The UK has recently unveiled a comprehensive economic strategy aimed at bolstering technological investments and positioning the nation as a global leader in innovation.
Central to this initiative is the Modern Industrial Strategy, a ten-year plan focusing on eight high-growth sectors, including digital technology. The strategy commits £86 billion over four years to research and development (R&D), with £22.5 billion allocated annually to support advancements in areas such as artificial intelligence, semiconductors, and engineering biology.
However, economic conditions alone are not enough to create the conditions for technological ecosystems to thrive. There’s growing consensus among decision makers that part of the foundation of economic growth must include an emphasis on the cyber and security risk posture that emerging technologies bring to these economies.
Both the UK and EU face a defining challenge and opportunity as they chart their digital and economic futures. Sabeen Malik, VP of global government affairs and public policy at Rapid7, (pictured) shares insights from her recent conversations with government stakeholders during travels in the UK, EU, and RSAC conference in the United States.
She explores why economic and security policy frameworks also need to focus on procurement, partnerships and policy ‘pivots.’
What trends are you seeing in UK cyber policy?
There’s definitely growing recognition that cybersecurity isn’t just about defence; it’s also about enabling economic growth. That shift in mindset is encouraging. Policymakers increasingly understand that digital trust is essential if we want to scale emerging technologies across critical sectors and public services. Without that trust, transformation doesn’t happen.
But while the ambition is there, I’ve noticed a real disconnect between that vision and what’s actually happening on the ground. There seems to be a growing recognition of this issue. At the CYBERUK 2025 Technology Plenary, NCSC CTO Ollie Whitehouse contended that the UK has not been incentivising and rewarding companies that innovate and invest in cyber.
I think trust is one of the most important factors here. Organisations of all sizes and maturity levels need to have the confidence of secure infrastructure to grow and scale up. Putting cybersecurity front and centre in the economic strategy with SMART, risk-informed policies is the way forward.
What are the aims of the government’s cyber policy?
At a high level, the UK government is trying to position cybersecurity as a key part of its broader digital and economic strategy. In his speech at CYBERUK 2025 in Manchester, The Chancellor of the Duchy of Lancaster hailed cyber as the ‘poster child’ for growth.
While the direction of travel is promising, I often see a divide between those high-level aims and the mechanisms being used to achieve them. This is where the issue of trust comes in. Trust doesn’t emerge out of the blue, but rather it’s built through SMART, risk-informed policy.
Across the UK and Europe, we’re seeing a better understanding of the critical link between cybersecurity and economic resilience. The UK’s Cyber Security and Resilience Bill, for instance, places cyber readiness at the heart of national economic strategy.
To fully seize this moment, government leaders must provide a clearer, more decisive articulation of how these policies are being shaped to meet today’s evolving threats.
This means focusing on three core areas: partnerships, procurement and pivot. I call it the ‘three Ps.’ And to do this, there needs to be greater cooperation between the private and public sector.
Why does there need to be greater cooperation between the private and public sector?
If you liked this content…
Government IT Spending Set to Rise Next Year as AI Priorities Strengthen
London Councils Hit by Coordinated Cyberattacks as NCSC Steps In
In the Spotlight: Waltham Forest College
New Cyber Bill Aims to Keep ‘The Lights On and the Taps Running’
Public Sector Leads UK Industries in Cyber Policy Strength, New Study Finds
Governments and industry need to collaborate closely, sharing the same table to jointly address and reduce systemic risk. Effective cybersecurity requires a cooperative approach, not a top-down one.
The private sector collects a huge amount of threat intelligence, given that we’re on the front lines managing infrastructure, identifying vulnerabilities, and responding in real time. However, the public sector brings something equally critical: the strategic, geopolitical view that helps to frame all of this threat data into a broader context.
When you bring those two perspectives together, you can start making real progress on reducing systemic risk. This is why the first ‘P’ – partnerships – is so important.
My takeaway from recent conversations I’ve had across the UK and Europe is that while cooperation is happening, it’s still too passive. We’re often stuck in models where the private sector shares data after the fact, or the government issues top-down guidance that doesn’t reflect operational realities. That kind of setup won’t cut it anymore.
I was encouraged to hear the government talk openly about the need for better collaboration at the recent CyberUK event. For me, it’s about designing partnerships that go beyond self-attested best practices.
Some governments are leading the way in recognising the importance of translating complex policy into clear, actionable directives. This demonstrates that effective policy design depends on deliberate intent and thoughtful execution.
We need to actively analyse what’s working, what’s not, and why, based on the data we’re already collecting. Stronger, more dynamic partnerships mean we’re all better prepared. That’s not just good policy; it’s essential to keeping public institutions and businesses resilient in a constantly shifting threat landscape. This helps foster more effective policies and faster responses when serious threats emerge.
What can be done to encourage greater cooperation?
First, we have to stop treating cooperation as something that only happens in moments of crisis or consultation. It needs to be built into how policy is made from the start. That means bringing in industry voices early, not after the decisions have already been made.
One of the biggest levers we have is procurement – it’s a critical economic strategy, not just a bland, back-office necessity. The way governments buy and fund technology sends a powerful signal to the market.
If we want to incentivise innovation that will boost economic resilience, then procurement must reflect that, not just in language, but in how contracts are awarded, how outcomes are measured, and how flexibility is built in. There must be clear incentives for the private sector to get involved.
Research and development hubs are another potential way to foster collaboration from both sides. Again, the right incentives are necessary to attract private security companies to R&D projects that can foster momentum and innovation in areas such as AI and quantum.
We also need to talk honestly about existing regulations. A lot of people I spoke with recently across the UK, EU, and even elsewhere, kept using the word “pivot.” There’s that third ‘P’. Yet when I asked what they really meant, it came down to “review.”
There’s a sense that we need to review what’s in place and be willing to adapt, which is absolutely critical in a field as fast-moving as cybersecurity. Some rules are working, but others are just adding complexity without reducing real risk. That needs to change. To actually pivot, cyber regulations must be adaptive, risk-based, and innovation-friendly to succeed.
Finally, let’s invest in capability. Public sector teams need the tools, the training, and the breathing room to engage with private partners in a meaningful way. That’s how you build trust, and that’s the foundation of any effective partnership.
