The UK government is unlikely to achieve its 2025 cyber resilience targets
The UK government set a bold goal: total cyber resilience across all departments by the end of 2025. It’s not going to make it. That much is clear. The Cabinet Office has been moving in the right direction; starting independent assessments of critical IT systems was long overdue. But progress isn’t fast or deep enough. Security weaknesses are more severe than expected. Control failures in basic areas like risk management and incident response are still common. That tells us the current system isn’t working.
The government knows it can’t keep doing things the same way and expect a different result. That’s good. Future resilience, especially across the wider public sector by 2030, will need real structural change. Departments can’t continue treating cyber risk as an afterthought or outsourcing accountability upward toward the center. The Cabinet Office needs to play a stronger direct role: central policy, funding models, oversight, and new digital infrastructure tools that actually scale across departments.
This is about speed, clarity, and the right incentives to get cybersecurity baked into the public sector at every level. That means putting pressure on timelines, performance, and spending in a way that matches the urgency of the threat landscape.
Key data makes that urgency obvious. In July 2024, assessments of 72 critical systems across 35 government departments exposed widespread vulnerabilities. These weren’t marginal systems; they were part of the backbone of public service delivery. That should be a wake-up call. The government isn’t moving fast enough, and the goals it has set for 2025 don’t match the reality on the ground.
Legacy IT systems continue to undermine national cybersecurity
One of the most critical, and long-standing, problems here is the legacy software still powering huge portions of the UK’s public sector. According to the Department for Science, Innovation and Technology (DSIT), nearly 28% of all public sector IT infrastructure qualifies as legacy. That means it’s outdated, unsupported, and in many cases incompatible with modern cybersecurity protocols. And here’s the alarming part: most of it hasn’t even been independently assessed for risk.
This has been flagged consistently. The Public Accounts Committee (PAC) raised the issue again, pointing to the government’s continued reliance on self-assessments. These are often inconsistent and overly optimistic. Leadership lacks a complete picture of how much outdated tech is still in use or where it’s embedded. When you don’t know where the vulnerabilities are, you don’t control the risk. That’s simple logic.
Failure to address this creates a massive blind spot. If systems at the core of healthcare, welfare, immigration or critical infrastructure are vulnerable because of legacy architecture, the risk is operational. And it multiplies the damage when attackers find their way in. We’ve seen ransomware hit hospitals and government agencies. It’s not about “if” anymore; it’s about whether we’ll be ready when it happens again.
This problem isn’t unique to the UK, but what stands out is the lack of pace. Executives in both public and private sectors need to treat this as a high-priority transition. Upgrading legacy systems requires more than funding; it demands leadership, urgency, and integration with modern cybersecurity strategies.
Geoffrey Clifton-Brown, MP and Chair of the Public Accounts Committee, captured the issue best when he said it’s “alarming” that the government still doesn’t know the number of legacy systems it operates. That’s not just a tech debt problem. That’s a leadership problem. Let’s fix it.
Department-level leadership still isn’t taking cybersecurity seriously
Cybersecurity is still seen by too many departments as a technical function, something IT handles in the background. That mindset is outdated, and the consequences of sticking with it aren’t minor. We’re now dealing with persistent, well-funded, and often state-backed cyber threats. Thinking of cybersecurity as a secondary issue doesn’t match the reality of what’s needed at a national level.
Senior leadership across government hasn’t done enough. Many departments fail to include cybersecurity leaders in high-level decision-making. That means security isn’t being treated as a strategic issue, which is a mistake. When cyber professionals are left out of board-level discussions, organizations miss opportunities to embed resilience into their planning and execution. That leads to fragmented responses, slow incident recovery, and failures in proactive defense.
Part of the issue is a lack of clear and consistent guidance from the Cabinet Office. If departments don’t have clarity from the center, they fall back to a reactive model instead of building purposeful defenses into their workflows. The Public Accounts Committee pointed out that this has led to widespread underestimation of risks across departments. The urgency of cyber threats isn’t being acknowledged at the senior leadership level, and that has to change now.
Cybersecurity shouldn’t be isolated. It should be part of core strategy discussions. Budgeting, hiring, supplier decisions: they all have security implications. For C-suite leaders, the takeaway is this: unless your digital and security leads are in the room when these decisions are being made, you’re not managing risk; you’re ignoring it.
Cybersecurity hiring problems continue to weaken government capability
There’s a people problem here. The government can’t attract and retain enough of the right cybersecurity talent, and that’s a serious risk. One in three cyber roles is currently either unfilled or being handled by outside contractors. That’s not a sustainable model, especially when you’re trying to scale capacity across dozens of interconnected systems.
The workforce has grown to about 23,000 digital professionals across the public sector, but the core security roles aren’t being filled fast enough. Why? Compensation. The government hasn’t been willing to match market salaries for top-tier cyber talent. In a competitive global market, skilled professionals have other options. They won’t wait around for low-bid public roles if they can earn more and move faster elsewhere.
The report is direct about this: government needs to be realistic about recruitment and retention. It also needs to do more to move digital and security leadership into top-tier governance spaces. Until security professionals are seen as equal stakeholders in strategic planning, the hiring problem will drag on. Contractors help short term, but they can’t build the institutional knowledge needed to manage national-level cybersecurity threats over time.
