Research and analysis

Evaluation of the UKC3 programme 2022

Published 4 August 2023

1. Executive summary

Starting a successful and innovative cyber security business in the UK is challenging and difficult to do alone. Successful innovators selling the best technology usually partner with academia and industry to develop the best product, to secure the most talented workforce, and to find access to customers. Over recent years, clusters of cyber businesses, universities, law enforcement partners and others have organically formed across the regions of the UK. These clusters delivered local events, attracting speakers, to help their members create business connections, gain investment, recruit and sell. The government, in the National Cyber Strategy, has set an objective to establish more integrated and effective regional cyber networks across the UK, enabling stronger partnerships between government, businesses and academia to support sectoral growth and business resilience. Supporting clusters to grow and become more effective directly supports this objective.

UKC3 is a programme funded by the Department for Digital, Culture, Media and Sport (DCMS) which aims to:

• build the capacity of the regional cyber security clusters
• raise awareness and understanding of cyber activities within regions and support the development of a healthy and diverse talent pipeline into the cyber industry
• support the creation, development, and growth of new cyber businesses within region^{[footnote 1]}

It is intended to act as a single voice for the cyber cluster community, representing the needs and interests of clusters and their members at a national level. Conclusions and recommendations against each of the core evaluation questions are outlined below.

This report covers the financial year 2021 - 2022.

1.1 Process evaluation

Was the programme funding process delivered as intended? / How could this funding process be improved?

The programme was delivered as intended in the grant offer letter between DCMS and the UKC3 Board. Grant funding was used to:

• increase UKC3 programme and cluster marketing activities
• provide administrative and operational funding for newly recognised clusters
• provide transitional funding for April and May 2022 (to cover the gap between FY21/22 and funding being secured and allocated to clusters for FY22/23)

The UKC3 programme administered and distributed monies to support the work of cyber clusters via two main funds. These are the:

• Cluster Administration Fund - aimed at enabling clusters to bring in dedicated resource to help run and deliver the day-to-day activities of a cyber cluster
• Project Fund - focused on supporting cyber clusters to deliver specific projects or initiatives that focus on ecosystem development, innovation, or skills growth

When the UKC3 programme launched as a Community Interest Company (CIC) in May 2021 an interim Board was elected.^{[footnote 2]} It initially focused on setting up the processes needed to distribute funding to cyber clusters. These processes work as the majority of clusters did not report any issues with the UKC3 programme funding allocation process. Three working groups were set up in June 2021 as planned to focus on: (1) developing the ecosystem, (2) cyber skills growth, and (3) joined-up innovation. However these progressed slowly and were initially not funded, limiting the impact they could have and the speed at which progress could be made in the areas they were focused on.

In addition, there was a lack of dedicated UKC3 programme resource to engage with the clusters, meaning it took more time to respond to any enquiries and challenges raised.^{[footnote 3]}

How did the UKC3 programme and clusters use grant funding? / What worked well, or less well, for different clusters and why?

In its pilot year, the UKC3 programme used funding to recognise clusters in 12 regions and nations with a further two emerging clusters expected to be formally recognised in the next six months. The clusters used the funding on:

• supporting the development of digital platforms (for example website development or enhancement, or creation of a slack channel) – 67%
• knowledge sharing / engagement events – 58%
• staff recruitment – 50%
• marketing and communications – 50%

Most clusters indicated they felt supported by the UKC3 programme and that it provides a useful central point for communications and queries, for instance to learn about the work of other clusters. Further areas identified as working well for different clusters include:

• being recognised as a cluster by the UKC3 programme, which was seen by cluster leads as an asset that allows them to confidently communicate with government
• project funding to deliver skills development, innovation, and ecosystem development projects (for more established clusters)
• using a Customer Relationship Management (CRM) system for member communications, with feedback suggesting this system has provided more organisation and structure to previously “ad-hoc” communication to ensure ‘the right information gets to the right people’

However, regional partners suggested the UKC3 programme could do more to help increase communication across clusters and in doing so improve efficiency and avoid duplication of efforts or projects. All 7 regional partners interviewed for this evaluation reported a limited understanding of cluster activities and the role of the UKC3 programme, although regional partners are keen to learn more about its purpose and ways of working.

Recommendation 1:

• we recommend that the UKC3 programme develops a communication strategy, which sets out how they will ensure all clusters and regional partners are provided with the information they need on (a) the UKC3 programme business plan and objectives, (b) progress, achievements, and results being achieved, and (c) the on-going work across clusters, including cross cluster working and emerging best practice
• the strategy should detail the methods that will be used, such as reports setting out progress against objectives and webinars to communicate learnings and new initiatives

Did clusters experience any unexpected or unintended issues in the delivery of the programme?

A minority of clusters reported difficulties demonstrating that their existing governance structures met UKC3 programme expectations. The majority of clusters are set up as CICs while a small number who are not a CIC are part of, and overseen / governed by, their Local Enterprise Partnership (LEP). Feedback suggested this made applying for recognition more complex as they had to prove the effectiveness of their existing governance structure.

What can be learned from the delivery methods used by the UKC3 programme?

Feedback from cluster leads suggests the UKC3 programme approach has been working well, with cluster leads noting that:

• all clusters were involved in designing the common operating framework and have set up governance structures that are in line with it which has enabled them to apply for recognition by, and / or funding from, the UKC3 programme
• UKC3 programme funding to pay administrative staff or cluster leader salaries has been particularly effective as it has allowed cluster leads to focus on strategic planning to address members’ needs

Potential improvements to the UKC3 programme’s delivery going forward includes:

• more transparent communication on what other clusters are delivering
• supporting clusters with the measurement of outcomes from their funded activities

Recommendation 2: we recommend that the UKC3 programme develop SMART outcomes, linked to the UKC3 programme Theory of Change (ToC), for example:

Measure 1: increased representation on major cyber security groups from current baseline (to be established via engagement with clusters)

Measure 2: evidence of joint working between clusters (case studies to be developed by UKC3 programme)

Measure 3: UKC3 programme to identify gaps in ecosystem and demonstrate how these have been actioned

Measure 4: UKC3 programme to report on work involved in supporting clusters to deal with local needs. Monthly reporting on help to local clusters regarding meeting local needs and implementation

Measure 5: UKC3 programme to report on support provided to help clusters align with the National Cyber Strategy 2022 (NCS)

Measure 6: UKC3 programme to provide an annual report setting out state of the cyber security ecosystem and how their work has contributed to:

• an increased number of set ups / development and growth of cyber businesses within regions
• filling the gaps regionally
• greater collaboration between government, law enforcement, academia, educators, innovators, and industry
• increased regional investment in cyber security technology, skills, and services
• UK economic growth

1.2 Impact evaluation

Has the UKC3 programme led to more formalised cluster governance at a cluster level and at board level?

The UKC3 programme developed a cyber cluster operating framework in collaboration with cyber cluster leads. As part of becoming formally recognised and funded by the UKC3 programme, a cyber cluster must operate in line with the framework.

As a result, all clusters have formal governance arrangements. While feedback from cluster leads suggests the UKC3 programme did not have a significant role in establishing these, by making them a requirement of accreditation it ensures formal governance is in place.

Has the UKC3 programme led to an increase in the number of networking, collaboration and knowledge sharing opportunities and events between clusters and for cluster members?

All clusters offer events with the aim of growing the cluster ecosystem in their local areas and promoting networking opportunities. Many have developed event plans and in total 110 new events were delivered as of March 2022.^{[footnote 4]} Events included those focused on:

• knowledge sharing (for example events focused on defence)
• raising awareness of the cluster, its members, and work undertaken / planned (for example cluster launch events)
• member engagement following launch events (for example to ascertain member interest in active involvement with cluster activities)

Many clusters have also enabled members to attend cyber security events such as Cyber UK or Infosec, with cluster leads noting that without funding from the UKC3 programme, attendance would not have been possible due to the associated costs for most Small and Medium-sized Enterprises (SMEs).

Based on the contribution analysis conducted, the UKC3 programme has:

• strongly contributed to increased collaboration and knowledge sharing between clusters, and to clusters’ representation at organisations such as the UK Cyber Security Council
• had some contribution to the development of new interventions tackling regional needs and to the knowledge and understanding of regional activities by DCMS and other clusters

Has the UKC3 programme led to the delivery of pilot activities to support growth and skills?

The three strategic pillars underpinning the UKC3 programme’s work are:

1. Ecosystem Development
2. Cyber Skills Growth
3. Innovation Join-up

A working group for each of the three pillars above has now been established to foster collaboration between clusters, cluster leads, and sector experts. Each are at different stages of development with varying levels of activity and no evidence of outcomes or impacts from these are available at this time.

Recommendation 3: we recommend outcome and impact measures are developed for each working group, linked to their aims and critical success factors and reported on monthly to the UKC3 Board.

Has the UKC3 programme led to increased representation of clusters (and therefore regions) in cyber security organisations / greater knowledge sharing between clusters and UK government?

UKC3 clusters have been engaging and working with a number of cyber security organisations and government departments. For example:

• some clusters were able to cooperate with the UK Cyber Security Council on a taxonomy of cyber security roles project due to the support received from the UKC3 programme
• a number of clusters were involved in communicating the challenges faced by their members to the DCMS skills team, in order to help address the cyber security skills gap
• initiatives have been funded by DCMS (via the UKC3 programme) into some regions of the UK with the longer term view that they will generate further investment and be rolled out more widely. This includes:
  1. CyNam’s Investment Community Engagement Project (DCMS / UKC3 funded) which has resulted in the cluster forming relationships with 25 investors that are active in the cyber sector. Feedback from the UKC3 chair suggests these activities could be replicated in other regions to engage investors there
  2. two Cyber Wales projects that are designed to be rolled out more widely: the Cyber Security Body of Knowledge (CyBOK) project (centred around skills mapping) and the CRM project (centred around developing open source CRM software for use by clusters too large to use free tools however did not want to buy off-the-shelf products)^{[footnote 5]}
• the UKC3 programme has been working with DCMS, the Home Office, and the National Cyber Resilience Centre (NCRC) to influence changes in the CRC Trusted Partner model which focuses on a group of cyber businesses as ‘trusted partners’ potentially excluding other cyber firms in the regions

Feedback from the chair of the UKC3 Board also notes that it has formed links with the UK Cyber Security Council and other national stakeholders such as TechUK, NCRC, National Cyber Security Centre (NCSC), DCMS and Department for International Trade (DIT), as well as NCSC’s Cyber First and Cyber Explorers to ensure a joined up approach to skills development.

Recommendation 4: to illustrate increased representation and knowledge sharing we recommend the UKC3 programme develops case studies based on evidence and learning from more mature clusters that have increased regional investment in cyber security skills or increased cyber security innovation and business growth. These could help other less mature clusters learn and develop.

Has the UKC3 programme led to an increased number of local partnerships with schools and employers?

There is some evidence of formal partnerships between clusters and schools and employers, including: - one cluster establishing a formal project to support 90 individuals to gain an Information and Cyber Security Foundation (ICSF) qualification - the South-West cluster supporting skills training in Exeter College - another cluster delivering a Cyber First schools pilot

Other clusters suggested they have supported individual business members by referring them to schools, colleges and universities when looking for potential employees. This is an important area of work that clusters should be focused on and ideally should have targets for.

Recommendation 5: we recommend that UKC3 supports clusters to share best practice in this area with each other, for example how relationships with schools / colleges are developed and sustained.

Has the UKC3 programme led to better recruitment guidance focused on increasing diversity to support the adoption of more inclusive recruitment and skills?

The UKC3 programme has not developed recruitment guidance. However, the UKC3 Chair advised that if this is developed by individual clusters they will ensure it is shared across the cluster community.

Recommendation 6: we recommend the UKC3 programme coordinates the sharing of any recruitment guidance developed by individual clusters to avoid duplication and make best use of resources

2. Introduction, terms of reference and methodology

2.1 Introduction

RSM Consulting LLP were commissioned by the Department for Digital, Culture, Media and Sport (DCMS)^{[footnote 6]} to undertake independent evaluations of the CyberASAP, Cyber Runway and UKC3 programmes. The evaluations will help DCMS to understand the impact of these programmes and the findings will be used to inform the development of future interventions. This evaluation report relates to the UKC3 programme in its initial pilot year (2021/22). UKC3 is a programme funded by DCMS which aims to:

• build the capacity of the regional cyber security clusters
• raise awareness and understanding of cyber activities within regions and support the development of a healthy and diverse talent pipeline into the cyber industry
• support the creation, development, and growth of new cyber businesses within regions^{[footnote 7]}

2.3 Methodology

The evaluation methodology was agreed with DCMS and includes the following stages:

Scoping phase:

1. project initiation meeting: the project commenced with a project initiation meeting involving the evaluation team and DCMS to review and agree the stages of the work, approach and timetable, access to information and finalise arrangements for project management and progress updates
2. desk research and analysis: review of the strategic and delivery context for the programme and mapping was conducted to identify other sources of funding available to support the development of the UK’s cyber security ecosystem
3. review of programme documentation setting out rationale for funding measures: review of the programme business case, contract between DCMS and UKC3 Board, project initiation document, and previous research / theories of change to identify the rationale for the intervention and the outputs and impacts expected from it (based on this an evaluation framework was developed using a ToC approach detailing the activities, outputs, outcomes, and impacts expected to be delivered)
4. development of ToC: the final ToC (see Appendix B – Theory of Change) was used to inform the research tools that were developed, specifically the cluster lead and partner interview guides and the case study interview guide
5. evaluation plans for each programme: an evaluation plan was developed detailing the design and approach being taken to address the evaluation questions

Data collection:

1. analysis of programme monitoring information / impact information and published data: to inform the assessment of UKC3 programme performance against its core KPIs (as per the ITT) and those in the agreed ToC
2. consultations: with cluster leads / managers of every cluster (12) and regional partners (7) (see interviewees and interview questions used in Appendix C – Regional Partner and Working Group Interview Questions)
3. case studies^{[footnote 8]}: 4 in-depth case studies were developed to provide qualitative insight into the benefits of the UKC3 programme – these were selected to provide a representative sample across regions, sectors, if they were a working group lead / member, if they had received admin / programme funding and if they had evidence of outcomes, specifically

Table 1: Case Studies

Cluster	Region	Ecosystem lead or member	Skills lead or member	Innovation lead or member	Received admin / programme funding	Evidence of cluster outcomes
Cyber Wales	Wales		Yes		Yes	Yes
Northern Ireland	Northern Ireland				Yes	Yes
Scotland	Scotland	Yes	Yes		Yes	Yes
CyNam	South-west England	Yes	Yes	Yes	Yes	Yes

Note: where ‘n=’ is used during survey analysis, it is signifying the number of respondents responding in a certain way / to a specific answer choice, rather than the entire respondent base.

