Reflections from CYBERUK2025

Game on: the race for cyber resilience in the age of AI 

14 May 2025

By NCC Group

 

This year, the UK’s flagship cyber security conference, CYBERUK, returned to Manchester – NCC Group’s hometown and one of the UK’s fastest-growing cyber hubs. From policy to practice, AI to assurance, the 2025 edition spotlighted how the public and private sectors can work together to stay on the front foot. 

With the theme of building resilience in an interconnected world, the event convened international partners, policymakers, CISOs, and technical experts for three packed days of keynotes, breakout sessions, and debates on how to outpace evolving threats and seize the opportunities of a digital future.

UK NCSC CEO Richard Horne kicked off the conference by comparing cyber security to a tennis match between two opposing players – both equipped with cutting edge tools like AI to improve their game. And while there was broad agreement that AI is unlikely to lead to a “cyber armageddon” any time soon, newly declassified intelligence from the NCSC finds that it will increase the frequency and intensity of cyber threats.  

So, how do we win this contest? Or, at least, if not win, gain an advantage on our opponents? For many speakers, it starts with shifting our mindset: accepting that not everything can be controlled but doubling down on what can.   

Here are our takeaways from the week. 

 

Control the controllables 

Horne told the conference that we must focus on “controlling all the variables that are within our control” while being “prepared for those that are not.” The NCC Group team on the ground noted a marked shift to a solutions-focused approach: moving past the “frozen deer mentality”, accepting that there is no such thing as secure, and concentrating on what can be done to make a difference.

At the Technical Masterclass session on ‘Countering Cyber Threats for Resilient Global Supply Chains’, easyJet CISO Paul Midian reiterated that we can't control everything. But he added that the industry is building a clearer picture of what can be controlled — and how to respond when unexpected events, whether security incidents, global crises, or political shifts, disrupt the steady state.  

Speaking alongside Paul, NCC Group’s Dr. Liz James noted that this especially applies in the context of the global supply chain, contributing to a more progressive mindset across the sector. This more progressive mindset, however, should not detract from the very real assurance challenges, be they cyber and information security or operational resiliency. The more layers across the supply chain, the more opportunities for misalignment and a larger potential attack surface.  

During the course of the three days in Manchester, the UK Government set out how it is “controlling the controllables” with the announcement of key initiatives including the rollout of passkey technology for its digital services, new work to drive the adoption of the CHERI chip, and an £8 million investment in the Ukraine Cyber Programme. Chancellor of the Duchy of Lancaster Rt Hon Pat McFadden MP also announced a new National Cyber Strategy that will establish this Government’s overarching approach to cyber resilience and is set to be published by the end of this year.

 

Incentivise best practice 

NCSC’s CTO Ollie Whitehouse was clear in his message that “market incentives for secure foundations are going to be crucial”, noting that “the market does not currently support and reward those companies that build secure products”. Without clear incentives in place, he added, “nothing changes, and we repeat for the next 40 years what we’ve done to date”.  

But what role can governments play in creating these incentives? The most obvious way is to make it law. As we explore in the latest edition of NCC Group’s Global Cyber Policy Radar, governments are expanding cyber security rules to more and more sectors – from the UK’s Cyber Security and Resilience Bill and the EU’s myriad of new cyber laws through to Australia’s Cybersecurity Act and Japan’s Active Cyber Defense Bill.   

But there are other levers governments and industry can pull. CEO of the Cybersecurity Agency of Singapore, David Koh, said that while cyber laws and regulations are necessary, one unintended consequence is that regulated firms simply “meet the baseline and don’t go beyond.”  

We must move away from a “regulator-regulatee” relationship to one which is a partnership, he said, while also exploring the role of voluntary schemes that enable organisations to differentiate themselves from their competitors and/or access new markets. Japan’s Deputy National Security Advisor Keiichi Ichikawa highlighted the success of Japan’s Cyber Star – a voluntary labelling system for IoT devices that is being driven through government procurement rules. Meanwhile the UK NCSC launched the new Cyber Resilience Test Facilities (CRTFs) that will deliver assurance for a wide range of internet connected products against the Principles Based Assurance (PBA) methodology which NCC Group has been proud to help craft.  

 

Build a community response 

Every year, CYBERUK brings together all parts of the cyber ecosystem to discuss, challenge, and co-create a collective approach to cyber security. This year was no different – with the great and the good from the global cyber community descending on Manchester.

Across all the sessions and the conference floor, a sense of “we’re all in this together” was ever-present. This was true not only of UK delegates, but also of the strong international contingent because – as we know – cyberspace knows no borders.

For Minister Pat McFadden, the UK’s long history of public-private partnerships presents an “enormous” opportunity for “cyber security to be a driving force in our economy”. He announced that cyber will be a core part of the UK’s Industrial Strategy, with the cyber industry backed by government with policies aimed at enabling its continued growth.  

We are so pleased to see this recognition of the sector’s critical role in the UK economy, particularly in our home city of Manchester where the North West cyber ecosystem is going from strength to strength.    

See you in Glasgow in 2026! 

That’s a wrap on CYBERUK for another year. With AI innovation accelerating, cyber resilience under the spotlight, and stronger partnerships between nations and sectors taking shape, CYBERUK2025 showed just how much the conversation has evolved.  

But our work doesn’t stop there. At NCC Group, we’ll continue collaborating with industry, government, and academia to put these ideas into practice – whether that’s shaping assurance standards, supporting secure-by-design development, or building threat intelligence capabilities for a safer digital future.