The UK’s Devolution White Paper represents a significant milestone in the evolution of local governance. By transferring greater powers and funding to regions, devolution has the potential to rebalance the economy, drive local innovation, and improve public services in ways that reflect regional needs. However, while the policy direction is clear, ensuring that devolution delivers on its promise will require focus, leadership, and a commitment to making it work in practice. The opportunity ahead is vast. With both new Combined Strategic Authorities (CSAs) and new Unitary Authorities (UAs) set to emerge, the challenge is not just about establishing new structures but about delivering real outcomes for people, businesses, and communities. To do this, leaders must prioritise three key areas: getting early decisions right, establishing strong partnerships, and moving beyond governance to delivery. The First 100 Days: Setting a Clear Direction For newly devolved regions, the early months are crucial. The way new Combined Authorities and Unitary Authorities establish themselves will determine their credibility and effectiveness in the years to come. Experience from existing devolution settlements suggests that success depends on: A strong, unified vision that aligns political, business, and community interests. Early investment in strategic priorities such as transport, skills, and business support. Clear governance and decision-making structures that enable action rather than bureaucracy. For new Combined Strategic Authorities, which will bring together multiple local councils under a regional governance model, the key challenge will be to establish strong relationships between constituent authorities and ensure that devolution delivers meaningful economic and social benefits. These authorities must act as catalysts for regional growth, shaping investment strategies and infrastructure development. Meanwhile, new Unitary Authorities, which will replace existing two-tier local government structures in some areas, face a different challenge: ensuring a smooth transition from district and county councils while maintaining service delivery. Early decisions on financial sustainability, workforce integration, and community engagement will be critical to their success. When these new authorities get these fundamentals right, they build public confidence, attract investment, and demonstrate the real benefits of devolution. The alternative—slow decision-making, fragmented priorities, or uncertainty—risks undermining the potential benefits before they can be realised. Beyond Structures: Delivering Growth and Public Value For devolution to succeed, it must be measured not by the governance arrangements it creates but by the impact it delivers. At its best, devolution can: Support economic rebalancing – allowing regions to shape their own growth strategies and attract investment tailored to local strengths. Improve public services – integrating health, transport, and housing policies in ways that work for local communities. Drive innovation and sustainability – empowering regions to lead on green growth, digital transformation, and new models of service delivery. However, turning these ambitions into reality requires expertise, collaboration, and a focus on delivery. It is essential to recognise that devolution is not a one-size-fits-all solution. Challenges and Pitfalls to Avoid Devolution must be tailored to local needs rather than driven by central government’s preferred model. As Councillor John Merry, Chair of Key Cities and Deputy Mayor of Salford, has noted, the government’s current approach to devolution, which often emphasises large unitary authorities as a prerequisite for greater powers, does not suit all areas. While a move towards larger authorities may improve efficiency in some regions, it risks overlooking the distinct economic and social needs of smaller urban areas. Local leaders must be actively involved in shaping devolution settlements to ensure they work in practice, not just on paper. Similarly, the County Councils Network (CCN) has warned that while local government reorganisation may be necessary in some areas to unlock more ambitious devolution deals, it must be evidence-based. They have raised concerns that breaking up county councils into smaller unitary authorities could create structures that lack the scale to drive economic growth or deliver major infrastructure projects effectively. This highlights the need for carefully considered and locally led approaches to reform.  Another critical risk is funding uncertainty. Many local leaders have welcomed devolution in principle but remain concerned that new authorities will be given responsibility without the long-term financial certainty needed to deliver real change. Without multi-year funding settlements and greater fiscal autonomy, there is a danger that new authorities will find themselves constrained by short-term financial pressures rather than empowered to drive transformation. The National Opportunity While much of the focus has been on how local areas can use devolution to their advantage, the opportunity is equally significant for the UK as a whole. A successful devolution agenda would mean: A stronger, more balanced economy where growth is not concentrated in London and the South East but driven by thriving regional economies. A more responsive state, with policies shaped closer to the people and businesses they affect. Greater trust in government, as local leaders demonstrate the ability to deliver tangible improvements. The next phase of devolution must be a shared national effort—where central government, regional leaders, businesses, and communities work together to ensure that this is not just a shift in structures but a real shift in power, funding, and impact. The UK stands at a crossroads. If devolution is done well, it has the potential to unlock one of the most significant economic and social transformations in a generation. The question is whether we will seize this opportunity or allow it to become another layer of bureaucracy. The choice, and the challenge, lies ahead.