Analysis and reporting:

• analysis of monitoring data: to assess performance against targets

• contribution analysis: this focused on why the results have occurred and the role played by the UKC3 programme – it involved 3 key steps:

  (1) the evaluation team developed 4 contribution statements which describe the outcomes the UKC3 programme intends to achieve, and how the UKC3 programme intends to achieve them. The statements are based on the ToC outcomes and impacts (see figure 1). The statements are:

  • UKC3 programme support leads to increased collaboration and knowledge sharing between the regional clusters

  • the UKC3 programme helps to develop more interventions linked to regional needs

  • DCMS and the clusters improve their knowledge and understanding of regional activities and their strengths and weaknesses

  • clusters are increasingly represented at UK Cyber Security Council, Cyber Growth Partnerships, CRCs and cluster working groups

Figure 1: UKC3 Programme Theory of Change

(2) based on the data collected in the previous stages the strength of evidence was assessed against each contribution statement, as well as evidence of any other factors that have contributed. The evaluation then identified how strong the UKC3 programme’s contribution to each statement was

The strength of evidence was determined by reviewing:

• clarity
• frequency of a particular theme
• diversity of the stakeholders who provide the evidence (across cohorts, for example)
• emphasis placed on the evidence by stakeholders, for example if the stakeholder stressed that what they said was important to them
• the sources of evidence reported by stakeholders
• availability of the evidence across primary, monitoring, and monitoring information data

High strength of evidence includes:

• evidence that is articulated clearly and frequently, by different stakeholders without the need for probing
• where the survey findings show high rates of “strongly agree / disagree” and similar responses across different measures

(3) the contribution of the UKC3 programme to the expected results as described by each contribution statement was then assessed as strong, some, or negligible, with:

• strong contribution meaning that UKC3 programme activities contributed substantially to the observed results
• some contribution meanings that UKC3 programme activities contributed to the observed results but not substantially
• negligible contribution meanings that the UKC3 programme had no or minimal contribution to the result
  
• cluster blueprint: the UKC3 programme interview analysis and case study findings have informed an assessment of whether there are common practices that successful clusters share
• reporting: included a progress presentation, interim and final reports, a final presentation, and a closing workshop with DCMS which will act as a learning event

Issues / limitations:

• no interviews were conducted with SMEs or stakeholders who are members of the clusters: therefore, reports of outcomes or impacts emerging for cluster members are based on the views of cluster leads

• timeframes for measuring impacts: it is too early for impacts to have materialised from most of the clusters / cluster funded projects. However, clusters reported outcomes such as an increase in their ability to plan and develop cluster strategies due to administration funding received which could lead to impacts in the future.

3. Rationale and programme overview

This section details the rationale for the UKC3 programme as well as the strategy and delivery context.

3.1 Review of the strategic and delivery context

3.1.1 Policy

The UKC3 programme was expected to contribute, or has the potential to contribute to, a number of key national strategies, as set out below:

Table 2: Strategic context

Strategy	How the UKC3 programme is expected to contribute
National Cyber Security Strategy (2016 - 2021) - supports the creation of a growing, innovative and thriving cyber security sector in the UK. National Cyber Strategy 2022 – focuses on strengthening the UK Cyber Ecosystem	The UKC3 programme was expected to contribute to these strategies by supporting clusters to drive growth of the cyber sector within their nations and regions, encouraging greater collaboration across the UK’s cyber ecosystem. It was expected to help to establish structures, partnerships and networks that promote collaboration, knowledge exchange and sharing of best practice between cyber clusters that would help to develop the ecosystem, promote innovation, and grow cyber skills.
DCMS UK Digital Strategy (2022)	The Digital Strategy includes a focus on spreading digital prosperity and levelling up. By supporting regional clusters, the UKC3 programme was expected to contribute to the development of tailored and localised digital interventions to help generate economic growth across the regions. It was also expected to help support innovators and entrepreneurs outside London and the South-East and support local digital businesses via partnerships with local government, local businesses, and academia.

3.1.2 The UK cyber security sector growth and innovation space

The UK Cyber Security Sectoral Analysis published in 2022 suggests the UK cyber security sector is growing rapidly with:

• approximately 52,700 Full Time Equivalents working in the cyber security sector (a 13% increase from the previous year), of which 64% work in large firms with over 250 employees
• an estimated revenue of £10.1 billion (an increase of 14% compared to the 2021 publication)

The UK has a reputation as a global leader in cyber security research, with 19 Academic Centres of Excellence in Cyber Security Research, four Engineering and Physical Research Council (EPSRC) - NCSC) Research Institutes, four Centres for Doctoral Training, the Centre for Security Information Technologies (CSIT) and the PETRAS National Centre of Excellence in Cyber Security of Internet of Things.

The 2022 UK Cyber Security Sectoral Analysis also notes that investment in cyber security firms has increased, with over £1.4 billion being raised in 2021 across 108 deals. In addition, the sector is playing a critical role in responding to emerging cyber threats and challenges, and the rapid proliferation of connectable products.

However, research in 2020 found that significant long-term investments in other nations, especially the USA, France, and Germany, are leading to the development of large clusters of research excellence. This can pose a threat to maintaining the UK’s position as a leading nation for research and innovation in cyber security, given a potential brain drain from the UK. It suggests a need for the UK to further invest in cyber security research in various forms, including clusters of research excellence in cyber security, doctoral research funding to train future research and development leaders in cyber security, and national research facilities.

There are several challenges within the sector and the existing cyber cluster landscape. Specifically, the DCMS business case for the UKC3 programme highlights that:

• most clusters in England do not receive government funding and are dependent on voluntary effort – this is limiting the cluster growth due to limited time and energy being invested by the volunteers. The case suggests channelling a stream of funding towards cyber clusters is necessary to maximise the potential impact they can have in promoting regional growth
• there is a lack of awareness across SMEs regarding the government cyber initiatives which limits their effectiveness – The case suggests that by increasing the financial support of cyber clusters around the UK, they can play a greater role in increasing the awareness of government-funded projects across local SMEs maximising the impact of cyber initiatives on the growth of SMEs
• the sector experiences regional disparity – according to the 2022 Cyber Sectoral Analysis 53% of Cyber Security firms are registered in either London or the South-East, with only 2% of the firms in Northern Ireland, displaying a sharp regional disparity across the UK. Therefore targeting government funding towards cyber security clusters could help address this key issue by fostering regional growth
• SME growth is needed – the 2022 Sectoral Analysis also noted that 85% of 2021 investments targeted large-medium firms. Supporting the growth of regional cyber clusters could facilitate the growth of local small-micro firms which may otherwise struggle to receive enough funding from the private sector
• there is a trend of variance in cluster development – currently the regional clusters have varying levels of establishment, different structures, and different strategic directions, creating a mixed landscape

3.1.3 Mapping of other programmes

The UKC3 programme is part of a wider ecosystem of cyber security growth and innovation programmes across different stages of the ‘innovation pathway’. It is focused on supporting the regional and national clusters that are helping tackle barriers to company growth, developing digital skills and providing firms with a new route to develop their business acumen.

The UKC3 programme is also complemented by other government and private sector initiatives with a cyber security element, illustrated in the following table:

Table 3: Mapping of other programmes

Project name	Target group	Start and end date	Funders and funding	Expected outcomes
Cyber clusters	Regional businesses	Varying formation dates	Varying – devolved clusters receive government funding while others depend on voluntary effort.	The UKC3 programme supports cyber clusters to drive growth of the cyber sector within their nations and regions, encouraging greater collaboration across the UK’s cyber ecosystem.
Cyber Security Information Sharing Partnership (CiSP)	Professionals who have an obligation for cyber security within their organisation	Platform was set up in 2013 and is still ongoing today.	Joint industry and government initiative run by the NCSC.	CiSP is an initiative which allows UK organisations to share cyber threat information, creating a secure environment to engage with industry and government counterparts. This is expected to allow users to learn from the experiences, mistakes, and successes of other users while also being a source of advice.
Department for Levelling Up, Housing and Communities (DLUHC) Cyber Support Fund	Councils	Ongoing	DLUHC Cyber Support team is making funding available to councils to support specific remedial activities.	The funding can be used to improve the resilience of a council’s backups and security posture to address all areas of the DLUHC cyber report to minimise the impact of a ransomware attack.

Information above accessed February 2022

There are several programmes available to support innovation with the UK’s wider cyber security ecosystem. However, there are no other initiatives at the time of this report, focused on supporting the cyber clusters that exist or are encouraging greater collaboration across the UK’s cyber ecosystem.

3.1.4 Collaboration within cyber security firms and regional bodies in the UK

Some cyber security businesses in the UK engage with local cyber security clusters or local business and organisations such as Chambers of Commerce and artificial intelligence networks in their regional area to increase sales and increase their presence at industry events. They also work closely with regional universities and colleges where they get involved in activities such as updating and designing course content, training lecturers on digital security standards, and giving talks and demonstrations at universities.

The UK Cyber Security Sectoral Analysis notes that cyber security businesses in the UK rely on regional clusters and initiatives to network with each other. In the UK, 54% of cyber security firms were aware of these clusters (UKC3 clusters) and 59% collaborated with other cyber security businesses to improve their skills and their products. Getting involved with local cyber security clusters has proven beneficial to cyber security firms as they are able to access the latest information and knowledge in the industry as well as network and exchange ideas with people involved in cyber activities from a range of different sectors. The establishment of the UKC3 programme was needed to develop a common operating framework which would create a support network and foster collaboration for the clusters.

3.2 Programme overview and funding

3.2.1 History / background to the organisation

Clusters support innovation and growth through knowledge sharing, collaboration, infrastructure, a skills pool and career opportunities. Cluster networks often benefit from a wide membership, including industry, academia and government. This often gives them the critical mass to effect change and attract investment.

The 2022 Cyber Sectoral Analysis identifies that “one benefit of engaging with local Cyber Security clusters was having access to the latest information and knowledge, as well as networking with people engaged in cyber activities from a range of sectors. For example, as a result of being part of their local Cluster, one participant formed partnerships with local universities and police forces who were starting their ‘cyber journeys,’ i.e., looking to collaborate with local cyber security businesses. More generally, some participants felt these Clusters helped to raise awareness of cyber security among local businesses.”

Prior to the formation of the UKC3 programme, a DCMS funded project was delivered by a group of existing cyber cluster leads with the aim of defining a common operating framework and a governance model under which they could seek support and funding from central government. Involvement in this project was open to all UK cyber clusters with leads representing seven regions of England and the nations of Northern Ireland, Scotland, and Wales actively contributing to its development. The resulting framework was baselined and published in January 2021, followed by activity to develop the governance model which led to the formation of the UKC3 programme.

The rationale for the UKC3 programme was to provide an overarching cluster organisation that would formalise cluster governance and provide a route by which DCMS could provide funding. It was intended to act as a single voice for the cyber cluster community, representing the needs and interests of clusters and their members at a national level. This programme provides clusters with a clear route to funding and accreditation, as well as a network for knowledge sharing and increased participation across UK regions. UKC3 was established as a CIC.

3.2.2 Funding (2021/22)

DCMS funding was used to fund:

• administrative costs
• employment of a manager to oversee the work of the UKC3 programme
• cluster board members’ time commitment, which includes creating business plans for each of the three key themes (skills, growth and ecosystem development) and organising pan-cluster events, as well as standard board administrative tasks, such as finance and communications
• a cluster administration fund to increase the administrative capacity of clusters through paying cluster lead salaries and / or salaries of paid administrative staff
• projects within the regions relating to skills, growth, and ecosystem development

In addition, two grant variations took place increasing the original budget. Both variations used underspends from elsewhere within DCMS to allow the UKC3 programme to carry out further activities including marketing and administration activities.^{[footnote 9]}

Costs were monitored during regular progress meetings between DCMS and the cyber cluster board and benchmarked against comparable projects. The year 2 grant has been awarded and the value of the grant for years 3 and 4 is to be confirmed.

3.2.3 Key outcomes / impacts expected

The business case for the UKC3 programme outlines seven expected outcomes from which the success of the scheme in its pilot year (2021/22) can be evaluated.^{[footnote 10]} This includes:

1. the launch of the cyber cluster board
2. the increase in networking and knowledge sharing opportunities for cyber clusters
3. increased communication between clusters and the government, increasing the government’s understanding of regional activities and boosting the influence of clusters in policy making
4. the increase in the total number of UK cyber clusters
5. a more consistent stream of income for cyber clusters
6. wider adoption of strategies aimed at more inclusive recruitment, attracting candidates from a broader skills background and skills development
7. significant levels of engagement between the clusters and the Board which results in an increase in the number of funding bids and a significant number of clusters signing up to the operating principle and adopting the recommended governance structure

4. UKC3 programme process evaluation

This section details evaluation findings in relation to the UKC3 programme governance structure; key stakeholders, the application process, how the programme is delivered, and reporting requirements. It determines how effective the UKC3 programme has been in providing governance, direction, and structure to the cluster network.

4.1 Governance structure

The UKC3 programme is governed by a Board of directors made up of cyber cluster leads from across the UK. The Board of directors was operating on an interim basis for the first 12 months (April 2021 – March 2022) and members were appointed through a nomination and voting process which was open to all cyber cluster leads. Applications for funding from the clusters were assessed by the UKC3 Board in line with the cluster recognition assessment criteria.^{[footnote 11]} Each Board member has a single vote but cannot vote for applications involving their own cluster. In addition, an Advisory Group was established comprising cluster leads outside of the UKC3 Board from the Bristol & Bath, Northern Ireland, South-West and East of England clusters which provided input on processes such as cluster recognition and funding.

