Publication - Progress report

Cyber resilience strategy 2015-2020: progress report

This report entitled 'Firm foundations' highlights the progress of 'Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland' (2015-2020).

Cyber resilience strategy 2015-2020: progress report
Reflections from the Chair of the National Cyber Resilience Advisory Board – David Ferbrache, OBE

Reflections from the Chair of the National Cyber Resilience Advisory Board –
David Ferbrache, OBE

Safe, secure and prosperous: a cyber resilience strategy for Scotland set out an ambitious vision for a digital society and economy remaining resilient in the face of a growing cyber threat.

In the five years since the strategy was published much has been achieved and the progress is a testament to the cyber resilience community in Scotland. Nowhere was this national effort clearer than in the response to the changing cyber threat we saw during COVID-19 with the Scottish Government, Police Scotland, the Scottish Council for Voluntary Organisations and the Scottish Business Resilience Centre working together to raise awareness
and support the community in the face
of a rapidly evolving cyber threat.

The five action plans put in place to deliver the cyber resilience strategy have made progress, in some cases exceptional, in others challenges remain. 

The Learning and Skills Action Plan reached many young people through the work of Skills Development Scotland, Education Scotland, Young Scot, Police Scotland, Civic Digits, NCSC's CyberFirst programme and the Cyber Christmas Lectures. Cyber resilience is now a key part of the educational curriculum and national occupational standards; with National Progression Awards, HNC, HND and Professional Development Awards in Cyber Resilience and Cyber Security.

The Third Sector Action Plan saw over 250 organisations achieve Cyber Essentials, over 1,000 charities educated on cyber fundamentals, and 10,000 third sector organisations provided with regular cyber advice through the Scottish Charity Regulator, OSCR.

The Public Sector Action Plan has seen good progress in focusing public sector bodies on cyber security risks, raising board awareness, achieving Cyber Essentials certification, establishing incident management policies and ensuring the cyber security of supply chains is considered. There is more to do to fully embed cyber resilience into public sector digital strategies and investment plans, and to build confidence that Scotland can withstand a large scale cyber attack – but this is a good start.

The Private Sector and Economic Opportunity Action Plans have proved most challenging. While the Scottish Business Resilience Centre, ScotlandIS and Scottish Information Sharing Network/CISP have reached many hundreds of firms in Scotland, there is much to do working with Ministers, professional and trade bodies to scale these initiatives and achieve the impact we require, working closely with the NCSC. As a nation we need to have confidence in building our cyber resilience research and industry base, and in promoting Scotland's cyber security goods and services sector. We often underplay our achievements.

The cyber threat has grown, as has our dependency on cyberspace. Continuing Ministerial focus, increased investment and creativity are needed to drive the cyber resilience agenda. Without such investment we risk undermining the resilience of the digital economy which Scotland will depend on for its future, but we recognise that in these times of restraint we must also be disciplined in linking that investment to clear outcomes and metrics. The journey toward cyber resilience has begun, and that journey will be vital to the achievement of a safe, secure and prosperous Scotland. 

David Ferbrache, OBE

David Ferbrache, OBE
Chair, National Cyber Resilience
Advisory Board