Cambridge MC engaged with a historic and world-famous university to support the reinvigoration of their Human Resource functions. Specifically, we were asked to improve HR service delivery, and establish the first steps towards change readiness preparation to support the HR function during a college-wide Enterprise Resource Planning (ERP) Project. To achieve these outcomes, we conducted a 3-dimensional process review model to assess their current HR operations. Within this, we evaluated and understood the university's HR department through multiple data streams, using the information collected to identify current quick wins and present recommendations going forward. Strategy Cambridge MC used a unique ‘3-dimensional process view model’ to evaluate the efficacy of the processes, people, and systems that formed the HR department at the outset of the project. These three dimensions include: A Maturity Assessment and identification of any Quick Wins to restore. confidence in HR delivery. A Process Map Review against future Employee Life Cycle, using our own ‘Employee Life Cycle Model’, and 40k Service Tickets to improve automation and efficiency. The development of an implementation plan and blueprint for the successful roll-out of HR ERP. Data Streams & Findings The HR Maturity Assessment highlighted strong management support experienced by participants, as well as a solid understanding of HR strategy and of overall University strategy. The HR Process & Programmes Review uncovered that 196 processes in Nimbus (an end-to-end patented cloud WorkForce Optimisation application) are not linked to the HR Sub Functions; the current SLAs are based on historical volume and thus are not fit for an SSO environment; and current expertise in the Hub is not sufficient to deal with the volume of service tickets. Five quick wins were identified as follows: Recruitment Fixed Term Contracts Review Current SLAs Re-Routing Payroll and Pension Queries One single mailbox for sending Service Tickets In the detailing phase, we implemented the aforementioned agreed quick wins, the blueprint for HR ERP, assured the build readiness of the HR team, and built the HR SSO to accommodate HR ERP. Finally, in the communications stage, we developed a Communications Grid for HR Maturity assessment, established Cambridge MC presence in the process, and implemented . Outcomes & Results  1. Cost Savings We identified quick wins that led to an annual saving of £500k, by tightening the relation and process flow between HR and payroll. 2. Systems Optimisation We analysed the efficacy of HR Service Tickets solutions delivery and recommended different workflows for the 1.8k tickets received per month. 3. Forward Planning Our ‘Employee Life Cycle Model’ was instrumental in analysing the gap between current and future HR process and systems needed in an ERP environment.

Introduction The National Counterintelligence & Security Center (NCSC) suggests that universities are particularly vulnerable to cyber crime because they are key contributors to the economy, skills development, and innovation. Cambridge MC was approached to conduct a comprehensive cyber capability maturity assessment for a major UK academic institution, leveraging a team of experts with technical understanding and frontline experience in cyber defence. This team carried out a thorough evaluation through a series of tests, interviews, and artefact examinations. Unlike conventional assessments, our strategy focused on actionable insights which were tailored to the unique operational context of the institution. The assessment was structured around recognised capability categories, informed by the team’s extensive experience defending against cyber attacks. The methodology was particularly effective for its sensitivity to the institution’s risk appetite—balancing cost, risk, and investment to propose solutions that were unique to their situation. Project Overview The primary challenge was the institution’s realisation that its existing cyber hygiene practices and IT discipline might not be sufficiently robust to withstand increasingly advanced tactics employed by cybercriminals and their growing interest in the education sector. The institution sought out Cambridge MC to identify these vulnerabilities, assess the overall maturity of its cybersecurity practices, and recommend strategic improvements. This meant not only highlighting technical deficiencies, but also providing a holistic evaluation of the institution’s security posture, considering the practical realities of defending against threats. This included an assessment of the institution’s risk readiness, infrastructure resilience and staff preparedness. Cambridge MC’s goal was to ensure that the recommendations produced as a result