The governance structure for the UKC3 programme is outlined below:

Figure 2: UKC3 programme governance structure

4.1.1 Roles and responsibilities

The following table provides further detail on the roles and responsibilities of each organisation:

Table 4: Roles and responsibilities

Organisation	Role / responsibilities
DCMS	• the UKC3 programme is managed by a combination of policy and programme management staff supported by finance and commercial staff and analysts • DCMS policy leads join monthly UKC3 programme working group meetings to provide updates on relevant policy areas and to bring in other government departments such as Home Office or the NCSC
UKC3 Board Chair	The Chair is Director of the UKC3 CIC which: • chairs Board meetings • maintains and develops relationships with stakeholders • leads the work to define cluster recognition process and oversees its implementation
Interim Board	Responsibilities of the interim Board include to: • launch UKC3 programme and establish the interim Board • develop a UKC3 programme/cyber cluster strategy • secure grant funding from DCMS • establish fit-for-purpose process and governance around cyber cluster recognition and funding • administer, distribute and oversee funding to clusters in line with the defined processes • provide support and guidance to new and emerging clusters • represent clusters when engaging with national stakeholders • lead on monthly comms with UK cyber cluster leads • hold monthly progress meetings with the cyber cluster board of trustees to ensure that objectives and milestones are being met • conduct reviews: spending position, risk register, marketing and communications updates, cluster reports
Advisory Group comprising cluster leads outside of the UKC3 Board from clusters in: Bristol and Bath, Northern Ireland, South-West and East of England	The Advisory Group did not launch as planned due to difficulties securing the necessary time commitment from the members identified. The original plan was for the group to meet periodically (no fixed cadence was agreed) and for them to be consulted on major decisions around the recognition and funding processes. Due to capacity constraints (both theirs and that of UKC3 Board members) no regular meetings were scheduled. However, they were consulted on cluster recognition and funding processes and criteria. Going forward the role of the group will be reviewed when the new UKC3 Board is elected in Autumn 2022.
Cluster leads	The role of cluster leads is not predetermined by the UKC3 programme. Each cluster defines the roles and responsibilities within the cluster operating framework.[footnote 12]

4.1.2 Effectiveness of UKC3 programme in providing governance, direction and structure to the cluster network

This section discusses the effectiveness of UKC3 programme support and guidance to clusters as well as governance arrangements based on findings from interviews with cluster leads and partners.

Clusters have established formal governance structures - most clusters have steering groups composed of cluster members. The steering groups, also referred to as steering committees or Boards, support the cluster management team and are a mechanism to communicate the needs of members to the cluster leadership.

Some cluster managers or leads are volunteers who also run their own companies. However, many now receive funding from the UKC3 programme to pay for the time they spend managing the clusters. In addition, most clusters draw on paid staff, either full time or part time, for administrative tasks as well as other tasks such as finance planning and budgeting.

Most clusters are set up as CICs. The small number that are not CICs are part of, and overseen and governed by their LEP. However, feedback from one cluster suggested that the latter organisational approach made applying for recognition more complex as they had to prove the effectiveness of their existing governance structure.

The UKC3 programme developed a common operating framework together with the cluster leads - the framework sets out how clusters should operate and to what purpose. Clusters must operate in line with the framework to be recognised by the UKC3 programme. While all cluster leads were familiar with the framework, very few said they had used it to guide their activities or their structures. Instead, all clusters confirmed the most effective support they received from the UKC3 programme was funding to pay for administrative staff. This funding has allowed clusters to effectively communicate with their members while enabling cluster leads to focus on forward planning and developing cluster strategies. As a result, one cluster has developed a cluster strategy that sets out its objectives and how it will reach these.

Cluster membership is currently free and open to anyone with an interest in cyber security - members come from cyber security businesses, cyber security related teams in larger businesses, and academia. Some clusters also have students in their membership while others are considering introducing paid membership models, however these clusters stressed they would first like to engage with the UKC3 programme and other non-cyber security clusters on how to design a paid membership model and what its advantages and disadvantages may be.

All clusters stressed they value the UKC3 programme as an organisation to which they can turn for advice. Areas mentioned by cluster leads include membership approaches or information about cyber security related activity outside of their regions. This suggests that the UKC3 programme is seen by the clusters as a valuable source of guidance and direction.

4.2 Programme delivery

This section assesses how the UKC3 programme has been delivered to date and any potential improvements to delivery.

4.2.1 Key phases / stages

Table 5 outlines the key phases of the UKC3 programme.

Table 5: UKC3 Programme: key phases of development

Phase	Dates
Design of programme	January to May 2021
Sign-off of design	DCMS did not formally sign off the design however was involved in the design of the programme.
Go live	June 2021
Delivery	July 2021 onwards
Completion	Currently, discussions between DCMS and the UKC3 Board are taking place to determine the point at which DCMS funding ends. The current date is 31 March 2025.

The UKC3 programme was formed in May 2021 after consultations with DCMS, cyber security cluster leads from across the UK, TechUK, NCSC and NCRC leadership / BRIM.^{[footnote 13]}

4.2.2 Communications and promotion

The UKC3 programme engaged a marketing company to work with the Board on communications and promotion. Specific areas include:

• designing the UKC3 programme’s website and branding
• promotion of the UKC3 programme as well as the clusters and their activities (to enable this, there are fortnightly calls which the cluster leads join to discuss activities they are conducting which the provider can promote – this focuses on stories illustrating what clusters do and achieve)
• developing press releases and website content, as well as social media content

Cluster leads indicated that the UKC3 programme communicates its activities and purpose well. For example, one cluster lead highlighted that “UKC3 [Board] speaks at events to help spread word of what UKC3 [programme] does and what we [the cluster] are trying to do and who the clusters are in the region.”

When asked what the UKC3 programme does to support cyber security ecosystems a regional partner suggested communication focused on “keeping each other updated on what is happening and what [the UKC3 programme and clusters] are doing.”

However, one cluster lead suggested communications could potentially be improved by making UKC3 Board discussions more transparent, for instance by providing clusters with minutes or notes.

There’s not a huge amount of visibility of what the Board are discussing: minutes aren’t circulated with the clusters and it would be good if clusters had more visibility of this. I can see how wider [the] network must feel as they are far removed from Board communication and feel disconnected.

- Cluster lead

Regional partners lack understanding of the UKC3 programme

We would welcome [the] opportunity to attend a webinar or presentation about UKC3’s [programme] ambitions and what they’re able to do.

- Regional partner

All regional partners interviewed for this evaluation, such as Business Resilience Centres (BRCs), have a limited understanding of cluster activities and the role of the UKC3 programme however want to learn more about its purpose and ways of working. One regional partner said, “we could be better sighted on exactly what the clusters do, especially around what the UKC3 programme does around getting some commonality” with partner activities. Engagement with BRCs could take the form of webinars hosted by the UKC3 programme.

4.2.3 Application process

Eligibility

To be formally recognised by the UKC3 programme, a cyber cluster must demonstrate that they:^{[footnote 14]}

• operate in line with the cyber cluster operating framework
• have a unique regional focus
• are a legal entity and a not-for-profit organisation, such as a CIC
• support cyber sector growth in their region/nation
• have appropriate governance in place
• represent/support a cyber ecosystem and potential membership base of sufficient size to enable the cluster to deliver tangible impact

For new or emerging cyber clusters that do not currently meet these criteria, the UKC3 programme offers support and guidance to help them.

Application process

Applications to become formally recognised by the UKC3 programme can be submitted at any time using an online form. Once a cluster has been formally recognised by the UKC3 programme they can apply for funding from either the cluster administration or project fund.

Funding rounds are opened each quarter and clusters are given a window in which to submit their funding application (available on request from UKC3 Secretariat and Treasurer). There are several themes against which an application can be made, including:

• cluster administration – ongoing support for established cyber clusters
• cluster projects – for one-off projects which will benefit the cluster in the areas of:
  • ecosystem development – focusing on strengthening and growing the ecosystem of 1 or more cyber clusters
  • innovation and growth – focusing on supporting the start-up and scales up communities, inward investment, or international trading
  • cyber skills – focused on supporting the generation of a cyber skills pipeline and promotion of cyber security as a career

Clusters are able to determine how they utilise funding however must also justify and outline the activities and impact they expect to deliver.

Each application is reviewed independently and applications with sufficient benefits and value-adding expected outcomes are strongly considered for funding. Those considered to be too narrow or small or too costly for the benefits realised are provided with feedback to allow the bid to be improved and re-submitted.

Those who do not receive funding due to oversubscription are given priority in the next funding round or, if there are funds remaining, a second bid may be approved for some cyber clusters.

Only one cluster discussed difficulties that arose during its recognition and funding application processes. These related to (1) receiving conflicting information and guidance from the UKC3 programme regarding the success of their application and changes to the application form / process that were not communicated and (2) that the funding application process could be improved by moving to an application system that is not email-based.

Initially, the cluster got an email late in the evening saying that we had been recognised as a cluster, but 20 minutes later another email came in saying that we were not accepted. There have also been examples where templates for funding applications were changed and sent out again without notice to say that the form had been changed… UKC3 [programme] has a CRM system as far as we know, but so far the cluster can’t submit bids and forms through that, which means that it’s not clear where things are in the process and there’s no rolling update.

- Cluster lead

The remaining clusters did not report any specific issues with the recognition or funding application process.

4.2.4 Support provided

The UKC3 programme provides clusters with a route to funding and recognition as a UKC3 cyber security cluster. The list of what the funding can be spent on includes (note that this list is not exhaustive):

• resources – people’s time
• event related costs such as room hire
• expenses incurred through travel and subsistence – for cluster and event attendance for guest speakers, for example
• expenses incurred through the management and administration of the cluster except for anything listed above as being exempt
• marketing and promotion, including digital platform costs

The UKC3 programme also provides opportunities for networking, knowledge exchange and sharing best practice identified at a regional or national level. Over the period, the UKC3 programme has established 3 working groups, an Ecosystem Development Working Group, a Cyber Skills Growth Working Group and an Innovation Join-up Working Group. The working groups were established to foster collaboration between clusters while addressing the UKC3 programme’s goals in relation to the cyber security ecosystem, cyber skills growth, and innovation. Through the working groups, the UKC3 programme encourages clusters to cooperate in these three areas.

In addition, the UKC3 programme provides guidance to new and developing clusters based on the experience of older, more established clusters. This includes meetings and calls, the provision of information and supporting documentation about how to become a UKC3 programme recognised cluster, and support with marketing and promotion activities.

Details on the outcomes achieved with the support provided are included in section 5 of this report.

Money / funding

One of the most beneficial aspects of the UKC3 [programme] offering was the money.

- Cluster lead

All cluster leads indicated that the funding received from the UKC3 programme was the most useful support. Clusters use funding from the UKC3 programme to pay the salaries of staff, such as administrators, which would not have been possible without the programme. The funding has helped clusters to deliver activities such as launch events much faster than if they had to rely on volunteers giving their time. Clusters used funding to “hire venues, get catering in, bring people in.” For instance, one cluster lead said:

One of key things offered to the cluster to launch was operational funding to employ marketing people which allowed the cluster to launch in a matter of months, which would have been slower with only volunteers.

- Cluster lead

Other clusters use the funding for project specific work such as developing CRM systems for their membership or developing a taxonomy of cyber security skills and job descriptions. On the latter project, the cluster cooperated with the Cyber Council. Cluster leads stressed that admin funding supported the delivery projects as well, for instance:

The administration funding was the most obvious [benefit], to solidify some of the work. There has been a huge project that we have managed to do, which is updating our membership lists. And the admin budget has been great for that.

- Cluster lead

While funding has been received positively by the clusters, some regional partners felt that more funding should be made available. One regional partner pointed to scope for additional activities to promote cyber security skills on school curricula.

Networking

UKC3 [programme] has facilitated much more cross cluster collaboration and lots of economies of scale has been gained.

- Cluster lead

All the clusters mentioned benefits from the networking opportunities that the UKC3 programme provided, both with others from within their own region as well as elsewhere in the UK. Clusters engage in conversations to enable knowledge sharing and peer to peer support, which was highlighted as particularly useful by a regional partner. In addition, one cluster suggested that the UKC3 programme has “put them on the map”, while a regional partner stated the programme is doing “a good job to promote the cyber industry in the UK.”

Knowledge sharing through networking also helps the clusters learn about government initiatives, for example one cluster lead noted:

The ability to network with other clusters and gain useful knowledge on how other clusters have done things is a benefit. It was a useful source of information on what is happening and what government initiatives are going on.

- Cluster lead

While relationship building was highlighted as effective by various cluster leads, one cluster expressed a preference for face-to-face meetings, suggesting that more face-to-face interaction between clusters would be welcome in future.

Almost half of the regional partners (n=3) interviewed suggested that the UKC3 programme would benefit from involving more, different people and not only the “usual suspects”. For example, one regional partner involved with UKC3 programme events noted “at the beginning we only called people who were trusted partners which felt wrong”, suggesting that improved, additional communications from the UKC3 programme are necessary to raise awareness among a wider group of stakeholders.

Advice and guidance

The support of the UKC3 programme provides knowledge of cyber security developments across the UK and helps find solutions to cluster problems by exploring what other clusters have done in the past. One cluster emphasised how approachable the UKC3 Board members were, describing them as “peers” and “not just a central organisation”, suggesting this helps them learn how best to run a cluster:

It is good to have the ability to talk to someone who you think you can go to and ask for advice and a point of view. It’s an approachable thing. They are practitioners who are experienced and involved in running clusters.

- Cluster lead

This was consistent with the thoughts of other cluster leads who found the funding application process very collaborative and felt that UKC3 Board members are open to feedback. However, one regional partner described the UKC3 programme as being reactive rather than proactive, stating that the UKC3 programme tends to answer questions instead of coming to the cluster with opportunities.

Working groups

Most clusters are involved in one or more of the working groups, with some attending all three and most leads are satisfied with the working groups.

Feedback from clusters involved in the innovation working group suggests that the purpose of this working group was initially unclear:

They work maybe too independently, and the [UKC3] Board needs to come together in part on the innovation group as it is not clear what needs to happen in it.

- Cluster lead

However, the working group lead suggested the group now has members from across the clusters and a renewed focus, including applying to the UKC3 programme for funding to deliver an innovation themed series of events.

4.2.5 Data, meetings, and reporting

The UKC3 programme has reported on all objectives set out in the grant agreement. However, these are process and set up related objectives rather than impact objectives.

There were monthly meetings between DCMS (policy and programme delivery) and the UKC3 chair and co-chair supplemented by a mid-year and an end of year report from the UKC3 programme which outlined what had been delivered. Feedback from DCMS suggests this, along with the monthly meetings, provided the information needed to determine if the programme was delivering as intended and no immediate issues were identified at that present time. Monthly meetings were also held between DCMS and the cyber cluster Board of trustees to review progress on objectives and milestones. The Board was responsible for providing the mid-year and end of year report capturing deliverables and progress against meeting objectives.

Clusters that have received funding are asked to complete a monthly report summarising the work undertaken and the activities and impact delivered. Most clusters do not yet have indicators to measure outcomes or impacts and emphasised that it was too early in their development to measure these. However, they are keen to develop them going forward and would welcome the UKC3 programme support to do this, with one cluster lead noting that to date there is “no clarity from UKC3 [programme] on what KPIs and quantitative or qualitative outcomes are expected.”

One cluster did have KPIs and targets for the project they delivered with UKC3 programme funding including a target to understand the investment needs of SMEs and start-ups and of investment companies. In addition, some clusters described monitoring their engagement and outreach activities focusing on member numbers, social media engagement, and attendance at events. Clusters do not yet have systematic approaches to recording KPI information or acting on engagement and outreach activities however showed ambition to do so.

We want to bring that in but not currently set up. We can track engagement and track attendees at events, but we don’t have a yearly tracker or anything like that.