Failure to build in-house capability at this level is no small miss; it weakens the UK’s core resilience posture. Business leaders should see the parallel in their own organizations. Without the right people, even the best frameworks and tech can unravel quickly. Investing in talent isn’t a cost. It’s a line of defense. Skimp on it, and the rest becomes exposed.
Government response isn’t matching the scale or sophistication of threats
The cyber threat environment is escalating. Attacks are increasing in complexity, frequency, and impact. Despite this, the UK government’s response hasn’t evolved fast enough. Incidents like the ransomware attack on the British Library in 2023, the breach of NHS supplier Synnovis in 2024, and ongoing cyber disruptions across major UK supermarkets show a clear pattern: threat actors are targeting institutions that are critical to public function and daily life.
These are not isolated events. They demonstrate how attackers are exploiting systemic weaknesses. And the risks are compounded by a slow, fragmented response from government entities that have not kept pace with modern threat dynamics. There’s a substantial gap between the level of risk and the current preparedness across departments. The longer that gap exists, the more room there is for disruption and damage.
It’s an environment where financial motives, geopolitics, and emerging technologies like AI are changing the threat landscape fast. The National Cyber Security Centre already pointed out that we’re heading toward a serious split: organizations that can evolve and keep up with these advancements will survive. Those that can’t will fall behind and become liabilities.
Senior leaders, both inside and outside government, should assume that similar attacks are coming. It’s not a question of optimism versus pessimism. It’s a matter of realism and action. Resources, leadership, and systems all need to be aligned to move faster, anticipate threats, and deliver coordinated responses that minimize real-world impact.
Weak supply chain oversight is creating national-level vulnerabilities
Cybersecurity isn’t only about internal controls. Public sector systems are tightly connected with external suppliers, especially in healthcare, transport, and infrastructure. Many of these suppliers are under-resourced in cybersecurity, which creates vulnerabilities that cascade into government systems. The NHS Synnovis incident proved this. A single vendor breach disrupted critical healthcare delivery.
Right now, government oversight of supply chain security is inconsistent. There isn’t a unified set of standards or enforcement tools that ensures vendors uphold strong cybersecurity practices. That’s a risk multiplier. Even departments with solid internal defenses can be compromised if a supplier lacks funding, talent, or robust protocols. The Public Accounts Committee calls this out clearly: supply chain incidents are a risk vector that remains under-supervised across most departments.
Leaders should be aware that a secure organization depends on secure partners. For government, that means building better visibility across the supply chain. It also means allocating funding and defining accountability, so that when something goes wrong, it’s clear who is responsible, what’s affected, and how to respond without disruption to public services.
C-suite leaders in the private sector should be taking note too. If your vendor structure is complex and you’re not actively managing cyber risks throughout that network, then your exposure is likely underestimated. Government has the same issue, with higher stakes, because disruption here often affects critical systems that millions of people rely on.
The Cabinet Office needs to define and deploy a scalable cyber resilience strategy beyond 2025
The Public Accounts Committee has made it clear: the UK government’s current cyber strategy is not enough. To meet the demands of an evolving threat landscape after 2025, the Cabinet Office must shift from monitoring to executing a more assertive, system-wide response. That means new enforcement tools, better-defined oversight mechanisms, and scalable frameworks that can be applied across departments and supply chains.
The next phase of cyber resilience must stop relying on fragmented departmental actions. Instead, the Cabinet Office should lead from the center, not just as a coordinator, but as an enabler, with standards that are enforceable, not suggested. This isn’t just about improving processes. It’s about speeding up how the government adapts, communicates, and responds to risk in real time. Until these levers are made explicit, both in terms of policy and operational control, progress will remain slow and uneven.
Looking ahead, AI will be a serious accelerant in the threat landscape. It’s already changing the nature of attacks, making them faster, more targeted, and harder to detect. That’s not theoretical. It’s real, and it’s already happening. Organizations that fail to integrate AI-driven threat modeling and response will inevitably fall behind. The National Cyber Security Centre has warned of a growing divide between those that adapt to AI-enabled threats and those that don’t. Government must ensure it’s in the first category, not the second.
Decision-makers should view the 2025–2030 period as a critical investment window. After the next Spending Review, there’s an opportunity to set new benchmarks for transparency, talent development, and proactive defense. If those tools are clearly defined and rapidly deployed, the UK can move toward becoming cyber-resilient.
Recap
Right now, the UK government isn’t moving fast enough to stay ahead of the threat curve. That’s a problem, and it should concern anyone in a leadership role, public or private sector. Legacy infrastructure, leadership gaps, underfunded talent pipelines, and an overreliance on vague central guidance have created vulnerabilities across the board. And the threat landscape isn’t slowing down.
For executives, this moment is a signal. Cybersecurity is no longer a siloed responsibility owned by IT. It’s a top-level business risk with operational impact. Whether you lead a government department or a global enterprise, the message is the same: if you’re not integrating cyber strategy into core leadership decisions, you’re leaving your organization exposed.
Future-ready organizations, ones that will thrive in an AI-driven threat environment, will be defined by how quickly they adapt, how deeply they embed security leadership, and how seriously they invest in talent and transparency. That’s true for government, and it’s true for business. The time to act was yesterday. The opportunity to lead is now.