In 2024, the National Cyber Security Centre (NCSC) hit a major milestone: a decade of its Cyber Essentials (CE) certification. This program aims to set a standard for basic cyber hygiene across all organizations, promising a level of protection against common threats. Yet, there’s a growing concern from NCSC’s CEO Richard Horne about the widening gap between the UK’s cyber defenses and the increasing threats from state actors, including sabotage and espionage. The risks aren’t just cyber; they extend to research and innovation, adding urgency to the conversation about protective security.
As threats escalate, the role of the National Protective Security Authority (NPSA) comes into sharper focus. Many wonder if the NPSA should create its own certification, similar to CE, for physical and personnel security. However, tackling threats effectively means we need a strategy that goes beyond just meeting baseline standards and embraces a risk-oriented approach.
Is there a standard level of protective security? CE certification emerged in 2014, offering universal guidelines that any organization, regardless of size or sector, could adopt. The NCSC designed it to be broad enough to apply to all, with five core security controls targeting common cyber attacks. Year after year, more organizations are getting certified under CE, and there are plans to enhance the program to tackle supply chain vulnerabilities. Still, one report finds that fewer than 1% of eligible organizations hold CE certification, pointing to unmet potential.
The push for a baseline cyber certification sounds solid. If we can boost individual organizations’ defenses, we enhance the overall security ecosystem. The controls in CE are broad, so they don’t require a specific risk profile to apply. But whether we can pull off a similar baseline for protective security is a tricky question. CE focuses on a core set of controls, but the landscape of protective security is vast—covering physical threats, insider risks, and more.
Creating a new certification that mirrors CE might backfire. If organizations already have CE, they might skip a new protective security certification, especially when CE uptake is still low. Moreover, separate certifications from NCSC and NPSA could deepen the divide between cyber and physical security. We’re better off encouraging organizations to adopt a more integrated approach that deals with threats holistically rather than through isolated silos.
CE works at a technical level, but its framing feels dated in our current geopolitical landscape. While the cyber security industry often downplays the human element, emphasizing technical solutions, the UK government has become vocal about the rising threats and the necessity for a coordinated response. As the government gears up for increasing defense spending, this aligns with wider conversations on resilience across sectors.
The upcoming Cyber Security and Resilience Bill (CSRB) aims to strengthen cyber defenses for critical services and fits into a larger effort around physical security and community preparedness. The UK’s Resilience Framework is another critical piece, addressing everything from extreme weather to supply chain interruptions. Creating a separate physical security certification would go against the trend toward a comprehensive resilience strategy.
Instead of creating separate certifications, we should consider one unified security resilience certification for at-risk organizations. This would complement existing baselines like CE but would start with a credible risk assessment tailored to each organization. Bridging the different security domains (cyber, physical, and personnel), this modular framework would focus on adaptive, proportionate measures based on each organization's specific risks.
While this approach requires a deeper commitment than CE, it encourages organizations to go beyond filling out compliance checklists. With strong collaboration between NCSC and NPSA, we can build a framework that fosters genuine resilience. Accompanied by a clear awareness campaign about current geopolitical threats, this strategy would make it clear that we can’t afford to treat security as just business as usual.
This unified risk-based approach not only addresses certification fatigue but also positions organizations to defend themselves more effectively in a complex, evolving threat landscape, ultimately contributing to a more resilient nation.