- Cluster lead

4.3 Summary of key findings

Overall, the UKC3 programme has been delivered effectively to date, for example:

• all clusters were involved in designing a common operating framework that codifies how a cluster should work and what objectives it should pursue (the clusters have set up governance structures that are in line with the framework and have enabled them to apply for recognition by and/or funding from the UKC3 programme)
• UKC3 programme funding was used to pay administrative staff or cluster leader salaries which allowed the cluster leadership team to focus on strategic planning to meets members’ needs

Potential improvements to the UKC3 programme’s delivery relate to two aspects: more transparent and wider communication, and formulation of outcome success measures.

While the UKC3 programme has successfully communicated its purpose to clusters, regional partners stressed they are unaware of the activities that the UKC3 programme and clusters deliver outside of their own region. Webinars or other events could be hosted by the UKC3 programme to address this. In addition, the UKC3 programme could consider sharing notes of UKC3 Board decisions with clusters to enhance transparency. To date it has been appropriate for KPIs to focus on the set up and development of the UKC3 programme and its support for clusters. However, going forward the UKC3 programme should help clusters develop indicators that will identify and track the outcomes of their funded activities. Potential outcomes to measure should be guided by the UKC3 programme ToC and could include SME business outcomes such as new start-ups formed, numbers of jobs created, or revenue increases, as well as skills-related outcomes such as number of individuals who receive ICSF qualifications.

5. UKC3 programme impact evaluation - performance

This section provides an overview of the performance of the UKC3 programme against its KPIs, delivery objectives, and outputs as specified in the programme ToC. The sources used include UKC3 programme monitoring information as well as interviews with cluster leads, regional partners, and case studies.

5.1 Performance against key performance indicators

The UKC3 Board was given the mandate from cluster leads to deliver on several set-up objectives, and completion against each of these is outlined below.

Launch UKC3 programme and establish the interim Board – interim Board members were elected following establishment of the UKC3 programme as a CIC in May 2021. UKC3 Board member terms of reference were drafted and approved by the Board, and meetings have been held monthly.

Develop a UKC3 programme/cyber cluster strategy – strategy has been drafted with three strategic pillars: ecosystem development, innovation join-up, and cyber skills growth. Each of these pillars has a related working group with members from the clusters but also wider bodies (such as UK Cyber Security Council).

Secure grant funding from DCMS – grant agreement is in place with grant funding provided to the UKC3 programme.

Establish fit-for-purpose process and governance around cyber cluster recognition and funding – processes and governance arrangements have been put in place.

Administer and distribute funding to clusters in line with the defined processes – three funding rounds resulted in the UKC3 programme distributing funding to clusters for projects and operations.

Provide support and guidance to new and emerging clusters – a guidance document drafted and shared with clusters supports new and emerging clusters to set themselves up and operate in line with the operating framework. It includes guidance on areas such as “Getting started” for new clusters, information on the formal criteria for recognition by the UKC3 programme, and examples of activities that clusters can deliver.

Represent clusters when engaging with national stakeholders – UKC3 Board members formed relationships with NCRC Leadership, UK Cyber Security Council, TechUK and NCSC (UKC3 Board members have also attended events such as CyberUK, where clusters were able to attend and present with the UKC3 programme’s support).

Lead on monthly communications with UK cyber cluster leads – there are monthly cluster working group meetings chaired by UKC3 Board members.

Table 6: Performance against KPIs (2021/22)

Objective	Status	Notes from the UKC3 programme March 2022 report submitted to DCMS
1. Cluster recognition process defined and shared with clusters, with guidance on the application process and benefits of recognition outlined	Complete	“Process and form circulated to all clusters.”
2. Clusters invited to apply for UKC3 programme recognition	Complete	“Process and form circulated to all clusters.”
3. Cluster funding application process established by the UKC3 programme, with clear criteria for funding set out (clusters’ proposals must meet DCMS and UKC3 programme objectives to drive ecosystem development, innovation, and skills growth) and application guidance for clusters created and shared	Complete	“Process and form circulated to all clusters.”
4. Map of expected funding, ensuring that expected allocation would result in a fair distribution and meets ecosystem development, innovation and skills growth equally	Complete	“Process agreed by UKC3 Board.”
5. Clusters officially invited to apply for funding	Complete	“Process and form circulated to all clusters.”
6. UKC3 programme to work with the clusters to identify opportunities for sharing knowledge, processes, systems and events. Monthly meetings to be held with clusters to share opportunities and gather feedback on the progress of UKC3 programme, ensuring that clusters have input, including those less well represented	Complete	“UKC3 [programme] has now taken over the UK cyber clusters monthly meeting.”
7. Information about the UKC3 programme and new cluster opportunities updated on Cyber Exchange[footnote 15]	Ongoing	A relationship with Cyber Exchange has been developed. Cyber Exchange lists information about each cluster on its website
8. Develop an overarching cluster support strategy. First draft shared with DCMS for comment. Discussion to take place at the first monthly meeting with DCMS	Complete	Strategy approved in July 2021 by UKC3 Board. Discussed with DCMS in August 2021
9. Minimum of six clusters have applied for funding	Complete	As per the end of year report, all 12 clusters have now applied for funding
10. Assessment of cluster funding applications completed, and funding mapped to ensure that it would be fairly distributed and meet DCMS and UKC3 programme objectives to develop the cyber ecosystem, innovation, and skills growth. This will consider anticipated applications not yet submitted	Complete	“First round complete. Some carry forward to second round.” Note, as per the end of year report, two rounds of funding applications were assessed and completed. Projects have been funded across two pillars (ecosystem and skills growth).”
11. Working Groups for each area established	Complete	N/a Note, as per the end of year report, one working group was established for each pillar
12. Second round of cluster bids for funding Communications with clusters to encourage them to apply for funding if yet to do so. Funding re-mapped to understand areas that may need targeting, both regionally and in terms of objectives: skills, innovation and ecosystem	Complete	“Announced at the cyber security cluster working group on 15 September. Eleven bids received which will be assessed at the UKC3 October Board.” Note, second round of funding applications completed as per the end of year report
13. UKC3 programme supported initiatives developed for each area	Ongoing	Working groups were established for each area in June 2021. Projects were funded for two of the three areas (skills growth and ecosystem development)
14. More clusters are officially recognised through the Board’s accreditation process	Complete	Based on UKC3 programme’s end of year report, 12 clusters have been formally recognised. One more cluster (Surrey) is in the accreditation process
15. Mid-year report	Complete	Document was agreed by the UKC3 Board and reviewed by DCMS

Source: UKC3 programme March 2022 report to DCMS, UKC3 programme End of Year Report FY21/22, UKC3 programme responses to RSM questions.

Based on available reports from the UKC3 programme to DCMS, the UKC3 programme has met all objectives that had clear targets for the period 2021/22. However, as there were no specific targets set on the number or types of initiatives, it is not possible to conclude on whether these have been fully met or not.

The UKC3 programme’s end of year report to DCMS noted that funding allocated to clusters was used to create 19 new roles and deliver 110 events^{[footnote 16]}, as well as a variety of other activities.^{[footnote 17]} The events included, for instance, school presentations by the Yorkshire Cyber Security Cluster or a Cyber Fest held by Cyber North. Other activities undertaken to date include the translation of Cyber Wales’s website into Welsh, the development of cluster CRM systems and research into Northern Ireland’s cyber security sector by NI Cyber.

5.2 Performance against the Theory of Change

5.2.1 Thematic activities

In addition to the work completed and detailed in section 5.1, the UKC3 programme’s reporting to DCMS also details activities regarding the three thematic working groups: Ecosystem Development, Skills Growth, and Innovation Join Up. These activities are summarised in the table below.

Table 7: Thematic activities

Theme	Activities
Ecosystem Development	Five working group meetings held and agreement on the focus of the group, 2 events held (cluster management strategies and development training / a pan cluster event), cyber cluster meeting in Cheltenham, and regional events attended.
Skills Growth	Work has commenced on a new taxonomy of cyber skills and to map the current and potential skills development work against this taxonomy, to date the identification of career paths / typical jobs roles and analysis and definition of skills has been completed.
Innovation Join Up	First working group meeting held and thereafter activity has been centred around connecting the Innovation leads of UK clusters through the creation of UK cyber specialism communities. To achieve this aim, the working group has asked all cluster regional leads to complete a survey to inform the direction and focus on the group. Meetings are now bi-monthly.

In addition, feedback from the UKC3 Board chair highlights that clusters have been engaging and working with a number of cyber security organisations and government departments, for example:

• to help address the cyber security skills gap, a number of clusters have been involved in feeding back the challenges faced by their members to the DCMS skills team
• the UKC3 programme and clusters raised the need for support to activate the investment community in their areas, which led to initiatives being funded by DCMS through the UKC3 programme into some regions of the UK with the longer term view that this could be rolled out more widely across the UK
• the UKC3 programme has been working with DCMS, the Home Office, and the NCRC to influence changes in the CRC Trusted Partner model which was focused on a small percentage of the cyber community as ‘trusted partners’, excluding other cyber firms in the regions^{[footnote 18]}

5.2.2 Outcomes

This section discusses outcomes from the UKC3 programme, support provided to clusters for SMEs, the cyber security ecosystem, and the public sector. Most outcomes to date have occurred for the clusters themselves and the regional cyber security ecosystems. While clusters stage events and meetings, disseminate information, and signpost relevant opportunities to SMEs, they were unable to identify many notable outcomes for SMEs at this stage. Similarly, while UKC3 programme support has strengthened the cyber security sector’s voice, it has not yet led to public sector outcomes.

Cluster outcomes

The funding received through UKC3 [programme] has been invaluable in setting up and growing the cluster’s administration capacity.

- Regional partner

An important outcome of receiving funding to pay for staff has been the ability to strategically plan cluster activity. For example, one cluster has developed a cluster strategy structured by the pillars of ecosystem development, skills development and growth, and innovation. This strategy has helped the cluster to focus on delivering activities that support these three areas, aligned with the UKC3 programme working group themes.

Case study insight: for Cyber Wales, the primary benefit of the UKC3 programme has been the improved ability to plan how best to support members. Funding for administrative staff has been pivotal in this context as it has allowed the management team to focus on the big picture and less on day-to-day delivery. Projects funded by the UKC3 programme, such as one that maps the cluster’s members, their needs, and sectors, will help the cluster identify needs specific to individual businesses, thereby further improving the cluster’s future potential to help SMEs and other cyber security stakeholders in Wales.

Cluster leads reported that:

The access to funding, gives us the ability to scale up what we are already doing.

- Cluster lead

Alongside networking with one another:

• one cluster lead emphasised their improved ability to communicate with cyber security professionals and facilitate collaboration with them
• another cluster highlighted the assistance that the UKC3 programme provided with sourcing speakers to take part in their events
• a further cluster felt that meeting stakeholders had “enormously” improved their understanding of the market

Clusters suggested such networking would not have been possible without the UKC3 programme. While networking with the public sector was mentioned less frequently, a small number of cluster leads referred to improved networks with schools and education institutions regarding their training courses and opportunities for students in the cyber industry. For example, one cluster is delivering a Cyber First Schools pilot project for NCSC in the South-West of England and another successfully applied for funding to educate 60 children and 30 businesspeople for an ICSF qualification.

Cyber Wales discussed how the UKC3 programme support has helped to professionalise the cluster and its activities. The Cyber Wales case study is included below to illustrate the impact the UKC3 programme has had on clusters:

Case study – Cyber Wales: professionalising the cluster

About the case study cluster

Cyber Wales is the UKC3 programme accredited cluster for Wales. It is an umbrella body for eight Welsh clusters which all focus on cyber security-related themes. In 2014 the first cluster was established (the South Wales Cluster). It was followed in 2015 by the North Wales Cluster with others being established over following years. For example, a Data Privacy Cluster and Women in Cyber Wales. In early 2020, Cyber Wales registered as a CIC, adding a Steering Board to its management and governance structure. In addition to ‘domestic’ clusters, Cyber Wales also supported the establishment of a Middle East Cluster as members of Cyber Wales had a strong relationship with the Middle East and South Asia.

Context and challenges faced

Before the UKC3 programme was established, Cyber Wales’s members numbered around 900 organisations with 2,500 individuals. It was becoming increasingly difficult for the Cyber Wales team, all of whom were volunteers, to engage with each one of these members. This meant that it was difficult to understand the needs and challenges of individual members, or to know what their specific business was. In addition, Cyber Wales’s activities were self-funded by the Cyber Wales team, meaning that they paid for events, one of the main outputs for members, and material such as banners. With eight clusters forming part of Cyber Wales, one issue that arose was that each cluster, with its own leadership, sometimes planned and conducted events on their own not knowing that other clusters might be doing similar things but differently.

Cyber Wales realised that they needed to develop stronger, more professional governance, including better reporting to know who the members were, what needs they had, and what events were taking place for who.

Another motivating factor was that Cyber Wales wanted to work more closely with UK government departments. The UKC3 programme has enabled Cyber Wales to deal with the UK central government more confidently.

For these reasons, Cyber Wales supported the establishment of the UKC3 programme as a body to improve the credibility of the cyber security clusters across the UK.

Support received from UKC3

In addition to the process of becoming a UKC3 programme recognised cluster, Cyber Wales has benefitted from UKC3 programme funding for administrative staff and projects. Access to other clusters across the UK has enabled Cyber Wales to network with and learn from other cyber security clusters. The UKC3 programme provides each cluster with a central point of contact that can provide information on cyber security related activities across the UK.

Cyber Wales used the project funding from the UKC3 programme for two projects: one was a CRM system to track Cyber Wales’s members, their sectors and business, their needs, and challenges. The second project, which is underway, was the development of a taxonomy of cyber security-related roles, job descriptions, and related skills. The purpose of the latter project was to identify typical job descriptions and required skills to improve how and what cyber security skills are taught. Another purpose was to improve how businesses advertise these roles and recruit for them. The UK Cyber Security Council, which is one of many cyber security related bodies which Cyber Wales is associated with, has been collaborating with the cluster on the taxonomy project. Cyber Wales pointed out that this collaboration was a specific benefit of the UKC3 programme: the Council had been working on a similar project and the UKC3 programme facilitated collaboration between the two to avoid duplication and pool resources.

Administration funding was used to recruit two administrators who support the cluster managers. The administrators help to communicate with members and plan events and maintain the cluster’s website.

The admin funding is number one, it was game changing and has allowed us to have that full time presence within the cluster.

