National Cyber Resilience Advisory Board (NCRAB) minutes: September 2025

Minutes from the meeting of the group on 2 September 2025.


Attendees and apologies

Board members in attendance

Maggie Titmuss (Chair)
Deryck Mitchelson (Vice-Chair – DM)
Freha Arshad (FA)
Carla Baker (CB)
George Fraser (GF)
Don Smith (DS)
Ollie Bray (OB)
Detective Chief Superintendent Andrew Patrick, Police Scotland (DSU AP) 
Detective Chief Inspector Alasdair Penny, Police Scotland (DCI AP) 
Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government (AG) - Ex Officio

Also in attendance

Head of the National Cyber Resilience Unit (NCRU)
NCRU Head of Policy and Programme
NCRU Public Sector Lead
Scottish Cyber Coordination Centre (SC3) Service Lead 
NCRU Policy and Programme Officer

Partial attendance

Carla Baker (CB) (partial)
Jordan Schroeder (JS) (partial)

Apologies

Martyn Wallace (MW)
Natalie Coull (NC)
Phil Ford (PF)
National Cyber Security Centre representative, NCSC, (NW) - Ex-Officio
ACC Stuart Houston (SH) – Ex-Officio

Items and actions

Welcome, introductions, last meeting actions and conflicts of interest

The Chair welcomed Members to the meeting. 

The minutes of the March 2025 meeting were approved. 

The Chair advised that DM, FA, CB, JS, GF and NC’s first term as Members of NCRAB was due to end in September 2025. She shared that each of them had agreed to serve a second term, concluding in September 2028. She thanked them for their contributions thus far and added she looked forward to continuing working together on the Board. 

The Chair shared that she had engaged with a Chief Information Officer (within academia) with a view to him joining the Board as a Member from December 2025. Members concurred. 

SEP25/01: NCRU Policy and Programme Officer to invite new member to December 2025 meeting and share Terms of Reference. 

The NCRU Policy and Programme Officer ran through outstanding meeting actions: 

DEC24/02: ACC AF to update Board on Report Fraud developments. NCRU Policy and Programme Officer to add item to March 2025 agenda.
•    This action was discussed in further detail later in the meeting and subsequently closed. (See ‘Overview of Cyber and Fraud Unit/Report Fraud developments.’)

MAR25/04: Chair, AG and Head of NCRU to decide on key discussion points for future meeting when the Cabinet Secretary for Justice and Home Affairs will be in attendance. 
•    It was noted that the Cabinet Secretary for Justice and Home Affairs would potentially host a Cyber Leaders dinner on the evening of 4 November 2025, to which some Members were invited as representatives of the Board. 

No conflicts of interest were noted. 

Cyber threat landscape

DCI AP and DSU AP provided Members with an update on cyber security trends Police Scotland have dealt with over the last quarter. This included fraud, investment scams, sextortion and ticket scams. They noted these crimes continue to be under-reported but work was underway to determine how reporting can be more accurate moving forward to capture the scale and size of the threat the crimes pose. 

A brief discussion followed on how Members could spread key cyber resilience awareness messaging. The Head of the NCRU advised Members would be able to use and share CyberScotland Partnership quarterly asset packs to support sharing messaging across their networks. 

SEP25/02: NCRU to share the CyberScotland Partnership quarterly asset packs with the Board for them to disseminate across their networks. 

The SC3 Service Lead also provided an update on threats the SC3 had dealt with. This included SC3 daily, weekly and vulnerability reports and lessons learned from recent public sector cyber incidents in Scotland. 

The SC3 Service Lead included an update on future work planned to look at education networks across Scotland to assess how these could be best secured. DS was very supportive. OB mentioned that Education Scotland had done some work on this and would be happy to work with SC3. 
The Head of the NCRU mentioned it was important to note that this was not just about technology systems but understanding of risk by head teachers who create the culture of security in schools. The Chair suggested this needed buy-in from Ministers as well as Education Scotland. The SC3 Service Lead was happy to engage with Education Scotland and Education policy leads. AG advised this topic would be brought back to a future NCRAB for update.

Overview of the Cyber and Fraud Unit/Report Fraud developments

DCI AP shared that Police Scotland had launched a new Cyber and Fraud unit (CAFU) in response to the increasing rate of cyber crime across the country. 

CAFU will work with other UK agencies and partners to provide a co-ordinated approach to cyber-related issues, improving the ability to tackle online crime and better support victims. 

Members were supportive of the establishment of the CAFU and were keen to see future developments. 

Strategic Framework refresh – update

The Head of the NCRU shared an update on progress of the development of the refreshed Strategic Framework for a Cyber Resilient Scotland (2025-30). 

She explained it was clear there had been substantial progression in cyber resilience in Scotland since the publication of the previous strategy in 2021. There is a well-developed cyber ecosystem in Scotland. The CyberScotland Partnership, the Scottish Cyber Coordination Centre (SC3) and National Cyber Resilience Unit (NCRU) all contribute to improving the cyber resilience of people and organisations in Scotland. Also, the Cyber Security Unit within Scottish Government provides IT services and security to over 50 public bodies. 

