theregister.com

UK must pay cyber pros more than its Prime Minister, top civil servant says

Senior officials in the UK's civil service understand that future cyber hires in Whitehall will need to be paid a salary higher than that of the Prime Minister if the government wants to get serious about fending off attacks.

The civil service's COO, Cat Little, told the UK's Public Accounts Committee (PAC) on Monday that the government knows its remuneration offers are too low to attract top cybersecurity talent – one of the main issues highlighted by a National Audit Office (NAO) report earlier this year.

That report was scathing about the government's lack of progress towards meeting the goal it set back in 2022 to become "substantially" resilient to common cyber attacks by 2025. Progress was partly inhibited by its recruitment policies, which offer much lower salaries than the private sector.

Responding to comments from the PAC pushing back against the idea of paying them so much, Little said: "I can assure you that will need to be the case in order to attract the very [best]... We have got to pay these people more.

"They are very, very scarce competitive skills in a very hot market, and if we're going to deliver on our ambitions, we need the leadership and the technical expertise there to do it."

The idea of a civil servant, however senior they may be, being paid more than the Prime Minister has historically been seen as unacceptable in the UK. A tumultuous row broke out within the Labour party's ranks after it was revealed in September 2024 that former chief of staff Sue Gray was being paid £170,000 a year – which was £3,000 more than UK prime minister Keir Starmer at the time. Gray resigned shortly after amid speculation she would be sacked.

But it seems this attitude will soon change as Whitehall slowly realizes that the money it spends on contractors could be better spent on a few well-placed, permanent CIOs and CISOs in key government departments.

Little alluded to the possibility of hiring a few senior cybersecurity officials and deploying them strategically across government for maximum impact.

She also highlighted the introduction of the digital-specific pay framework that was implemented in recent years after realizing that highly skilled cyber experts won't, in fact, join the civil service and be paid the same as, say, a press officer of similar seniority.

Contributing to the discussion, PAC member and member of parliament (MP) Rachel Gilmour noted that the fixation should not be on how much an individual is paid but more so on the potential cost savings of employing a highly skilled cyber practitioner.

Gilmour pointed to the British Library's ransomware attack in 2023 and how its reserves were significantly depleted due to recovery costs reportedly running into the millions. The implication here is that if the UK spent more on top-quality defense talent and less on expensive contractors, central government would reduce its risk of suffering a similarly costly attack.

Graeme Stewart, head of public sector at Check Point Software, told The Register that the public sector pay issues, and associated skills gap, are perennial ones that bring about various challenges and economic inefficiencies.

He said: "Take London as an example – there's intense demand for cybersecurity talent, and the skills shortage is acute. We've commented on this before: public sector organizations are often reluctant to invest in training their staff because, once trained, those individuals can hop on the Tube, travel a few stops, and get a job at a bank or private firm for double the salary.

"That kind of churn is a real issue. As a result, many public bodies rely heavily on contractors to fill the gap. But that comes with its own problems – contractors often cost significantly more on a day rate, and the constant turnover means a lack of continuity.

"People come and go, knowledge is lost, and consistency suffers. So, while the root problem is lower public sector pay, the knock-on effect is greater dependence on expensive contractors – ultimately costing the public sector more in the long run. It's a frustrating cycle that continues because salaries aren't keeping pace with the market, and it's undermining long-term cybersecurity resilience."

Sea of legacy

Legacy systems and how they weaken the public sector's cyber resilience were a prominent theme in January's NAO report. It highlighted how recent audits revealed hundreds of systems were classed as legacy, although the number was believed to be much higher.

Joanna Davinson, the government's interim chief digital officer, said current numbers, updated since the report's publication, indicate there are nearly 100 more legacy systems (319) than what was noted in the NAO report (228). That's around 28 percent of the government's entire IT estate.

Almost a quarter of these were red-rated by the GovAssure assessment criteria too. Launched in April 2023, GovAssure is the self-assessment tool used to understand the cybersecurity postures of government departments' critical systems.

Davinson added that there is a big difference between departments in terms of IT maturity and their exposure to legacy tech. Depending on the department, some reported that 10 percent of their estate comprised legacy systems while others reported exposure in the realm of 60 percent. Fifteen percent couldn't even tell the Government Security Group (GSG) what it was – their IT was not mature enough to understand their exposure.

PAC members appeared irritated that their questions about how many systems across government had not yet been assessed for whether they qualify as legacy were not met with straight answers.

Davinson explained this type of data isn't often collated centrally within departments, and Little jumped in to say that many of the issues here refer to arm's-length bodies – executive agencies like the DVLA, non-departmental public bodies like the Environment Agency, and non-ministerial departments like HMRC and Ofgem. Central government departments tend to have a much better understanding of things, she added.

Part of the issue also lies within the GovAssure system itself. Although the GSG reviews the data, GovAssure is a self-assessment tool, so the data supplied through the framework depends on each department's ability to understand its own exposure to legacy tech, and that ability is far from uniform.

Combine that with the government's approach to information sharing, which by its own admission (and Little's) is not good, and those arm's-length bodies have to pass their data two or three stages up a departmental chain, which is not always done effectively.

Altogether this leads to an incomplete picture of the state of legacy tech across government. Labour MP and PAC member Luke Charters said: "It's just really disappointing that you don't seem to have a grip on where the legacy systems are across the arm's-length bodies," a sentiment that Little acknowledged and shared earlier in the hearing.

Charters went on to point out that many arm's-length bodies are not inconsequential to the UK's overall national security. In addition to those already mentioned, the likes of the National Crime Agency, Crown Prosecution Service, and Nuclear Decommissioning Authority are all classified as such. It should be said that these were not singled out because they are known to be exposed to legacy tech; they were merely used as examples of important ALBs.

Davinson responded to Charters' question about improving the system by which this data is requisitioned by saying the GSG has worked with a number of organizations already, but not all ALBs. Thus far, those with the largest IT estates have been prioritized, she said, before Little explained why a greater understanding hasn't yet been achieved.

She said: "I just wanted to clarify it's not that we haven't worked with all arm's-length bodies, it's just the complex supply chain arrangements and the fact that you have got lots of different layers of accountability means it's just harder to get right down into the depth of understanding of systems – I was just explaining the challenges so we definitely have got lots of public bodies that we have worked with." ®
