posture as well as contributing to a safer global cyber landscape that is less prone to cyberattacks.
“Harmonised standards provide a common framework that securely and efficiently facilitates cross border collaboration, thereby fostering trust and confidence among countries across the globe.”
Standards for services that go beyond basic cyber hygiene tend to focus on central government, critical infrastructure and high-risk sectors like financial services. They do not, however, generally apply to the whole economy, leaving gaps in security for other potentially more vulnerable organisations and individuals.
The current ‘patchwork quilt’ of differing standards emerging internationally is creating, rather than removing, friction. It also opens the door to lower quality service providers, as buyers look for low-cost solutions, often unaware that they offer little to no assurance.
We are calling for standards that buyers can rely upon. Tools like CREST accreditations and the associated buyers’ selection tool operate as independent assurance mechanisms, mitigating limitations in buyers’ cyber knowledge and procurement capability.
And while the UK stands at the forefront of establishing cyber security standards, such as NCSC’s CHECK for UK government and the Bank of England’s CBEST for financial services, adoption of newer frameworks like NCSC’s CIE and CIR L2, along with addressing limitations posed by existing laws like the Computer Misuse Act, is crucial.
CREST further suggests a push for more national-level cyber incident reporting and transparency, which will drive a faster, better understanding of attack types, sector trends and enable knowledge sharing and prevention. Authorities need to promote a culture of sharing, openness and learning to encourage adoption, similar to the sharing of safety incident data in the aviation sector.
We also recommend the adoption of secure-by-design principles in software development, which is widely accepted to be critical for securing the supply chain. The UK software and cyber sectors can enhance their attractiveness and competitiveness by driving this concept at an early stage through university courses, professional training and the developer community.
Meanwhile, supporting international standards like OWASP’s Application Security Verification Standard (ASVS) and CREST’s associated OVS accreditation would further strengthen the independent assurance of web and mobile application security.
Stop stifling growth
Closing the cyber skills gap is vital. UK Government figures from 2023 reveal 50% of businesses reporting a basic skills gap and 33% an advanced skills gap. The sector also saw a 30% increase in job postings, with 37% of these positions being hard to fill. Additionally, women represented only 17% of the workforce, highlighting diversity issues. The estimated shortfall of personnel needed to meet demand decreased slightly to 11,200, indicating ongoing efforts to address these gaps through initiatives like the National Cyber Strategy.
CREST members feel the cyber skills gap is stifling investment, growth, and quality in the industry, marked by a mismatch in supply and demand for skilled professionals at various career stages and an urgent need for investment in leadership and wellbeing to sustain the sector.
Dynamic initiatives to professionalise the cyber workforce, enhance early career development, and foster a more inclusive and supportive environment are critical steps toward bridging this gap.
Compounded by gaps in people management and leadership experience, there is also an urgent need for greater wellbeing support at the heart of the cyber community, championed by leaders across the sector.
Leading the world
However, the UK’s cyber security ecosystem, already bolstered by CREST’s collaboration with the government and its global standard-setting efforts, stands at the cusp of leading the world in cyber expertise and innovation.
The UK cyber sector can, and should, be positioned by the UK government as a world leader in advanced skills, high standards, emerging technology and professional consulting services.
A UK cyber service is a mark of quality, born in one of the most advanced cyber ecosystems globally, backed by the independent quality assurance that you get from the UK regulatory environment and force-multiplied by CREST’s international remit.
Policies aimed at encouraging, and where possible funding, innovation and competitiveness within the UK cyber security industry are vital. UK cyber businesses must continue to invest in technology, skilled people and growth to ensure that they remain at the forefront of service capabilities in the AI era.
By harmonising international standards around the CREST model, and fostering a government-backed push for growth and innovation, we believe the UK can cement its position as a powerhouse of cyber service excellence and ensure its companies thrive on the global stage.
Addressing these findings with tangible actions can put UK cyber security firmly on the global map, leveraging the UK’s strengths in cyber security to foster economic growth while enhancing national security.