UK National Cyber Security Programme not delivering promised economic benefits

NAO update paints mixed picture of progress

The UK's £860 million National Cyber Security Programme has so far failed to deliver the expected economic benefits for businesses, the latest progress report from the National Audit Office (NAO) has found. Businesses might also not be sharing enough threat information.

Overall, the Update offers a surprisingly glowing assessment of the progress made by the Programme, despite in the past pointing out weaknesses such as the persistent shortage of cyber security skills.

This time, there is more sweetness and light, although if you read deeper some islands of anxiety eventually surface.

On the positive side, progress has been made in getting businesses and consumers to take cyber security seriously, the clutch of educational initiatives have started to address skills shortages, and financial governance of the Programme appears to be good - the NAO said it expected the full £860 million budget to be used by the expected 2016 date.

On the other, the successful launch of UK CERT in March shouldn't be allowed to obscure the difficulties that still exist in getting businesses to share threat information to make possible real-time intelligence of the sort the Government sees as critical.

"There is, however, some reluctance from many companies to share information about breaches, unless forced by regulators or legislation, because of the potential impact on their reputations."

But the weakest score of all is reserved for the Programme's struggle to turn the security expertise held by UK-based businesses into something resembling an economic benefit. Cyber Security is at the top of everyone's to do list and UK businesses should be booming on the back of exports but somehow this is proving harder to bring about.

Some of the blame is thrown at slow implementation, with the Cabinet Office UK Trade and Investment (UKTI) marketing strategy taking until May 2013 to appear, 14 months behind schedule.

Big deals with foreign governments through the Defence and Security Organisation also favoured established firms rather than SMEs, the NAO said.

The Government agreed a methodology for measuring export success and reaching its own £2 billion target but this remained fraught with difficulties.

"The nature of cyber products means that it is often possible for operations in the UK with intellectual property developed by UK employees to be owned by a foreign company," said the NAO.

"The ultimate destination for this income being generated by UK intellectual property may therefore not be the UK economy. All of these factors make accurate measurement of the target difficult."

A final uncertainty with the National Cyber Security Programme was simply the inherent difficult of measuring the relationship between inputs defined through money and initiatives and outputs measured through better cybersecurity.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityNational Audit Officepublic sector

More about National Audit Office

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E. Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts