Public sector security: light at the end of the tunnel?
3rd July 2025 • Online
The government seems serious: is 2025 the year in which we start to fund security properly?
Good news at last: the government admits it must spend more and quickly too
The head of the National Cyber Security Centre (NCSC), Richard Horne, describes the cyber risks facing the nation as “widely underestimated … What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us.
“And what is equally clear to me is that we all need to increase the pace we are working at to keep ahead of our adversaries. We need all organisations, public and private, to see cyber security as both an essential foundation for their operations and a driver for growth. To view cyber security not just as a ‘necessary evil’ or compliance function, but as a business investment, a catalyst for innovation and an integral part of achieving their purpose.”
The January 2025 report issued by the Cabinet Office and researched by the National Audit Office was, if anything, blunter when it comes to public sector cybersecurity.
It reports that “multiple system controls fundamental to departments’ cyber resilience were at low levels of maturity in 2024, including asset management, protective monitoring and response planning.”
It found at least “228 ‘legacy’ IT systems in use by departments in March 2024, and the government does not know how vulnerable these are to cyber-attack.”
And over 50% of roles in some departments’ security teams were vacant in 2023-24.
As one spokesperson for the Cabinet Office has told AKJ, “it's a very challenging context. At the same time, be really blunt about it. Government is not keeping pace with this. We haven't done that adequately so far. That's why we need to seriously look at and seriously change the way that we're dealing with it.”
So, what does this mean for public sector cybersecurity? Well, it means responsibility for security will be clarified and allocated appropriately. It means that all types of public sector bodies, including arm’s length bodies, will have to get their security in order.
But most of all, it means that the government has finally accepted the fundamental importance of cybersecurity as a foundation of national security, a driver of economic stability and growth and a key deliverable in ensuring the safety and security of citizens and the organisations upon which they rely.
The new Cyber Security and Resilience Bill will be introduced to Parliament in 2025. Assuming the government is serious about revolutionising cybersecurity across the public estate, the Bill will usher in a new environment in which security is prioritised and new solutions sought.
Securing the Public Sector will look at how security should evolve from both a technology and a human perspective. Join us for real-life case studies and in-depth technical sessions from the security and privacy teams at some of the country’s leading public sector organisations.
This event is for anyone in:
- Local and national government
- Healthcare
- Education
- Public safety and defence organisations
- Public transportation
- The civil service