The refreshed strategy will have a renewed focus on building cyber resilience across sectors, with the added benefit and challenge of emerging technologies. Some other key areas of focus will be on research and professional standards. A suite of Action Plans will be developed this Winter.

The Chair agreed that the Scottish cyber ecosystem had improved and stated that it was important to get the balance right and ensure that constant change and continuous improvement was a focal part of the refreshed strategy. 

The Head of the NCRU advised that publication of the refreshed Strategic Framework was planned for early November 2025. Planning for an official launch event was underway to which some Members were invited as representatives of NCRAB. 

Scottish Cyber Coordination Centre (SC3) - update 

The SC3 Service Lead advised that the internal SC3 team had grown, with technical and incident management resource recently appointed to ensure that, in the event of an incident, business-as-usual work would be uninterrupted. 

He shared a further update on the development of the Cyber Observatory. There was a planned ‘go-live’ between October and November 2025. He stated he was happy to come back to a future meeting and showcase the Observatory to Members. 

SEP25/03: SC3 Service Lead to showcase the Cyber Observatory to Members at a future meeting when it is fully functional and operational. 

DS offered to put the SC3 Service Lead in touch with a CISO at an energy business who may be able to offer support with the final stages of the development of the Cyber Observatory.

The SC3 Service Lead advised work would begin to develop an improved website for SC3 which would complement the existing CyberScotland Partnership Portal. 

Supply25

The NCRU Public Sector Lead provided Members with an update on the progress of Supply25, the supply chain cyber assurance solution arising from CivTech Challenge 9.5 winners. 

The platform was in private beta with around ten public bodies successfully using the platform to seek cyber assurances from their potential suppliers. The developers were in the process of developing their commercial model to ensure Supply25 was commercially viable as it moved into the public beta stage. 

Update on UK developments

CB updated Members with information on the proposed Cyber Security and Resilience (Network and Information Systems) Bill. 
It appears there is still refinement required in some of the terminology and reach of the Bill, and that the Scottish Government is engaging with the Bill team on how this impacts on Scotland and how it would work in practice. 
The Vice Chair commented that he was not sure there would be appropriate resource available to monitor, audit and enforce changes proposed, given the wider scope of the Bill. 

The NCRU Public Sector Lead proposed that the Cyber Security and Resilience (Network and Information Systems) Bill be added as a standing agenda item for future meetings to allow for discussion between Members to better understand the impact for Scotland. 

The Chair agreed and added that the Board will need to be aware of critical developments and proposed implementation. 

SEP25/03: Cyber Security and Resilience (Network and Information Systems) Bill to be added as a standing agenda item at future meetings. 

CB added detail on the proposed UK Cyber Strategy. She said this would be a light-touch refresh, focusing around three core pillars: Countering Threat, Strengthening Resilience and Promoting Growth. The refreshed Strategy will support the UK Government and the private sector to work together, reduce cyber risks and seize opportunities for growth in the UK cyber industry.

The Head of the NCRU advised a roundtable had been set up to share and gather information on the UK Cyber Strategy later in the week (4 September 2025). NCRAB members were invited to this. 

Curriculum Improvement Cycle

OB updated the Board on the curriculum improvement cycle. He advised that they were in the Curriculum Development phase. He added that analysis was ongoing to understand and plan changes required based on feedback from education practitioners and young people. He shared that work was also underway with co-design partners to develop and assess relevant workstreams, ensuring the correct balance was struck. This would support understanding of the needs of young people at developmentally appropriate stages. 

SEP25/04: OB to provide an update in March 2026 on further developments of the Curriculum Improvement Cycle and the embedding of cyber within the curriculum. 

The Chair added NCRAB would be available to support Education Scotland with advising, developing and embedding cyber resilience within the curriculum where required. 

The Head of the NCRU flagged that CyberFirst was moving from the National Cyber Security Centre (NCSC) to the Department for Science, Innovation and Technology (DSIT) and would rebrand as ‘TechFirst.’ She added this may present challenges for CyberFirst within Scotland, which has achieved substantial success, with 33 CyberFirst schools and related CyberFirst competitions and with plans for further expansion of schools.
OB concurred CyberFirst had been a tremendous success in Scotland and Education Scotland were keen to ensure this continued. 

The Head of the NCRU said that digital literacy, and digital competence, was a critical enabler across the entire school curriculum and importance should also be placed on ensuring cyber resilience was embedded within teacher training. 
OB agreed that this was a crucial point. 

DCI AP added that Cyber Choices (a policing initiative focusing on young people on the cusp of cyber criminality and encouraging them to use their cyber skills in a legal way) would be introduced in Scotland and it would be helpful if a conversation could be had with the Head of the NCRU. 

SEP25/05: Head of NCRU and DCI AP to discuss Cyber Choices and its introduction to Scotland in further detail. 

Any other business

The Head of the NCRU advised that CyberUK would be held in Scotland in April 2026. She asked if any Members would be keen to provide talks during the conference. 
DS and DM agreed to speak and will share a summary with the Head of the NCRU by 5 September 2025. 

Close

The Chair thanked members for their attendance and advised the next ordinary meeting would be in December 2025. 

Contact

NCRAB@gov.scot