- Cluster lead

Impact and benefits of support received

For Cyber Wales, receiving administration funding was the “number one” benefit. It enabled the cluster to professionalise the management of Cyber Wales as it no longer needed to rely on volunteers giving their spare time. In addition, paid staff delivering all administrative tasks allowed cluster leadership to focus on developing the cluster strategy in a way that best meets members’ needs. This is especially beneficial in combination with the newly developed Cyber Wales CRM system, which allows the cluster to track individual members’ needs. Furthermore, being able to engage with the UKC3 Board itself and through the UKC3 programme with the other clusters meant that Cyber Wales can now tap into a wider pool of knowledge to learn about and share challenges faced and solutions or approaches used by others.

Now governmental bodies know who you are, subtle change in their response to people asking about clusters is useful.

- Cluster lead

Cyber Wales also pointed to a more subtle benefit of the UKC3 programme and its cluster recognition process. As the UKC3 programme is DCMS-backed, it improves the credibility of individual clusters and the work they do. With respect to this benefit, Cyber Wales noted that DIT, for instance, is now more likely to respond positively to requests from clusters for support in conducting international work. In addition, government departments like DIT are more likely to know about the clusters, who they are, and work they do. Therefore, if international businesses contact DIT, DIT is now able to refer interested parties to the UKC3 programme and to clusters.

To date, much of the support received from the UKC3 programme has been focused on helping the cluster managers to run their clusters, while members of the ecosystem have benefited from opportunities to attend trade shows and cyber events on a Cyber Wales-funded stand. It anticipates an increase in the range of benefits from the projects started with UKC3 programme funding. For instance, addressing specific challenges faced by individual businesses that will emerge as the new CRM system is rolled out.

How the UKC3 programme could be improved and future outlook

Cyber Wales stressed that the UKC3 programme is a relatively new entity. As such, the cluster pointed out that any improvements needed are related to the UKC3 programme’s age and the need to test and try various approaches. Two specific areas were highlighted as having specific potential. The first was related to events.

At Infosec, [the] UKC3 [programme] have taken a stand, that is exciting to see. More support with events, that’s what members can’t access alone. This gives them access to opportunities they couldn’t have done otherwise, think this support should be encouraged and continued.

- Cluster lead

Cyber Wales noted that enabling cluster members to exhibit at, or participate in, events such as Infosec is very well received by members. In addition to facilitating participation at such events, the cluster also suggested that the UKC3 programme could support clusters who are located in similar regions to collaborate further, and to conduct regional-focused events. The second was to internationalise the support offered to clusters and cluster members. This could include involving DIT in the UKC3 programme alongside DCMS, where possible.

Cyber Wales is a well-established cluster with 2,500 individual members. It conducts a variety of activities to support its members. In future, Cyber Wales wants to see, and support, the establishment of more cyber security clusters. It also wants to explore ways to develop the cyber security ecosystem across the UK in collaboration with existing and new clusters as well as the UKC3 programme. Finally, now that Cyber Wales has set up new governance structures as a CIC and is recognised by the UKC3 programme, the cluster is looking forward to leveraging its strengthened strategic capacity for the benefit of its members.

Outcomes for SMEs

Clusters provide a variety of support for members, this includes:

• gathering members’ views on what the cluster should do and focus on - this enables clusters to deliver activities that best address members’ needs, leading to some support offered to members being ad-hoc and individual in nature as it responds to members’ queries (for instance reviewing business pitches to investors)
• events for members - most clusters hold events that include speaker presentations for their members, with one cluster engaging in these monthly, another cluster encourages members to attend large scale events to ask questions to industry experts and meet with other stakeholders in the sector (in one instance, a cluster paid for a stand at CYBERUK for SME members to join the event)
• mentoring and sharing lessons - at least one cluster expects members to offer their time to mentor others, to attend a minimum of three meetings or contribute to a meeting once every twelve months
• communication - at least one cluster has set up and maintains a slack channel for members to share challenges they are facing and connect with other members who have faced or solved similar challenges in the past
• sign-posting – clusters signpost members to available opportunities when they need funding or support, clusters also point their members to services that will help them to grow and develop, with one cluster lead highlighting the importance of this for saving businesses time and making the industry more transparent

Clusters suggested that, because of these UKC3 programme activities, SMEs and other members are more able to network with other businesses, investors, and education providers. For example, in one large region of England a challenge was people from across the region struggling to come together for meetings. To address this, the relevant cluster developed a bespoke approach whereby the region was sub-divided into four geographic areas in which events took place to reduce the need to travel long distances.

Ecosystem outcomes

One regional partner believed that UKC3 programme funding “has helped to build the cyber security industry in its own right [and] not a tail end of the digital industry.” Similarly, a cluster lead also noted that the UKC3 programme has helped to improve the focus and the profile of the cyber security industry.

UKC3 [programme] also provides a single voice to work and lobby with DCMS instead of each trying to do that individually.

- Cluster lead

Other outcomes were reported. This includes:

• stronger communication between clusters – with one cluster lead stating it uses the UKC3 programme cluster network to “coordinate approaches” with other clusters (another cluster agreed, stressing that the sector is growing and that it is therefore important to know how the cluster activities complement other cyber security activities, including those of BRCs)
• enabling clusters to pitch for government work collectively – this is supported by a regional partner who indicated that an indirect benefit of networking through the UKC3 programme is that it “gives visibility of the size and strength of the cluster which can attract more businesses, talent and investment into the space” according to clusters

Public sector outcomes

Clusters were not able to identify outcomes from their UKC3 programme supported activities on the public sector in their regions due to the limited timeframe since the formation of the UKC3 programme. No clusters referred to any objectives to create public sector outcomes in the future.

To illustrate the outcomes which clusters have achieved for regional industry, the CyNam case study is included below.

Case study – CyNam: engaging regional industry

About the case study cluster

CyNam is the cyber security cluster for Cheltenham and Gloucestershire. The cluster was founded in 2016. At the time, it was an informal group of likeminded businesses and individuals with a cyber security background. Now, CyNam has five paid employees, a Board of Directors and around 4,000 individual members. The cluster has put in place a cluster strategy which focuses on the three areas of innovation, ecosystem, and skills growth – aligned with the UKC3 programme working groups. Across these three pillars, CyNam holds events including three headline events per year with typically 300 to 350 attendees. CyNam has used UKC3 programme funding to develop ecosystem engagement and innovation & growth projects, part of which involved delivering related events.

Context and challenges faced

For CyNam, the motivation to join and to build the UKC3 programme was twofold. One, was to be able to access funding to take forward aspects of its strategy. Like other clusters, CyNam’s leadership volunteered their time before the UKC3 programme. However, the cluster also wanted to be part of the wider cyber security activities across the UK and had to first learn about these activities and build relationships. As a part of this, CyNam was interested in learning about and influencing national cyber security strategies.

One of the challenges was engaging on a national level: how would we influence and have greater visibility on national strategic decisions.

- Cluster lead

CyNam has established sponsorship partners with businesses, which contributes towards funding its five paid employees as well as covering external costs associated with running the cluster and delivering events. CyNam is also a partner in the delivery of the NCSC for Startups programme as well as the NCSC Cyber First Schools South West Pilot. CyNam delivers services under these contracts and earns revenue on an “at-cost” basis.

Support received from the UKC3 programme

The UKC3 programme has provided funding to CyNam to develop and implement projects. These projects were an investor engagement project delivered in FY21/22 and an Agritech engagement project which commenced in July 2022. The investor engagement project aimed to improve the network of potential investors and funders which CyNam’s members have access to and also educated founders on the investment process. The Agritech engagement project builds on an existing sectoral strength in the cluster’s region and draws on the local higher education institutions as well, with an aim to explore the links and opportunities for growth between cyber security and Agritech.

In addition, the UKC3 programme provided funding which CyNam used to take a delegation of start-ups to the Slush event in Helsinki in December 2021.

Impact and benefits of support received

While it is not fully attributable to UKC3 programme support, the cluster has been able to develop a cluster strategy, built around the three pillars of ecosystem, innovation, and skills growth. UKC3 programme support helped the cluster to define its work around these three pillars, and to be more focused on activities that support these three areas.

Before we just delivered events and the connections and opportunities made were mostly serendipitous.

- Cluster lead

For cluster members, the investor engagement project successfully raised the profile of local start-ups among investors. It enabled the cluster to increase the level of investor-related support for members. In particular, CyNam focuses more on early stage investment as it identified early stage capital as a gap that was limiting growth opportunities. Overall, there are now more investors who are interested and actively engage in the region, and more investors who offer support for early stage businesses. There are also investors that have recently launched early stage funds specifically aimed at closing this gap. At a higher level, recognition as a cluster by the UKC3 programme has elevated CyNam’s reputation – and that of the other clusters. Recognition by a DCMS backed organisation means that government and public sector bodies take the cluster more seriously. The National Cyber Strategy 2022 explicitly references the UKC3 programme and each of the clusters, including CyNam, demonstrating an increased awareness of cyber security clusters in general.

CyNam was able to reference some examples of early outcomes for SMEs from the work the cluster has done using UKC3 programme support. For example, one American cyber security business has established its UK base in the region. While this may not be directly attributable to the UKC3 programme, the cluster believes that the support CyNam and the UKC3 programme offer influenced the company’s decision making. CyNam has introduced some regional SMEs to large companies in the local supply chains, opening up partnerships and leading to commercial opportunities.

Recent growth and projects funded by the UKC3 programme do not come without challenges:

We have grown quickly and taken on lots of different work. With increased projects and more people, there has been more demand on the cluster, and we are sometimes in danger of taking on more than we can realistically achieve and as a consequence disappoint people.

- Cluster lead

However, due to the improved strategic focus that the UKC3 programme has supported, CyNam is positive that it will be able to prioritise the most strategically advantageous opportunities going forward.

How the UKC3 programme could be improved and future outlook

For CyNam’s cluster lead, who is also a member of the UKC3 Board, it has at times been challenging to balance the requirements and demands of the two roles. With regard to this, CyNam stressed the importance of full time UKC3 programme staff, which can focus on UKC3 programme activities. A related issue is that the UKC3 Board terms of reference state that Board members who are also cluster leads cannot vote on funding applications from their own cluster. This is to avoid biased decision making. However, at the same time, the cluster lead said that application decisions can still be, albeit unintentionally, influenced by Board members’ cluster roles: that is, if a funding application is approved, that means there is less funding available for each Board members’ own cluster. This does not appear to be a large problem, but for CyNam, it is important that at the upcoming Board elections in late 2022, there are candidates elected to the UKC3 Board without a direct interest in any cyber cluster.

External figures on the UKC3 Board can help with the independence of funding decisions.

- Cluster lead

Case study insight: CyNam was able to describe some early outcomes for SMEs. While these are not systematic, they illustrate the types of SME outcomes that clusters can achieve. For instance, one SME that participated in a UKC3 programme funded project aimed at expanding investor engagement regionally, was able to secure $1 million in seed funding. The cluster acknowledged that it is not possible to attribute this only to UKC3 programme support, however suggested networks built through the project helped to achieve this. In addition, it was suggested that two other SMEs, which had not previously considered raising external investment, have become more aspirational in their growth plans and are now considering seeking seed investment to accelerate their growth.

Clusters were unfortunately unable to identify any individual or specific examples beyond the outcome themes highlighted above.

5.2.3 Impacts

This section discusses emerging impacts of UKC3 programme support on the regional ecosystems, skills and recruitment, and awareness of national or regional cyber security-related strategies. Currently, cluster leads, managers, and regional partners were unable to identify many impacts attributable to the UKC3 programme given that the programme is in its pilot year. However, it is evident that clusters have contributed to stronger regional collaboration through events and communication activities.

Regional ecosystem impacts

The UKC3 programme has enabled clusters to build and support communities and networks. For example, one of the cluster leads suggested the UKC3 programme has “enabled [the cluster] to build a community of more than 600 people”. Another highlighted that improved links with businesses has, for instance, resulted in collaboration on bids and tender responses.

In addition, by learning from other clusters, one cluster lead noted they are able to ask important questions, and as a result are more ambitious with their projects. For instance, the cluster built on skills identification work being undertaken by another cluster and are now aiming to engage with academics to further develop this work:

We would have started slower and are now thinking actively about the cyber security skills side for example: we know there has been some work already in terms of identifying the wide range of skills and the roles, and we want to take this forward with academics and tying that in with what companies want. They wouldn’t have thought of doing this, and not had the confidence to do it on our own.

- Cluster lead

Relationship building between industry stakeholders was also mentioned by a regional partner who highlighted the programme’s ability to increase “joined-upness” in the industry. However, some regional partners also suggested there is a risk that the UKC3 programme and clusters could duplicate the work of other organisations, including BRCs.

The Scottish cluster demonstrates how clusters can help bring together cyber communities:

Case study – ScotlandIS Cyber: helping Scotland’s cyber community

About the case study cluster

ScotlandIS Cyber is the cyber security cluster for Scotland. As part of ScotlandIS (the trade body for the tech industry in Scotland) the cyber cluster focuses on bringing together cyber companies, large employers who have internal cyber teams, universities, and individuals with a background in cyber security.

The cluster was formed in 2019 and currently has a full time cluster manager as well as additional resources depending on funding levels, who are employees of ScotlandIS. The cluster manager role had initially been funded through Scottish Enterprise and then by Scottish government since the formation of the cluster in 2019. ScotlandIS Cyber offers ad hoc activities and support including networking opportunities, signposting information, reviewing business pitches, and hosting events. It is active across the three pillars of innovation, ecosystem development, and skills growth. The ScotlandIS Cyber cluster manager leads the UKC3 programme ecosystem development working group.

Context and challenges faced

A number of factors motivated ScotlandIS Cyber’s involvement in the UKC3 programme. Firstly, through the UKC3 programme, the cluster gained access to additional funding to start new projects and run events for businesses active in the cyber security sector across Scotland. Additional funding would allow them to provide targeted support for specific groups such as for start-up and scale-up businesses. Aside from receiving funding, through participating in the UKC3 programme, ScotlandIS Cyber wanted to raise its profile and gain more national recognition as a cluster. By supporting the formulation of a national framework for how clusters work and what they are, ScotlandIS Cyber hoped to improve knowledge of cluster activities and benefits across the UK.

We wanted to be as fully involved with [the] UKC3 [programme] as possible, raise the profile of the Scottish Cluster to the level of other clusters, and to see the benefits of this.

- Cluster lead

The cluster wanted the opportunity to learn from the experience of other clusters, share findings and knowledge, and benefit from the support of peers in other UKC3 clusters.

Support received from the UKC3 programme

ScotlandIS Cyber received funding for projects in the current financial year and past financial year. Last year the funding went towards a project which focused on collecting and distributing information on start-up and scale-up businesses active in the cyber security sector across Scotland. Funding provided through the UKC3 programme allowed the cluster to gather information on these businesses and collate a contact list in order to contact the businesses directly with information specific to each business.