of this assessment were not only technically sound but contextually appropriate and aligned with the institution’s strategic objectives and resources constraints. This personalised approach was crucial in designing a cyber security strategy that was both achievable and sustainable. Strategy What we did Our approach involved a thorough assessment of the institution’s cyber infrastructure, including tests, interviews, and the examination of artefacts to gain a holistic understanding of their cyber maturity. To do this, we engaged experts with significant technical depth and extensive experience in cyber defence and leadership roles; a blend which was crucial in conducting a maturity assessment that focused on pragmatic gap closures. Why we did it this way Our methodology was designed to move beyond mere technical details and address the practical aspects of cyber security. By organising our work into recognised capability categories, we targeted areas that, if weak, would likely lead to vulnerability and a high risk of attack. This approach allowed us to pinpoint critical gaps in the institution’s cyber security practices and propose target improvements. Concepts and methodologies applied We applied a risk-based approach, sensitive to the institution’s risk appetite, to make practical trade-offs between cost, risk, and investment. This ensured that our recommendations were contextually appropriate and aligned with the institution’s strategic objectives. Our assessment framework was grounded in industry-best practices and standards, tailored to the unique needs and challenges of the academic sector. Obstacles encountered and overcoming them One of the main obstacles we encountered was resistance to change, a common challenge for institutions with established routines and cultures. To overcome this, we emphasised the importance of cyber hygiene and IT discipline through clear, evidence-based findings and recommendations. We conducted workshops and discussions to engage stakeholders at all levels, highlighting the tangible benefits of enhancing their cyber security posture and demonstrating how our recommendations could be implemented in a manageable manner. The Team The Cambridge MC cyber security team tasked with supporting on this project was comprised of: A technically adept practitioner specialising in vulnerability testing, equipped with cutting-edge knowledge of tools and techniques for identifying weaknesses in the institution’s cyber defences. This role was crucial for uncovering hidden vulnerabilities that could be exploited by attackers, providing a technical foundation for the assessment. Back-office risk experts with a deep understanding of the broader risk landscape and risk management principles, ensuring that the assessment considered not just technical vulnerabilities but also organisational and procedural risks, aligning the cyber security strategy with the institution’s overall risk appetite. A security leader with 30 years of experience building and running security services, who offered strategic oversight and practical insight into effective cyber defence mechanisms and was vital in ensuring the recommendations were not only theoretically sound but also pragmatically achievable. Together, these professionals ensured a comprehensive, nuanced, and highly practical assessment, underlining the importance of a balanced team in addressing complex cyber security challenges. Outcome & Results Optimised Cyber Resilience We recommended and outlined a robust workflow and identity management system across all of the institution’s systems, emphasising the need for multi-stakeholder cooperation. This highlighted the challenge of managing over tens of thousands of accounts for a community of many fewer staff and students. Longevity We made clear, actionable recommendations describing implementation plans for changes, such as improving the security culture and some operational deliverables associated with SOC efficacy, all of which were agreed upon by the leadership team who assured us that these changes would be in place at this institution for the next three years. Staff Readiness We enhanced the security awareness and training of the staff, postgraduate researchers, and students, including specialised training for the Information Security team. We also made recommendations for improving security posture, such as the adoption of Cloud Access Security Broker (CASB) and Data Leakage Prevention (DLP) solutions, and the development of a quantitative risk forecasting methodology. Forward Planning We also made suggestions for future improvements, including SOC operational activities, creating new initiatives targeting cyber kill chain strategy areas, and planning disaster recovery tests for ICT systems.

