NAO calls UK Government Cyber Security Programme a farce
In 2016, the government announced it was to invest £1.9 billion in a National Cyber Security Strategy. The announcement came with a lot of fanfare and claims about where the money would be invested. The Strategy was designed as a cross-government approach to making the UK more secure. Of the £1.9bn, £1.3bn was allocated to the UK 2016-2021 National Cyber Security Programme.
The National Audit Office (NAO) has just published its latest progress report on the Programme and it does not make for good reading. The full report runs to a whopping 53 pages which, in places, is far from the most scintillating read. What it does do, however, is deliver a damning insight into the way the Programme is being run.
What did the report find?
The report identifies:
- Inadequate management that continues despite recent improvements
- A poor delivery record which is improving but not enough
- A lack of effective baselines for allocating resources, deciding on priorities or measuring progress
- 37% of the budget from the first two years (£169 million) loaned or transferred to support other activities
- Only 8 of the 12 objectives have at least 80% of the projects supporting them on track
- A low confidence that six projects will achieve their objectives
- National security reasons used to prevent the NAO reporting on 11 of the key strategic outcomes
- A third (107) of the 326 metrics that could track the performance of the Programme and the overall Strategy are not being measured
- No funding in place after 2021 for the new capabilities in the Programme
- An expectation that there will be no coherent vision for cyber security post 2021 in time for the 2019 Spending Review which will set out funding requirements when the current Programme expires
Overall, this leads the NAO to say that: “With two years of the Programme still to run this makes it hard to say whether it will provide value for money.”
What has gone wrong?
Seemingly, things went wrong right from the beginning. Despite this being the second five-year Strategy, it seems that there was a significant lack of understanding about what was involved. The NAO report highlights the fact there was: “No business case for the Programme.” This, in turn, meant there was: “No way to assess how much funding it really required.”
The lack of planning is also one of the reasons that monies were loaned or transferred elsewhere. The grand Strategy announcement was overtaken by other priorities. Counter-terrorism has “borrowed” £100m, and £69m was given to other national security activities. The report does say that there is some cyber security benefit from those but doesn’t say how much.
The lack of planning is also reflected in confusion over roles and responsibilities. This extended from government departments to the private sector. The report stops short of saying if monies were wasted on private sector contracts, but confusion is not conducive to value for money.
Adding to the pressure on the government is the claim that: “Two years in the government still lacks the evidence to prioritise those activities that will have the greatest impact.” This will concern those responsible for security in the long-term. It means that there is a significant risk of effective projects being lost and gaps in the Programme appearing.
Not everything is a failure
Among the bad news there is some good news. The success of the National Cyber Security Centre is highlighted. It has created a solid education platform and targeted messaging to businesses. It has also been increasingly involved in responding to certain types of attack. This is as part of its work with the Incident Response Programme. Since 2016, the NCSC has dealt with over 1,100 incidents.
Among the successes for the NCSC has been the blocking of over 54.5 million fake emails in 2017-2018. Many of these promise tax or VAT refunds. This success is part of the Active Cyber Defence Programme that the NCSC has been responsible for. However, despite the efforts of the NCSC and HMRC, those emails continue to circulate and cyber criminals continue to have success.
It is not just emails where the NCSC has been successful. It has brought the time taken to bring down a malicious website from 42 hours to 9 hours. This work has also seen over 53,000 websites closed.
The report states that parts of the Active Cyber Defence have been taken up by other parts of the public sector and the private sector. This is good news. It has certainly provided some relief from commodity attacks. What is not clear is if this is likely to be supported by the government to bring more partners in.
There is also a substantial amount of work being done by UK universities to help close the cyber skills gap. What is missing here is the same interest in vocational training which will deliver help sooner.
What does the industry think?
Not a lot, well not a lot that was printable. Farce, inept, laughable and a national embarrassment were typical of the comments we received via phone calls. Some, however, were understanding and even supportive of the government.
Jake Moore, cyber security specialist at ESET commented: “In 2016, £1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support. If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel. Great Britain has been no safe haven for cyber criminals and the NCSC is known across the world as a solid force against cyber criminality.”
There was also a view from some comments that businesses who rely on government fixing this are wrong. Spencer Young, RVP EMEA at Imperva told us: “With cyber-crimes on the rise and becoming increasingly sophisticated by the day, the responsibility now lies with businesses to protect their data.
“With a multitude of apps, cloud storage platforms and devices available, organisations are finding that their data security posture is not as robust as it used to be. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences.
“The growing popularity of these apps, however, means hackers now have many different entry ways to target an organisation’s data – and potentially cause more exposures and breaches.
“This is why businesses must focus their efforts on protecting their data above all else – regardless of the platform, app or device it sits in or passes through.”
Enterprise Times: What does this mean
Governments and grand plans are history’s way of delivering comedy. The repeated announcement of the initial £1.9bn for cyber security is a good case in point. There was confusion over whether this was a single announcement or multiple chunks of money.
We now know that only £1.3bn made it through to the core Programmes. Spending in the first two years has been limited, especially as monies have gone elsewhere. The report also questions if the current plans can be delivered with what is left in the pot.
Of more concern is the fact that there is no serious planning for 2021 and beyond. The cyber threat is growing far faster than government can react. Other governments, such as the US, are allocating billions every year to cyber defence. It is time for the UK government to take this threat seriously.
While the NAO doesn’t say that the Programme is a complete failure, it does make it clear that there are significant shortcomings. Those mean that it cannot be certain of what will be achieved and what won’t. It will be interesting to see what changes as a result of this report. The likelihood is that very little will happen. Why? The department responsible for this is the Cabinet Office, which is currently struggling with Brexit and all that entails.
source enterprisetimes