Why cybersecurity must be at the heart of the UK's new mission-led procurement strategy

"Cybersecurity is national security." These powerful words from Security Minister Dan Jarvis at this week's Predict conference couldn't be more relevant. Combined with last week's celebration of Cyber Essentials' 10th anniversary, where Cyber Security Minister Feryal Clark revealed that certified organisations are 92% less likely to make an insurance claim, we're seeing unprecedented government focus on cyber resilience.

As HP's Director of Public Policy for the UK, I recently had the opportunity to contribute to the consultation on the National Public Procurement Statement (NPPS). This crucial policy document will shape how billions of pounds of public money is spent in the coming years. However, one critical element is notably absent from the framework Labour inherited: cybersecurity.

Mission-led Procurement

With Minister Jarvis warning that cyberattacks are "destroying businesses and ruining lives," and Minister Clark announcing major UK banks' commitment to expand Cyber Essentials within their supplier assurance processes, we're seeing a vital shift in procurement thinking. Public procurement must follow suit. The government's recognition that "Russia and China are investing in advanced cyber operations" makes it clear: in an era where digital transformation is reshaping public services, our procurement strategies must evolve to address emerging challenges and opportunities.

Public procurement can support the Government’s missions by embedding societal priorities, such as reducing inequality, creating jobs, promoting economic growth and enhancing national security, which is why the new mission-led NPPS should include cybersecurity and national security as critical components of social or societal value.

The Security Imperative

The numbers tell a compelling story. The security and resilience sector contributes ￡12.8 billion in value-added impact to the UK economy, supports 145,000 direct jobs, and generates ￡9.5 billion in export sales. But as Minister Jarvis highlighted, the NCSC has confirmed Russian attempts to target key sectors of the British economy, including "UK media, telecommunications, political and democratic institutions, and energy infrastructure." Our public services face unprecedented cyber threats that demand immediate attention.

Protecting public authorities from cyberattacks is essential, especially as the public sector handles sensitive data. The UK is the third most targeted country in the world for cyber-attacks. Recent reports from the NCSC and others have highlighted ongoing threats to public sector organisations in the UK, showing that these remain key targets for cybercriminals.

As identified by techUK in their Seven Tech Priorities for the Next Government, Government should prioritise cybersecurity for contracting authorities in public procurement of technology. This crucial focus was omitted by the last Government. The refresh of the NPPS under Labour presents a unique opportunity to bolster the UK’s cyber resilience and raise cybersecurity awareness.

Although email remained the top vector for delivering malware to endpoints (61% of threats), HP Wolf Security's most recent Threat Insights Report highlights that attackers are looking for unusual ways to infect endpoints in the hope of avoiding detection, which is why all organisations - public and private - should look at the cybersecurity of their endpoint devices.

Smart Investment

A common concern is that prioritising cybersecurity in procurement might drive up costs or reduce value for money. The evidence suggests otherwise. IBM's latest Cost of a Data Breach Report reveals that public sector breaches cost an average of $2.13 million – a figure that doesn't fully capture the disruption to essential services or loss of public trust.

Security-focused procurement represents smart investment rather than additional cost.

Here's why:

1. Prevention vs. Response

Organisations with mature security approaches save an average of ￡1.51 million per breach (Cost of a Data Breach report) compared to those without. In the public sector, where services are essential and downtime costs are high, prevention through procurement is particularly cost-effective. The recent attack on IT systems at firm Synnovis affecting critical services at London Hospitals as well as primary care services showed the importance of prevention.

2. Operational Efficiency

Security-by-design doesn't just prevent breaches – it improves service delivery. Experience working with public sector clients shows that secure systems reduce IT support needs, improve user satisfaction, and increase workforce productivity.

3. Strategic Partnership Benefits

When we shift from transactional procurement to strategic partnerships, we create opportunities for innovation, cost sharing, and mutual growth. The Crown Commercial Service's frameworks demonstrate that procurement can deliver significant savings while raising standards.

A Framework for the Future

The National Cyber Security Centre provides clear guidance on cloud security and digital transformation and device security including hardware and firmware. By incorporating cybersecurity as a national priority into the NPPS, we can create a procurement framework that:

• Protects critical infrastructure
• Protects cyber resilience of the public sector
• Drives innovation
• Delivers value for money
• Supports economic growth

Moving Forward Together

As we await the government's response to the NPPS consultation, it's crucial that cybersecurity isn't treated as an optional extra but as a fundamental component of value for money and national security. At HP, we're committed to working with public sector partners to deliver secure, innovative solutions that protect both public services and public funds.

The upcoming NIS2 Directive in the EU and the evolving threat landscape make this the perfect moment to reshape our approach to public procurement. By placing security at the heart of our procurement strategy, we can build resilient public services that deliver value not just today, but for years to come.

#PublicPolicy #Cybersecurity #Procurement #PublicSector #Innovation #DigitalTransformation #MissionLedProcurement #CyberEssentials #NationalSecurity