Being able to run a project focusing on the cyber start-ups and scale-ups was great. As part of the cyber cluster we are particularly keen to support this section of the community and help them to build good connections and raise their profile across the UK.

- Cluster lead

Building on the work of the previous year’s project, this year’s UKC3 programme funded project involves the cluster running a showcase for cyber security start-up and scale-up businesses in autumn 2022. The event will be an opportunity for 12 of these businesses to pitch to investors and consequently gain visibility in the sector. The start-up and scale-up businesses which are successful will receive a programme of training to ensure they can deliver high quality pitches to investors. The event requires lots of resources, such as funding for the training and hiring the venue – UKC3 programme funding has made this possible.

Impact and benefits of support received

For ScotlandIS Cyber, involvement in the UKC3 programme has been hugely beneficial. A key benefit has been the opportunity to learn from the experiences of other clusters, hearing about their projects and ideas as a source of inspiration as well as understanding the challenges they face. The cluster lead feels that the UKC3 programme has provided them with a valuable peer support network. This peer support is important to the cluster as cluster leads have unique roles and experience that no one else has.

The cluster’s involvement in the UKC3 programme has been very valuable. At a recent UKC3 programme meeting in Cheltenham, the cluster lead learned about alternative funding models used by other clusters. These involve, for instance, business sponsorship or paid membership models. Through connections made in the UKC3 programme, the cluster has gained knowledge on managing a cluster and benefitted from the knowledge and experience of more established cluster leads.

Helping each other out by making those connections is key. A lot of the role is connecting, seeing what others are doing and getting inspiration from that, rather than reinventing the wheel.

- Cluster lead

How the UKC3 programme could be improved and future outlook

ScotlandIS Cyber’s cluster lead highlighted that the UKC3 programme was still a very young organisation having only been established in May 2021. A great deal was achieved in year one but in hindsight the volume of workload for the Board may have been unanticipated and having dedicated resources, as is in place now, earlier would have helped the early stages of the organisation.

For ScotlandIS Cyber, there is still much work to be done in terms of raising the profile of the UKC3 programme and the clusters. They felt that despite the impressive work which has been done to date, there are still many people and organisations in the sector who are not aware of the UKC3 programme and the clusters. Again they felt that this is not wholly unexpected due to the organisation being just over a year old.

Looking to the future, the main worry for ScotlandIS Cyber is uncertainty around the future of the UKC3 programme funding and the impact a lack of funding could have on the cluster.

It would be a shame to see the momentum that the clusters across the UK have gained having to stall when UKC3 [programme] funding ends.

- Cluster lead

The cluster lead highlighted the need for a stronger focus on sustainable funding in order to ensure the survival of the cluster. More certainty around future funding is linked to the support which the cluster can provide, as an increase in time the cluster lead spends trying to access sources of funding will result in less time for the leads to support cluster members.

Skills and recruitment impacts

There are some examples of skills and recruitment impacts. For instance, individual clusters:

• applied for and received community renewal funding due to UKC3 programme support which helped the cluster to develop its governance structure (the community renewal funding means the cluster now has the remit to educate 60 children and 30 businesspeople for an Information and Cyber Security Foundation qualification – because of this, their membership has increased and their reputation in the industry has been improved)
• are delivering a Cyber First Schools pilot project for NCSC in the South-West of England
• are delivering a cyber security skills project with Exeter College^{[footnote 19]}

Clusters were unable to identify any further impacts on skills and recruitment at this stage. Some cluster projects (for example the skills and job description taxonomy project) will likely impact on skills and recruitment in the future by making it easier to consistently identify skills needed for each job, however evidence of this is not available within the timeframe of this evaluation.

Awareness and strategic impacts

Clusters were unable to identify impacts on awareness of national strategies at a regional level, or on regional impacts in line with national strategies. However, clusters stressed the positive outcomes of networking and sharing information, which suggests this is a likely impact in the future. One cluster also noted that the National Cyber Strategy 2022 referenced the UKC3 programme and cyber security clusters.

Case study – NI Cyber Cluster: increasing capacity

About the case study cluster

The NI Cyber cluster brings the cyber security industry together in Northern Ireland, which is particularly centred around Belfast. NI Cyber facilitates knowledge sharing, peer learning, discussions on shared challenges, and identification of potential collaborations and trade opportunities. Cyber security start-ups, micro companies, SMEs, and multinational corporations with cyber security teams located in the region, are involved in cluster leadership and management. The steering group is representative of the industry and the chair is the co-founder and Chief Executive Officer (CEO) of a Northern Ireland-based cyber security company. The cluster has over 40 members including CSIT, the Centre for Secure Information Technologies’ research of Queen’s University Belfast, which has worked with industry to co-found and lead the development of the cluster. There are over 100 companies working in cyber security in Northern Ireland, and the cluster continues to grow through engagement with the wider sector. During the pandemic, NI Cyber’s role shifted to a more operational one with the aim of supporting its members to continue growing their business and teams, and raising awareness of the importance of cyber security across the wider business community. With the support of the UKC3 programme, NI Cyber is excited about the next phase of its strategic growth and development.

Context and challenges faced

Northern Ireland has an international reputation for having a strong talent pool in cyber security which has attracted companies from across the world to the region. The founders of NI Cyber identified an opportunity to leverage this world-leading reputation for the benefit of the SME and start-up community, as well as to identify shared challenges and opportunities across the sector.

For a number of years, Northern Ireland has been the number one location for US cyber security companies establishing operations in Europe.

- Cluster lead

Pre-pandemic, they wanted to formalise the cluster as a company to support its development, and to have an entity to allow them to apply for support. They have previous experience with local government where the funding received needed to go to an existing client company, and the administrative burden of claiming the funding became significant. During 2021, NI Cyber identified other sources of funding locally which – after successfully applying – proved to be false starts due to administration challenges within the funding organisation. In comparison, the cluster feels that the UKC3 programme has a more straightforward approach whereby funding is paid into the cluster bank account rather than a cluster member’s bank account, enabling NI Cyber to also build a trading history.

NI Cyber became a limited company in 2021 with currently one named director. Therefore, a lot of the work is new, for example tasks such as setting up a bank account had to be carried out to enable them to receive the DCMS funding and take advice on governance.

One of the challenges faced by the cluster was regional specific, namely, to connect the local cyber security industry with venture capitalists based outside of the region, who bring different networks and expertise. The cluster has managed to tap into networks outside of Northern Ireland, both individually and through its partners, and believe that venture capitalists are more aware of the region’s vibrant cyber security sector.

COVID-19 impacted their strategic focus – for example, plans for in-depth member surveys were no longer appropriate as companies had to rapidly identify and implement new working and business models. Instead, NI Cyber sought to provide support by delivering webinars giving advice on topical issues such as security around working from home and then returning to the office, and podcasts promoting careers in cyber security.

Support received from UKC3

The NI cluster received six months of funding to recruit a cluster manager and for projects around their website, communications, and marketing. Recruitment of a full-time worker has been challenging due to the short-term nature of the role, as a six-month post does not seem to be appealing to candidates. After two recruitment efforts for a cluster development manager, they instead appointed a small consultancy firm to carry out the work for them. The cluster has secured additional funding from the UKC3 programme for a one-year cluster development manager post and is currently waiting for feedback on funding for another year, which will enable them to advertise a two-year role which would be more appealing in the jobs market. This level of full-time, sustained resourcing will be “game changing” for the cluster in terms of planning, development, and delivery.

UKC3 [programme] has funded us to recruit a cluster development manager from August to May. This is fantastic support though we know from experience that it will be difficult to recruit these skills for a short-term contract.

- Cluster lead

Impact and benefits of support received

The NI cluster praised the application process referring to it as “straight-forward, concise and targeted”. This is important especially when volunteers are involved as they have limited capacity to partake in time-consuming funding applications.

First one is the funding. it has been transformational for us.

- Cluster lead

The UKC3 programme has enabled the NI cluster to engage with other clusters that are at the same stage as them. This provided a sense of reassurance as it confirmed that the challenges they faced were programme wide and gave them an opportunity to find solutions collaboratively. While the cluster had pre-existing relationships with other clusters, these have been strengthened through the UKC3 programme.

The NI cluster has been involved in an array of conversations that facilitate cross-cluster knowledge sharing, for example, on Industry 4.0 with Midlands Cyber. Another example is that the NI cluster is adding a ‘call’ function to its website, as used on the Scottish BRC, having identified that there was no one place for NI companies to seek advice or signposting outside of law enforcement. However, these interactions can be quite time consuming for those employed on a voluntary basis and therefore the cluster highlights their need for a manager. The cluster feels that they will have more capacity to engage in UKC3 programme activities once they have recruited this dedicated worker. Their primary focus until then is to deliver value to their members within existing capacity, specifically prioritising a return to in-person engagement post COVID-19. Following the programme, they have identified continued increases in employment and Gross Value Added (GVA) but the NI cluster feels these trends are still too early to attribute to specific activities or programmes such as support from the UKC3 programme.

Other support accessed

The NI cluster has accessed various small amounts of funding from multiple sources. Two of these have been from Invest NI and some others from industry partners. They generally host their events within the Institute of Electronics, Communications and Information Technology (ECIT), Queen’s University Belfast (where CSIT is located), and recently attended Infosecurity in London with the UKC3 programme. They note that events such as this were disrupted by the pandemic, including their activities such as the Northern Ireland Cyber Security Roadshow to the US which was held in 2019, supported by Invest NI. The cluster is optimistic that these events will restart in the coming months.

In the absence of the UKC3 programme, the cluster would have sought alternative funding but highlighted that there have been no other programmes, similar to the UKC3 programme, which would have been sufficient. They are unsure of what the outcomes would have been due to their limited capacity. They rely on goodwill from cluster members who volunteer time and support, and funding to formalise this work is necessary.

How the UKC3 programme could be improved and future outlook

Meetings are a little long, according to the cluster who feel that they could be cut down from an hour and a half. The possibility of the UKC3 programme collaborating with ADS Group or other similar bodies was also suggested as a possible improvement to the programme.

To be able to justify dedicating time and resources to the UKC3 programme, it would be useful if the programme stated clear objectives. Despite the importance of the programme, the cluster believes that once the network is stronger, the need for support from the UKC3 programme may diminish.

Clusters give DCMS insight on what is happening in the regions and enable government stakeholders to disseminate opportunities to the regions (such as LORCA, Cyber Runway).

- Cluster lead

The cluster suggests that it would be beneficial to connect the UKC3 programme to cluster members but also acknowledges the potential for this to confuse things. They also feel that while UKC3 programme funding is great, it would be better if the timeframe was extended to allow for more delivery time.

…would be better if it was for 2 years. After application and other administrative processes, such as tendering and recruitment, you end up only having 8 months delivery time, [despite the programme lasting a year].

- Cluster lead

Looking to the future, the NI cyber cluster hopes to recruit more and gain deeper engagement with member companies. They will engage in making a career in cyber more attractive and continue to create more short videos and podcasts. They aim to connect marketing people across the cyber security industry and want to facilitate deep technical niche areas to allow for sharing best practice and learning about how other businesses innovate.

They would participate in another Cyber Growth and Innovation programme, and while requiring significant input of time, felt co-designing the support with DCMS and other clusters was valuable, noting support from DCMS was “brilliant”.

5.3 Contribution analysis

Based on the ToC outcomes and impacts, the following contribution statements describe the results to which the UKC3 programme is expected to contribute, ensuring that:

• supports lead to increased collaboration and knowledge sharing between the regional clusters
• the UKC3 programme helps to develop more interventions linked to regional needs
• DCMS and the clusters improve their knowledge and understanding of regional activities and their strengths and weaknesses, enabling strategy delivery
• clusters are increasingly represented at UK Cyber Security Council, Cyber Growth Partnerships, CRCs and cluster working groups

Using evidence gathered through interviews and case studies, and reviewing documentation provided by DCMS, the evaluation has found the following evidence of the UKC3 programme’s contribution to each of these results. The analysis also considers evidence of other factors that contribute to the observed result. The categories of contribution are:

• strong contribution - indicates that the UKC3 programme has achieved substantial results with few or no other contributing factors
• some contribution - indicates that the UKC3 programme has achieved some, but no substantial results with evidence that other contribution factors are at play
• negligible contribution - indicates that the UKC3 programme has not or not yet achieved any or only very limited results or that the results are effects of other contributing factors

In addition, the contribution analysis assesses the strength of evidence underpinning the contribution findings as follows:

• strong evidence - is evidence from multiple sources that is clear with limited need for interpretation or prompting
• weak evidence - indicates that participants and others discussed the result but that there is either only limited evidence for it materialising or that the evidence needed interpretation or prompts
• negligible evidence - indicates that there is no or very little evidence for the result

Table 8: Contribution analysis

Contribution statement	Evidence and other contributing factors	Strength of the UKC3 programme’s contribution to the result	Strength of evidence underpinning the findings
UKC3 programme support leads to increased collaboration and knowledge sharing between the regional clusters	Managers and regional partners provided numerous examples of knowledge sharing events and opportunities taking place, including through cluster working groups. Regional partners stated the collaboration and knowledge sharing outside of clusters could be strengthened to improve collaboration and to avoid duplication. Regional partners also pointed to other initiatives and organisations such as BRCs who facilitate similar collaboration.	Strong contribution: there is strong evidence that the UKC3 programme is improving the collaboration between clusters. We recommend that the UKC3 programme and clusters explain more of what they do and the results / impacts they are delivering to regional partners, via methods such as webinars.	Strong evidence: evidence emerges in interviews and case studies. While other organisations also deliver events and support collaboration, the UKC3 programme’s contribution to cluster knowledge sharing is nonetheless evident.
UKC3 programme helps to develop more interventions linked to regional needs	End of year reporting from the UKC3 programme identifies 10 projects, with four focused on specific regional needs, four on networking and meetings for members, and two on developing CRM systems to manage members. Clusters that developed and delivered regionally focused projects discussed these in their interview feedback and case studies.	Some contribution: the UKC3 programme has helped ensure interventions are linked to regional needs. To date, many clusters are focusing on administration funding, building their knowledge base, and communication with other clusters.	Weak evidence: evidence emerges in interviews, case studies, and project information received from the UKC3 programme (for example, end-of-year report). However, there is no evidence about the types of activities delivered prior to the UKC3 programme and if they were regionally focused.
DCMS and the clusters improve their knowledge and understanding of regional activities and their strengths and weaknesses	Consistently mentioned by clusters in interviews and case studies, with at least one discussing developing a CRM system for its members which will further enhance their capacity to understand regional activities. At least one cluster has implemented a Slack channel for members to communicate with each other. Administration funding has enabled cluster managers to focus more on strategy and planning based on feedback from members through events, meetings, and informal communications. Regional partners think more could be done to share this knowledge and understanding along with the purpose of the UKC3 programme and each cluster. Most clusters have been in existence since before the UKC3 programme. Therefore, they already have knowledge of regional needs, strengths, and weaknesses.	Some contribution: UKC3 programme has built on and strengthened clusters’ existing knowledge of regional needs, strengths, and weaknesses. However, there is no evidence DCMS have better insight of regional needs due to communication channelled through the UKC3 programme. We recommend the UKC3 programme further builds on this and shares examples of the work with other clusters (such as Member CRM system, communication channels being used, and how to continue to build knowledge of regions’ needs).	Weak evidence: improvement in cluster knowledge is mentioned across interviews and case studies. This evidence is clear with little need for prompts or follow up questions. However, no evidence of the UKC3 programme and DCMS regularly communicating and sharing understanding.
Clusters are increasingly represented at UK Cyber Security Council, Cyber Growth Partnerships, CRCs and cluster working groups	Through interviews with clusters and case studies, it is clear that all clusters are involved in at least one cluster working group. In interviews with BRCs and other regional partners, those partners mention that clusters partner with and communicate with partners such as BRCs, but that the UKC3 programme could make its purpose clearer. At least one cluster works with or is a member of all of these organisations. Clusters have been in existence since before the UKC3 programme. Some relationships predate the UKC3 programme, including also with LEPs. Others have been strengthened since the UKC3 programme, for example relationships with the UK Cyber Security Council.	Strong contribution: There is strong evidence to suggest that the UKC3 programme has strengthened the pre-existing relationships of clusters with various regional partners and national organisations.	Strong evidence: this was mentioned across interviews and case studies. Limited prompts needed, and evidence is clear with little or no need for interpretation.