"Is it Snowing in Space?!" “Is it snowing in space?!” Asks a disgruntled Bill Murray in the film Groundhog Day when he is told that he cannot call out from the snowbound town of Punxsutawney, Pennsylvania. If there is a remake, Bill might not have to worry: signal dead zones may soon be a thing of the past due to recent advancements in satellite technology. Whereas the old picture of satellite communications was a scientist in the wilderness with a big clunky antenna, these days the technological payload is all in space. Recent advancements such as Low Earth Orbit (LEO) satellites, advanced beamforming, and the use of mobile spectrum bands means that any phone supporting 4G LTE can potentially receive satellite data directly. This integration of satellite and terrestrial networks is set to reshape the mobile industry, creating both opportunities and challenges for traditional mobile network operators (MNOs) and mobile virtual network operators (MVNOs). In this article we give an overview of the technological advancements, the major players in the market, and then consider the effects this will have on traditional wholesale mobile market structures; concluding with the emerging opportunities for new revenue and growth. The Evolution of Satellite Connectivity Historically, satellite communications operated independently from terrestrial networks, serving specialised markets with limited scalability and high entry barriers. However, recent advancements, particularly in Low Earth Orbit (LEO) satellite technology, have dramatically altered this scenario. The most well-known example is obviously SpaceX, which has played a pivotal role in democratising space: reducing barriers to entry and making satellite connectivity more scalable, performant, and accessible. SpaceX and other companies have found innovative ways to dramatically reduce costs. Since Sputnik 1 in 1957, launching payloads into space has been prohibitively expensive, with costs exceeding $100,000 per kilogram in the 1960s and averaging $16,000/kg for heavy payloads from 1970 to 2010. SpaceX’s innovations have brought these costs down through reusable rockets, vertical integration, economies of scale, and advancements in materials and manufacturing processes: leading to price points as low as $100 per kilogram in recent years. However, cost is just one of the barriers. The real gambit has been provided by Low Earth Orbit (LEO) satellites, which typically orbit at altitudes ranging from approximately 160 to 2,000 km and offer low-latency, high-speed connectivity — making them ideal for real-time applications and direct-to-device communications. The latest generation of technologies now enable LTE mobile phones to connect directly to satellites without specialised hardware, marking a significant milestone in mobile communications. The Major Satellite-to-Cell Players While SpaceX's Starlink has garnered the most attention, several other major companies are actively developing satellite-to-cell technologies and forming strategic partnerships with terrestrial mobile operators. As of April 2024, Starlink had established 15 partnerships with mobile carriers globally — including T-Mobile in the US. T-Mobile has structured its beta program to begin with text messaging capabilities, gradually expanding to include picture messages, data connectivity, and eventually voice calls. As of February 2025, it is reported that 7,086 Starlink satellites are in orbit, with 7,052 being operational. AST SpaceMobile has emerged as a significant innovator, achieving a historic milestone in April 2023 with the first-ever two-way voice call directly with an unmodified smartphone, via their BlueWalker 3 satellite. AST SpaceMobile launched its first five commercial satellites, the BlueBird 1-5 mission, on September 12, 2024, aboard a SpaceX Falcon 9 rocket. Lynk Global represents another significant player. In a recent expense report, it revealed that each satellite costs around $400,000 to build and up to $815,000 to launch into space. They hope to have up to 1000 satellites (for full continuous broadband coverage) in orbit by 2025 and 32 mobile network operator (MNO) partnerships by the end of 2025. The company has successfully demonstrated text messaging capabilities from satellites to standard cellular devices and continues to expand its constellation and service offerings. Huawei has partnered with China Telecom to demonstrate satellite-to-phone messaging capabilities, while Apple has worked with Globalstar to implement emergency satellite messaging features in recent iPhone models. Implications for Traditional Wholesale Mobile Market Structures Traditionally, the wholesale mobile market has been structured