
Reflections on the 2025 Cyber Growth Action Plan

The UK’s 2025 Cyber Growth Action Plan, developed by Bristol University and Imperial College London on behalf of the UK government’s Department for Science, Innovation and Technology (DSIT), lays out an ambitious roadmap to strengthen the nation’s cyber security sector. It identifies key challenges and recommendations to spur growth, resilience, and skills development.

As a community of accredited cyber companies and professionals, CREST finds many of the plan’s priorities closely aligned with our mission. Below, we reflect on a few themes from the plan and what they mean for our community.

In particular, we consider how a trusted community of high-quality service providers and talented professionals can support the government to protect national interests whilst developing and flourishing in a competitive global market for cyber services.

Trusted Assurance to Address Market Gaps

One core theme in the plan, advocated for strongly by CREST CEO Nick Benson in his contributions to the report, is the information asymmetry between cyber security providers and buyers. In Section 3, the review describes this as a market failure where buyers lack clear, independent information about the quality of products and services. This is compounded by the technical complexity of many cyber offerings and the comparative lack of specialist knowledge by many on the demand side.

This gap in understanding erodes buyer confidence, leading to a ‘race to the bottom’ on price and quality. UK cyber’s strong reputation on the world stage is underpinned by quality and its continued domestic and international growth relies on this. The plan warns that simply growing the cyber industry without ensuring quality would be risky. Instead, it calls for raising standards through better assurance. Insufficient buyer understanding is cited as a factor behind lower market standards, and improving assurance processes is highlighted as a solution.

The plan points to the success of some of the UK’s National Cyber Security Centre assurance schemes in overcoming information gaps. The NCSC’s Cyber Incident Response and Exercising programmes, for which CREST is a delivery partner on behalf of the NCSC, are strong recent examples of such schemes delivering tangible impact.

CREST is highly encouraged to see this as a core element of the growth plan, having championed this exact point for almost 20 years now. Our accreditation of member companies, certification of professionals and partnerships with regulators like the NCSC and the Bank of England are all about providing trusted assurance. By accrediting provider services against high standards, we help bridge the information gap between vendors and buyers, giving customers greater confidence in the cyber solutions they procure.

Harmonising Standards for Global Growth

Another priority in the Action Plan is the harmonisation of cyber security standards internationally. Many participants in the review noted the complexity of complying with different regulations and the value of mapping standards or having fewer overlapping requirements. This reduces friction for the UK’s cyber exporters and enables accelerated growth potential.

Aligning UK standards with upcoming European Union rules and other frameworks could pave the way for wider international standardisation. For example, the introduction of NIS2, DORA, the Cyber Solidarity Act and the planned accreditation of managed security service providers will provide opportunities for UK cyber businesses to show their capabilities using UK NCSC and CREST credentials in a market that is now seeing greater demand than supply of quality providers.

The Action Plan notes that promoting UK cyber capabilities abroad, particularly by helping startups and smaller firms access export markets, is crucial for growth. CREST continues to contribute here by working tirelessly with international partners to raise awareness of and recognise its standards. We welcome the plan’s support for harmonised standards as a means to supercharge UK cyber exports and innovation abroad.

Protecting the UK’s cyber community – the imperative of CMA Reform

The Computer Misuse Act (CMA), the law governing unauthorised computer access, emerges in the plan as an area needing careful reform. Participants in the review highlighted ongoing debates about the CMA, as the Act can discourage well-intentioned cyber activities. The CyberUp campaign has argued that uncertainty around the law “chills” the development of offensive security skills, potentially leaving the UK at a disadvantage. Talented individuals may shy away from these careers or fail to sufficiently test and strengthen defences for fear of legal repercussions.

Recognising this issue, the Cyber Growth Action Plan repeats the consistently raised suggestion that the government review the CMA. CREST, along with many of its member companies, has been an active supporter of CyberUp’s push for updates to the CMA – we believe that reforming the out-of-date law is key to both security and growth. The plan’s forward-looking stance on this topic is encouraging.

Strengthening the cyber talent pipeline

The final area we highlight is that the Action Plan underscores the need to grow and professionalise the cyber security workforce. Despite a historically well-documented cyber skills shortage, the report notes a more complex picture is emerging – a high volume of individuals now graduating with relevant degrees, but many struggling to find their first role.

Participants observed that demand for entry-level positions is limited, even though plenty of people are eager to move into cyber careers. CREST expects that the AI revolution will accelerate this trend, causing concern as to where the cyber professionals of the future will come from when the opportunities to learn and develop at the start of a career are being taken away.

To tackle this, the plan proposes incentives for companies to create cyber career entry roles and apprenticeships, linking such efforts to broader initiatives that stimulate cyber demand. CREST strongly supports building these entry pathways. Our industry only thrives if we have a pipeline of qualified new professionals coming through. Many CREST member firms already mentor interns and graduates; additional government backing would amplify such programmes and help more young people get that critical first experience.

The plan also recognises ongoing work to professionalise cyber security as a discipline, helping shape career pathways, but also providing trusted assurance over professional skill and competence. The UK Cyber Security Council and licensed bodies like CREST have already started assessing and awarding professional titles to cyber professionals across the UK. Maintaining a register of qualified professionals is highlighted as increasingly important as the field grows and evolves.

The plan’s emphasis on professional titles and accreditation validates the approach CREST and others have taken for years – that of treating cyber security as a true profession with recognised credentials. It is important that, as the UK develops its professional standards, it seeks harmonisation with other countries to ensure its people can continue to work on international assignments with low friction, as well as being able to attract quality talent to the UK.

We will continue collaborating with the UK DSIT and the International Coalition for Cyber Security Workforces to work towards harmonised standards and a robust, recognised profession that attracts new talent and upskills the existing workforce.

Looking Ahead

Overall, the Cyber Growth Action Plan offers a compelling, forward-looking vision for expanding the UK’s cyber sector in tandem with improving national resilience. Its priorities, particularly trusted assurance, internationally recognised standards, legal reform and skills development, are ones that CREST and our members are already deeply invested in.

Our community of experts has long advocated for raising standards and building trust in cyber services, and it’s heartening to see these themes at the forefront of UK government strategy. By working together with industry peers, government, and international partners, we are confident in helping to turn these recommendations into reality.

About the policy paper “A UK cyber growth action plan – final report”

The report was presented to the UK Parliament by the Parliamentary Under-Secretary of State for Science, Innovation and Technology in September 2025. The official publication of the report on the gov.uk website (https://www.gov.uk/government/publications/cyber-growth-action-plan-2025/a-uk-cyber-growth-action-plan-final-report) describes it as “the output from an independent, rapid analysis to provide key insights on the interventions needed to further develop the UK’s cyber security sector. Carried out by a team from the University of Bristol and Imperial College London, it builds on the Cyber Security Sectoral Analysis 2025 and the UK government’s Modern Industrial Strategy. It was produced in time to feed into the refresh of the National Cyber Strategy.”

Several members of the UK cyber ecosystem were acknowledged for contributing to the review, including CREST CEO Nick Benson.