5.4 Cluster blueprint

Analysis of data on how the clusters have used the grant money provided and findings from the interviews and case studies have been used to inform an assessment of common practices that successful clusters share.

A blueprint for success is outlined in the following table and is structured based on the European Cluster Excellence Initiative (ECEI) quality indicators focused on cluster management to assess: (1) structure, (2) governance and co-operation, (3) management, (4) services / support provided, and (5) achievements.^{[footnote 20]}

Table 9: Cluster blueprint

Quality indictor	Common practices that successful clusters share / activities
Structure and governance	• steering group / board in place and working groups as needed with a specific focus and remit • admin staff in place to support the work of the cluster
Co-operation	• cluster engagement is a priority • knowledge sharing and engagement events held • membership to include non-cyber practitioners (for example academia, corporates, and SMEs) • engagement with existing cyber security businesses in the region and potential interest groups • supporting start-ups’ growth and business development plans by offering them greater visibility
Management	• cluster lead / manager appointed • relevant job roles in place (for example marketing lead, community manager – as relevant to the cluster’s needs)
Services / support provided	• marketing plan and communications channels in place • digital platform in place • focus on key topics / issues to increase engagement in the ecosystem
Achievements	This is based on recognition of the cluster at regional / national or international level (for example in press publications), success stories and feedback from cluster members on outcomes being achieved, and satisfaction levels with the support provided. As the UKC3 programme has just completed its pilot year there is limited evidence of outcomes and recognition to date. However it is important for both the UKC3 programme and the clusters it supports to established success measures / metrics that are SMART and incorporate the above.[footnote 21]

5.5 Summary of key findings

Based on the available monitoring information, the UKC3 programme has been delivered as planned to date. Systematic approaches to monitoring performance going forward should be considered including (1) formulation of outcome KPIs informed by data collected from individual clusters as the UKC3 programme continues to support the work of clusters at a regional level as well as (2) KPIs in relation to the three working groups.

Some outcomes, especially for the clusters, have been achieved and clusters have very positive views about the support the UKC3 programme provides. For clusters, the strongest benefits have centred on developing bespoke projects, recruiting paid administrative staff, and communicating with other clusters. The latter cluster benefit has contributed to a stronger, more unified voice for the cyber security sector as whole, including government.

Based on the contribution analysis conducted, the UKC3 programme has had:

• a strong contribution to an increase in collaboration and knowledge sharing between clusters and to clusters’ representation at organisations such as the UK Cyber Security Council

• some contribution to the development of new interventions tackling regional needs and to DCMS’s knowledge of regional needs

It is possible that projects developed and started by the clusters will contribute to skills and recruitment outcomes, while improved networking among SMEs has the potential to help to address issues SMEs face in their growth and to help refine products or develop new products.

6. Conclusions and recommendations

This section outlines conclusions based on the evidence collected against the evaluation questions and recommendations to inform future programmes.

6.1 Process evaluation

Was the programme funding process delivered as intended? / How could this funding process be improved?

The programme was delivered as intended in the grant offer letter between DCMS and the UKC3 Board. Grant funding was used to:

• increase UKC3 programme and cluster marketing activities
• provide administrative and operational funding for newly recognised clusters
• provide transitional funding for April and May 2022 (to cover the gap between FY21/22 and funding being secured and allocated to clusters for FY22/23)

The UKC3 programme administered and distributed monies to support the work of cyber clusters via two main funds. These are the:

• Cluster Administration Fund - aimed at enabling clusters to bring in dedicated resource to help run and deliver the day-to-day activities of a cyber cluster
• Project Fund - focused on supporting cyber clusters to deliver specific projects or initiatives that focus on ecosystem development, innovation, or skills growth

When the UKC3 programme launched as a Community Interest Company (CIC) in May 2021 an interim Board was elected.^{[footnote 22]} It initially focused on setting up the processes needed to distribute funding to cyber clusters. These processes work as the majority of clusters did not report any issues with the UKC3 programme funding allocation process. Three working groups were set up in June 2021 as planned to focus on: (1) developing the ecosystem, (2) cyber skills growth, and (3) joined-up innovation. However these progressed slowly and were initially not funded, limiting the impact they could have and the speed at which progress could be made in the areas they were focused on.

In addition, there was a lack of dedicated UKC3 programme resource to engage with the clusters, meaning it took more time to respond to any enquiries and challenges raised.^{[footnote 23]}

How did the UKC3 programme and clusters use grant funding? / What worked well, or less well, for different clusters and why?

In its pilot year, the UKC3 programme used funding to recognise clusters in 12 regions and nations with a further two emerging clusters expected to be formally recognised in the next six months. The clusters used the funding on:

• supporting the development of digital platforms (for example website development or enhancement, or creation of a slack channel) – 67%
• knowledge sharing / engagement events – 58%
• staff recruitment – 50%
• marketing and communications – 50%

Most clusters indicated they felt supported by the UKC3 programme and that it provides a useful central point for communications and queries, for instance to learn about the work of other clusters. Further areas identified as working well for different clusters include:

• being recognised as a cluster by the UKC3 programme, which was seen by cluster leads as an asset that allows them to confidently communicate with government
• project funding to deliver skills development, innovation, and ecosystem development projects (for more established clusters)
• using a Customer Relationship Management (CRM) system for member communications, with feedback suggesting this system has provided more organisation and structure to previously “ad-hoc” communication to ensure ‘the right information gets to the right people’ However, regional partners suggested the UKC3 programme could do more to help increase communication across clusters and in doing so improve efficiency and avoid duplication of efforts or projects. All 7 regional partners interviewed for this evaluation reported a limited understanding of cluster activities and the role of the UKC3 programme, although regional partners are keen to learn more about its purpose and ways of working.

Recommendation 1:

• we recommend that the UKC3 programme develops a communication strategy, which sets out how they will ensure all clusters and regional partners are provided with the information they need on (a) the UKC3 programme business plan and objectives, (b) progress, achievements, and results being achieved, and (c) the on-going work across clusters, including cross cluster working and emerging best practice
• the strategy should detail the methods that will be used, such as reports setting out progress against objectives and webinars to communicate learnings and new initiatives

Did clusters experience any unexpected or unintended issues in the delivery of the programme?

A minority of clusters reported difficulties demonstrating that their existing governance structures met UKC3 programme expectations. The majority of clusters are set up as CICs while a small number who are not a CIC are part of, and overseen / governed by, their Local Enterprise Partnership (LEP). Feedback suggested this made applying for recognition more complex as they had to prove the effectiveness of their existing governance structure.

What can be learned from the delivery methods used by the UKC3 programme?

Feedback from cluster leads suggests the UKC3 programme approach has been working well, with cluster leads noting that:

• all clusters were involved in designing the common operating framework and have set up governance structures that are in line with it which has enabled them to apply for recognition by, and / or funding from, the UKC3 programme
• UKC3 programme funding to pay administrative staff or cluster leader salaries has been particularly effective as it has allowed cluster leads to focus on strategic planning to address members’ needs

Potential improvements to the UKC3 programme’s delivery going forward includes:

• more transparent communication on what other clusters are delivering
• supporting clusters with the measurement of outcomes from their funded activities

Recommendation 2: we recommend that the UKC3 programme develop SMART outcomes, linked to the UKC3 programme Theory of Change (ToC), for example:

Measure 1: increased representation on major cyber security groups from current baseline (to be established via engagement with clusters)

Measure 2: evidence of joint working between clusters (case studies to be developed by UKC3 programme)

Measure 3: UKC3 programme to identify gaps in ecosystem and demonstrate how these have been actioned

Measure 4: UKC3 programme to report on work involved in supporting clusters to deal with local needs. Monthly reporting on help to local clusters regarding meeting local needs and implementation

Measure 5: UKC3 programme to report on support provided to help clusters align with the National Cyber Strategy 2022 (NCS)

Measure 6: UKC3 programme to provide an annual report setting out state of the cyber security ecosystem and how their work has contributed to:

• an increased number of set ups / development and growth of cyber businesses within regions
• filling the gaps regionally
• greater collaboration between government, law enforcement, academia, educators, innovators, and industry
• increased regional investment in cyber security technology, skills, and services
• UK economic growth

6.2 Impact evaluation

Has the UKC3 programme led to more formalised cluster governance at a cluster level and at board level?

The UKC3 programme developed a cyber cluster operating framework in collaboration with cyber cluster leads. As part of becoming formally recognised and funded by the UKC3 programme, a cyber cluster must operate in line with the framework.

As a result, all clusters have formal governance arrangements. While feedback from cluster leads suggests the UKC3 programme did not have a significant role in establishing these, by making them a requirement of accreditation it ensures formal governance is in place.

Has the UKC3 programme led to an increase in the number of networking, collaboration and knowledge sharing opportunities and events between clusters and for cluster members?

All clusters offer events with the aim of growing the cluster ecosystem in their local areas and promoting networking opportunities. Many have developed event plans and in total 110 new events were delivered as of March 2022.^{[footnote 24]} Events included those focused on:

• knowledge sharing (for example events focused on defence)
• raising awareness of the cluster, its members, and work undertaken / planned (for example cluster launch events)
• member engagement following launch events (for example to ascertain member interest in active involvement with cluster activities)

Many clusters have also enabled members to attend cyber security events such as Cyber UK or Infosec, with cluster leads noting that without funding from the UKC3 programme, attendance would not have been possible due to the associated costs for most Small and Medium-sized Enterprises (SMEs).

Based on the contribution analysis conducted, the UKC3 programme has:

• strongly contributed to increased collaboration and knowledge sharing between clusters, and to clusters’ representation at organisations such as the UK Cyber Security Council
• had some contribution to the development of new interventions tackling regional needs and to the knowledge and understanding of regional activities by DCMS and other clusters

Has the UKC3 programme led to the delivery of pilot activities to support growth and skills?

The three strategic pillars underpinning the UKC3 programme’s work are:

1. Ecosystem Development
2. Cyber Skills Growth
3. Innovation Join-up

A working group for each of the three pillars above has now been established to foster collaboration between clusters, cluster leads, and sector experts. Each are at different stages of development with varying levels of activity and no evidence of outcomes or impacts from these are available at this time.

Recommendation 3: we recommend outcome and impact measures are developed for each working group, linked to their aims and critical success factors and reported on monthly to the UKC3 Board.

Has the UKC3 programme led to increased representation of clusters (and therefore regions) in cyber security organisations / greater knowledge sharing between clusters and UK government?

UKC3 clusters have been engaging and working with a number of cyber security organisations and government departments. For example:

• some clusters were able to cooperate with the UK Cyber Security Council on a taxonomy of cyber security roles project due to the support received from the UKC3 programme
• a number of clusters were involved in communicating the challenges faced by their members to the DCMS skills team, in order to help address the cyber security skills gap
• initiatives have been funded by DCMS (via the UKC3 programme) into some regions of the UK with the longer term view that they will generate further investment and be rolled out more widely. This includes:
  1. CyNam’s Investment Community Engagement Project (DCMS / UKC3 funded) which has resulted in the cluster forming relationships with 25 investors that are active in the cyber sector. Feedback from the UKC3 chair suggests these activities could be replicated in other regions to engage investors there
  2. two Cyber Wales projects that are designed to be rolled out more widely: the Cyber Security Body of Knowledge (CyBOK) project (centred around skills mapping) and the CRM project (centred around developing open source CRM software for use by clusters too large to use free tools however did not want to buy off-the-shelf products)^{[footnote 25]}
• the UKC3 programme has been working with DCMS, the Home Office, and the National Cyber Resilience Centre (NCRC) to influence changes in the CRC Trusted Partner model which focuses on a group of cyber businesses as ‘trusted partners’ potentially excluding other cyber firms in the regions

Feedback from the chair of the UKC3 Board also notes that it has formed links with the UK Cyber Security Council and other national stakeholders such as TechUK, NCRC, National Cyber Security Centre (NCSC), DCMS and Department for International Trade (DIT), as well as NCSC’s Cyber First and Cyber Explorers to ensure a joined up approach to skills development.

Recommendation 4: to illustrate increased representation and knowledge sharing we recommend the UKC3 programme develops case studies based on evidence and learning from more mature clusters that have increased regional investment in cyber security skills or increased cyber security innovation and business growth. These could help other less mature clusters learn and develop.

Has the UKC3 programme led to an increased number of local partnerships with schools and employers?

There is some evidence of formal partnerships between clusters and schools and employers, including:

• one cluster establishing a formal project to support 90 individuals to gain an Information and Cyber Security Foundation (ICSF) qualification
• the South-West cluster supporting skills training in Exeter College
• another cluster delivering a Cyber First schools pilot

Other clusters suggested they have supported individual business members by referring them to schools, colleges and universities when looking for potential employees. This is an important area of work that clusters should be focused on and ideally should have targets for.

Recommendation 5: we recommend that UKC3 supports clusters to share best practice in this area with each other, for example how relationships with schools / colleges are developed and sustained.

Has the UKC3 programme led to better recruitment guidance focused on increasing diversity to support the adoption of more inclusive recruitment and skills?