around MNOs, MVNOs, and wholesale aggregators. Revenue streams have typically included MVNO wholesale pricing, and IoT and machine-to-machine (M2M) solutions. However, the rise of satellite-to-cell technology poses potential threats to this established model. Disintermediation of MNOs and MVNOs Satellite-to-cell connectivity introduces the potential for disintermediation, where control traditionally held by MNOs could become fragmented across multiple parties in the value chain. As satellite providers increasingly offer direct-to-device services, traditional operators risk losing their central role in network management and customer relationships. Pricing Pressure on Wholesale Markets The increased availability and competition from satellite connectivity providers could exert downward pressure on wholesale pricing. As satellite services become more affordable and accessible, traditional wholesale providers may face challenges in maintaining their pricing structures and profitability. Competitive Pressure in IoT and Enterprise Applications Satellite connectivity is particularly well-suited for IoT and enterprise applications, especially in remote or challenging environments. As satellite-to-cell technology matures, traditional wholesale providers may face intensified competition in these segments, necessitating strategic adjustments to remain competitive. Emerging Opportunities in Satellite-to-Cell Connectivity Despite these challenges, the integration of satellite connectivity into mobile networks also presents substantial opportunities for innovation and growth. Forward-thinking operators can leverage satellite-to-cell technology to develop new business models and revenue streams. Hybrid Terrestrial-Satellite Subscription Models Providing Ubiquitous Connectivity Operators can offer hybrid subscription plans that seamlessly integrate terrestrial and satellite connectivity. Such models provide customers with uninterrupted coverage, enhancing user experience and creating differentiated service offerings. Wholesale Satellite Resale for MVNOs Satellite-to-cell technology opens new avenues for MVNOs to expand their service portfolios. By reselling satellite connectivity, MVNOs can offer enhanced coverage and reliability, particularly in underserved or remote regions, thereby attracting new customer segments. IoT and Enterprise-Focused Applications Satellite connectivity is a natural fit for IoT and enterprise applications, such as remote monitoring, asset tracking, and industrial automation. Mobile operators can forge strategic partnerships with satellite providers to deliver specialised solutions for these markets, tapping into new revenue opportunities. Emergency-Only and Disaster Recovery Plans Satellite-to-cell technology can play a crucial role in emergency and disaster recovery scenarios, providing a reliable backup to terrestrial networks when they are unavailable or overwhelmed. Operators can develop emergency-only plans that leverage satellite connectivity to ensure critical communications during crises. Conclusion Satellite-to-cell technology represents a convergence of space and terrestrial communications systems that promises to fundamentally alter global connectivity markets and players. The dramatic reduction in launch costs by a factor of 20 has enabled the deployment of massive satellite constellations that were previously economically unfeasible. The competitive landscape continues to evolve rapidly, with SpaceX, AST SpaceMobile, and Lynk, and traditional telecommunications companies all pursuing various technological approaches and business models. Commercial text messaging services are already becoming available through beta programs, with video calling capabilities demonstrated and voice calls progressing toward wider availability. The integration of 5G standards with satellite networks continues to advance through collaborative industry initiatives, with projections of a $50 billion market by 2032. As this technology continues to mature throughout 2025 and beyond, it promises to eliminate mobile dead zones and create new application possibilities that were previously unimaginable. The future of mobile communications is undoubtably hybrid: blending terrestrial and non-terrestrial networks into seamless connectivity solutions that follow users wherever they go. This has wide reaching implications for connectivity in remote and isolated regions, and offers perhaps the fastest and most cost-efficient route to bridging the digital divide. It will also transform how we respond in disaster zones and hazardous areas — increasing the ability to protect and save lives with faster and safer humanitarian and emergency services.