The UKC3 programme has not developed recruitment guidance. However, the UKC3 Chair advised that if this is developed by individual clusters they will ensure it is shared across the cluster community.

Recommendation 6: we recommend the UKC3 programme coordinates the sharing of any recruitment guidance developed by individual clusters to avoid duplication and make best use of resources

7. Acronyms and glossary

ADS Group	Trade organisation representing the aerospace, defence, security and space industries in the UK
BEIS	Department for Business, Energy and Industrial Strategy
BRCs	Business Resilience Centres
BRIM	Company contracted to deliver the CRCs in each UK region
CEO	Chief Executive Officer
CIC	Community Interest Company
CiSP	Cyber Security Information Sharing Partnership
CRC	Cyber Resilience Centre
CSIT	Centre for Secure Information Technologies
CyberASAP	Cyber Security Academic Start-up Accelerator Programme: a pre-seed accelerator programme to support cyber security innovation and commercialisation
Cyber Runway	A programme of cyber accelerators and bootcamps with three workstreams: ‘Launch’, developing proposals and establishing new businesses, ‘Grow’, providing business skills to help start-ups survive and grow, and ‘Scale’, building skills and networks to address barriers to growth nationally and abroad
CyBOK	The Cyber Security Body of Knowledge
DIT	Department for International Trade
DCMS	Department for Digital, Culture, Media and Sport
DLUHC	Department for Levelling Up, Housing and Communities
ECEI	The European Cluster Excellence Initiative
ECIT	Institute of Electronics, Communications and Information Technology
FTE	Full Time Equivalent
GVA	Gross Value Added
ICSF	Information and Cyber Security Foundation
KPI	Key Performance Indicator
LEP	Local Enterprise Partnership
LORCA	London Office for Rapid Cybersecurity Advancement
MoU	Memorandum of Understanding
NCF	National Cyber Force
NCRC	National Cyber Resilience Centre
NCSC	The National Cyber Security Centre
NCS	National Cyber Strategy 2022
PETRAS	Privacy, Ethics, Trust, Reliability, Acceptability, and Security
R&D	Research and Development
SMART	Specific, Measurable, Achievable, Realistic and Timebound
SMEs	Small and Medium-sized Enterprises
ToC	Theory of Change
UKC3	UK Cyber Cluster Collaboration

8. Appendix A - evaluation questions

Evaluation questions

Process evaluation questions: Was the programme funding process delivered as intended? How could this funding process be improved? How did the UKC3 programme and clusters use grant funding? What worked well, or less well, for different clusters and why? Did clusters experience any unexpected or unintended issues in the delivery of programme? What can be learned from the delivery methods used by the UKC3 programme?

Impact evaluation questions: Has the UKC3 programme led to: More formalised cluster governance, both at a cluster level and at Board level An increase in the number of networking, collaboration and knowledge sharing opportunities and events between clusters and for cluster members The delivery of pilot activities to support growth and skills Increased representation of clusters (and therefore regions) in organisations such as Cyber Council, Cyber Growth Partnership, Cyber Resilience Centres, Cluster Working Group Greater knowledge sharing between clusters and UK government An increased number of local partnerships with schools and employers Better recruitment guidance focused on increasing diversity to support the adoption of more inclusive recruitment and skills

9. Appendix B - theory of change

9.1 Introduction

A ToC explains how activities undertaken by a programme could contribute to outcomes and impacts. It includes linkages between:

• inputs: resources required to deliver the programme
• activities: what is delivered
• outputs: what the recipient receives from the resources or intervention (direct benefits)
• outcomes: long term results of activities and outputs achieved
• impacts: wider economic and social outcomes

9.2 UKC3 programme theory of change

The initial ToC was informed by complementary approaches. This included:

The initial ToC was informed by complementary approaches. This included:

• a review of programme documentation outlining the aims, objectives and anticipated outputs, outcomes and impacts for the programme
• a review of existing ToC for the UKC3 programme
• an internal workshop with DCMS stakeholders including those responsible for the design and delivery of the programme

The ToC is outlined on the following page.

Figure 3: UKC3 programme ToC

10. Appendix C - regional partner and working group interview questions

List of cluster leads interviewed:

• Scotland IS Cyber lead
• North East Cyber / Dynamo lead
• North West Cyber Security Cluster lead
• Cyber Wales lead
• Cyber East lead
• CyNam (Cyber Cheltenham) lead
• Bristol & Bath Cyber Cluster lead
• Swindon and Wiltshire Cyber Cluster lead
• Yorkshire Cyber Security Cluster lead
• NI Cyber (Northern Ireland) lead
• South West Cyber Security Cluster lead
• Midlands Cyber lead

List of regional partners interviewed:

• Cheltenham Borough Council (CBC)
• Cheltenham Festival
• IOTEC
• North East Business Resilience Centre
• GFirst LEP
• South West Cyber Resilience Centre

UKC3 Programme Regional Partners Interview Guide

Background information: role of the interviewee
1. Please tell me about your role, and that of your organisation.

The role and impact of the UKC3 programme
2. Please describe your understanding of the UKC3 programme?

3. What is your experience working with the UKC3 Board / Board members?

4. What does the UKC3 programme do to support regional cyber security ecosystems?

5. How would you describe the role of the UKC3 programme and regional collaboration?

6. What do you see as the main early impacts of the UKC3 programme for the sector?

7. And what do you see as the main early impacts for businesses generally?

8. In your view, what early impact has the UKC3 programme had on the public sector?

9. Are there gaps in the support which the UKC3 programme provides?

10. In your view, is there anything which the clusters or the UKC3 programme as a whole should not be doing?

11. And is there anything the clusters or the UKC3 programme are not doing but should be doing?

Closing the interview
12. Are there any final comments or thoughts you would like to share?

UKC3 Working Group Leads and Managers Interview Guide

Background information: role of the interviewee
1. Please tell me about your role in the cluster.

Cluster structure
2. Please describe the structure of your cluster

3. What processes do you have in place for governance and co-operation within your cluster and how effective are these?

4. What are the roles and responsibilities within your cluster?

5. How is the cluster led and managed?

6. What technology, tools and infrastructure are used within your cluster?

7. What is the current stage of your cluster’s development?

8. What services / support is provided to cluster members?

9. What are the success measures or Key Performance Indicators for your cluster?

10. Has your role in the cluster and its delivery changed over time?

Effectiveness of the UKC3 programme
The following questions are about UKC3 – UK Cyber Cluster Collaboration – programme: its structures and effectiveness.

11. What is your understanding of the UKC3 programme?

12. What is your view of the common operating framework?

13. What is your view of the working groups on Ecosystem, Skills and Innovation?

14. What aspects of the UKC3 programme have been most beneficial?

15. What aspects of the UKC3 programme have been least beneficial?

16. What role has coronavirus (COVID-19) played in the delivery of the UKC3 programme to date and in what way?

17. What other external issues have affected delivery of the UKC3 programme to date and in what way?

Impact of the UKC3 programme
The following questions are about early impacts of the UKC3 programme on your cluster and the cyber security ecosystem.

18. What have been the early impacts of the UKC3 programme on your cluster?

19. What does the UKC3 programme do to support the regional cyber security ecosystem?

Effectiveness of the cluster
The following questions are about your cluster, its activities and early impacts.

20. Is your cluster a member of organisations such as the Cyber Security Council, Cyber Growth Partnership, Cyber Resilience Centres, or the Cluster Working Groups?

21. Have you observed any conflicts within or among your cluster members?

22. Please describe how your cluster members collaborate with each other

23. What are the outcomes your cluster has achieved to date?

24. How has your cluster impacted on local businesses?

25. In your view, what impact have the cyber security clusters had on the public sector?

26. Are there gaps in the support which the cyber security clusters provide?

27. What have you learned from the delivery of the cluster?

28. Is there anything which the clusters or the UKC3 programme as a whole should not be doing?

29. Is there anything the clusters or the UKC3 programme are not doing but should be doing?

Closing the interview
30. Are there any final comments or thoughts you would like to share?

11. Appendix D - analysis of cluster funding and success

Funding used for	Number of clusters (% of total clusters)[footnote 26]	Activity	Success (examples of positive outcomes from activities sourced from the DCMS half year report as well as regional partner / cluster lead interviews)
Admin staff recruitment / retention Administrative / business management functions	3 / 12 (25%) used funding to recruit or retain admin staff members 4 / 12 (33%) used funding on these functions	Admin staff were either hired or retained to work across a range of functions, including: • website development • membership management • cluster engagement • meeting organisation Admin functions included: • the provision of monthly reports • a review of member lists • assessment of governance and risk management • budget management • the mapping out of a 2022 activity plan	• “The funding received through [the] UKC3 [programme] has been invaluable in setting up and growing up the cluster’s administration capacity” -regional partner quote • admin funding allowed cluster leads to have a full time presence • enhancement of governance functions • mapping out of 2022 activity plan allowed the cluster to highlight roles and responsibilities where additional support will be needed for delivery
Knowledge sharing / engagement events	7 / 12 (58%) used funding on knowledge sharing and engagement events	This included: • knowledge sharing (for example events focused on defence) and engagement events • a cyber practitioner conference • events aimed at raising awareness (such as cluster launch events)	• increased engagement in the ecosystem as a result of their focus on key topics / issues • new cluster members have engaged as a result of events • UKC3 programme funding allowed for travel internationally to attend an event
Management / co-ordinator / lead / delivery partner recruitment	6 / 12 (50%) used funding to employ project managers	Activities related to these roles included: • recruitment of new industry partners • recruitment of a community manager • recruitment of co-ordinators for areas such as skills and marketing and for each of the 5 knowledge areas in the CyBOK Skills Mapping project	• new industry partners have become involved in the cluster and feedback from all members has been positive • marketing lead in place • skills co-ordinator recruited
Marketing / Comms Webinars and presentations	6 / 12 (50%) used funding on marketing investment 1 / 12 (8%) used funding to provide webinars	Activities related to marketing and communication included: • raising brand awareness and promotion of the ecosystem to attract new partners and members • engaging marketing agencies • developing marketing materials (such as brochures) Activities related to webinars and presentations include: • continuation of monthly webinars to maintain member involvement and academic engagement • provision of 9 school presentations	• greater engagement with cluster members • enhanced marketing and cluster comms has led to an increase in membership • a greater understanding of the regional cyber sector has emerged as a result • implementation of a marketing plan
Digital platform development	8 / 12 (67%) used funding to develop their digital platforms	Activities related to digital platform development included: • creation of a slack channel • website enhancement • new website development • working with graphic designers • providing an information base for members	• increased number of connections made between start-ups, leading to increased innovation • new students are being reached as a result of social media presence • enhancing the overall reach of the clusters
Cluster engagement / networking (not including events)	5 / 12 (42%) used funding to expand both internal cluster engagement, and wider regional networking efforts	Activities related to cluster engagement and networking included: • bringing together the region to increase networking • increasing connections to other national networking organisations • engagement with potential interest groups • improve engagement with existing cyber security businesses in the region • responding to cluster enquiries • engagement with investors and other representatives from financial services firms • increase cluster member engagement by involving them in penetration testing and vulnerability assessments, for example	• increase in the number of collaboration, innovation and business development opportunities as a result of networking and delegation visits • supporting start-ups’ growth and business development plans by offering them greater visibility • engaging the cluster members in a more active role • increased engagement with other clusters has had a reassuring effect
Team / member recruitment	3 / 12 (25%) used funding to recruit team members	Activities related to team and member recruitment included: • promoting recruitment pathways • recruiting and onboarding new members • recruitment for the hosting of a girls competition • assemble a new team	• new job roles created • new team was successfully assembled
Working group and steering board development	2 / 12 (17%) used funding to develop working groups and / or steering boards	Activities related to working groups and steering boards included: • establishment of a pan-cluster group to encourage cluster collaboration • expansion of working groups within the cluster from 2 to 3 separate bodies • used the steering board to set activities and structure for next 12 months • refresh and extend the steering board • weekly steering committee calls	• greater engagement with cluster members • working group meetings are being delivered at a higher rate
Training / skills development	3 / 12 (25%) used funding to improve on training and skills development	Activities related to training and skills development included: • tutoring sessions for local collages • creation of a regional skills development strategy	• feedback from tutoring sessions has been positive, with lessons being learned for future implementation

1. DCMS (2021) Project Initiation Document (PID) - UK Cyber Cluster Collaboration ↩

2. A CIC is a special type of limited company which exists to benefit the community rather than private shareholders ↩

3. Note: UKC3 programme has now recruited a dedicated UKC3 Engagement and Operations Manager ↩

4. UKC3 Programme End of Year Report FY21/22 ↩

5. Information provided by UKC3 to RSM UK Consulting (December 2022) ↩

6. In February 2023, the parts of UK government responsible for cyber security policy moved to the new Department for Science, Innovation and Technology ↩

7. DCMS (2021) Project Initiation Document (PID) - UK Cyber Cluster Collaboration ↩

8. Note that case study interviews are not reported anonymously in this report, whereas consultations are reported anonymously. ↩

9. Cabinet office underspend from across the whole cyber programme ↩

10. Business case: UK Cyber Cluster collaboration pilot (6 November 2020) ↩

11. These include operating in line with the common operating framework and having a specific regional focus. ↩

12. The framework comprises principles, objectives and outcomes that are designed to guide how a cyber security cluster functions. Clusters must operate in line with the framework so that they can be recognised by UKC3 programme as a cluster. ↩

13. BRIM is the company contracted to deliver the CRCs in each UK region. ↩

14. UKC3 Cluster Recognition Assessment Criteria ↩

15. DCMS and TechUK developed Cyber Exchange to help map the UK cyber security sector. The platform helps organisations discover innovative cyber companies, supports investment and highlights key opportunities across the UK sector. ↩

16. Cluster reporting only captured the number of events held, not titles or further details. ↩

17. UKC3 (2021). UKC3 Half Year Report FY21/22. ↩

18. Trusted Partners are a group of certified partners the CRC recommend to provide additional cyber security services. ↩

19. UKC3 programme End of Year Report FY21/22. ↩

20. The European Cluster Excellence Initiative (ECEI) was initiated by the European Commission, DG Enterprise and Industry in 2009 to develop a European cluster benchmarking methodology that would improve cluster organisations’ management processes and the quality of services for their members. ↩

21. Specific, Measurable, Achievable, Realistic and Timebound ↩

22. A CIC is a special type of limited company which exists to benefit the community rather than private shareholders ↩

23. Note: UKC3 programme has now recruited a dedicated UKC3 Engagement and Operations Manager ↩

24. UKC3 Programme End of Year Report FY21/22 ↩

25. Information provided by UKC3 to RSM UK Consulting (December 2022) ↩

26. UKC3 programme Half Year Report FY21/22 (covers activity up to October 2021); the final report is not yet available. ↩