What Problem do Too Many SaaS Providers Have in Common? Many SaaS security providers have a history of treating important safety and security features as something to upsell. This raises the important question of whether a software vendor has a moral responsibility for the secure operation of their solution. In this article, we explore the implications of treating important security and safety features as an upsell, using Boeing as a test case of where this can go wrong. The Case of Boeing and the Aviation Industry The case against Boeing is emblematic of a more systemic issue across the aviation industry, and many other industries. The public became aware of this issue under tragic circumstances when the Lion Air and Ethiopian Air Boeing 737 Max airliners crashed in 2018 and 2019 respectively. According to the widely quoted New York Times article , the crash could have been avoided if the pilots had access to two safety features that were sold by Boeing as optional extras. According to the incident reports, at the root of the incident were the angle-of-attack sensors. These mechanical sensors operate in a similar fashion to a weathervane to measure whether the aircraft’s nose is pointing above or below the direction of airflow. Being mechanical, they may be prone to malfunction, perhaps jamming after having been installed incorrectly — as was believed to be the case for the Lion Air aircraft . The system that led to the aircraft’s demise, which identifies the risk of the aircraft stalling, only listened to one of the sensors. A difference in the signal being sent by the two sensors was not recognised by the anti-stall system; and the instruments that would have alerted the pilots to the conflicting signals were upsell items. This wasn’t a fancy, nice-to-have bell or whistle that makes the flight more comfortable, efficient, or profitable. It is an underlying safety feature of the aircraft. If there was no safety requirement for the redundancy of two sensors, it is difficult to see why there would ever be more than one. Boeing has now addressed the issue, and the anti-stall system listens to both sensors, responding safely in the event of conflicting signals. It should also be noted that the investigation identified pilot error and deficiencies in the training that contributed to the disasters (and this will be relevant to our points regarding many SaaS product decisions as well). The SaaS Parallels Cloud-delivered Software as a Service (SaaS) has revolutionised the tech industry, and catalysed a phenomenal level of innovation and growth. It has enabled new software capabilities to be brought to market faster than ever before, and facilitated the ability to reach a scale with costs defrayed across multiple customers that would have been unimaginable 30 years ago. However, the benefits of being able to access a service from anywhere, at any time, by anyone also presents significant risks. The ‘anyone’ can be a malicious party operating outside of the reach of law enforcement or extradition. As a result, there are clear commercial responsibilities placed on SaaS providers to secure their infrastructure from attack, and those that do not are unlikely to last long in the marketplace. But just like the aviation industry, there are different flavours of security, and different perceptions of what is considered essential. Taking due care and applying due diligence to ensure that the platform itself is adequately secured from a direct attack is clearly the vendor’s responsibility – but what about those elements of security that relate to risk owned by their customers? One key element of customer risk relates to the security of a user’s password. It is their responsibility to make sure they choose a long and random string drawn from upper case, lower case, numerical, and special characters (if allowed). It is also their responsibility to ensure that they do not ever use the same password for multiple applications or services. But, we know that compromised credentials is a common failure mode. Just because it is the user’s responsibility to mitigate this risk, this doesn’t mean that system developers do not also have some mutual responsibility to make it easier for the user to exercise that responsibility; controls have been developed specifically for that purpose. The most obvious ones are Multi Factor Authentication (MFA, or 2FA), and Single Sign On (SSO). With MFA, we improve the security of the credentials by also verifying that the user is in possession of their trusted device before we trust them at sign in. With SSO, we minimise the number of credentials and accounts to manage by federating with a single corporate account; we can then concentrate our effort to secure that corporate account rather than spreading our resources thinly. Both are relatively easily implemented these days, particularly in the case of SSO where the OAuth protocols are widely offered by Identity Providers. Once implemented, both are essentially free to operate, particularly if MFA uses an Authenticator app rather than SMS text messages. SaaS providers recognise that this security is important, and they will frequently implement MFA and SSO controls into their applications to meet that customer demand. But, too frequently, we see them only offered as part of the more expensive subscription options. This element of security is not enhancing the vendor’s core proposition; it is not making their offering more functional, better looking, or more efficient for their users. It is just making it more secure, and therefore to treat it as an item to upsell comes across as price-gouging rather than the responsible application of good security practice. It is almost as though these vendors have run out of innovative bells and whistles that their clients would value in their core product, so they have had to resort to undermining the security of their cheaper options in order to encourage their customers to pay for their more expensive ones. It is equivalent to a bank only using the CSC code on a card to secure transactions for customers who pay for their premium banking services, because, after all, it is the customer’s responsibility to protect their card details. Conclusion What we have described here is not universal, and probably is not even representative of the majority of SaaS providers. But, when you are reviewing a new service, we urge you to take a closer look at what security your provider is charging extra for. If low cost, high value security controls are being upsold, then you may want to consider what other security good practices are not being considered essential. For more information about our cyber security consulting services and Secure by Design principles in action, please contact Tom Burton, Partner for Cyber Security, using the form below.

As the UK's ageing copper landline network becomes increasingly unstable, Cambridge Management Consulting reports that BT is urging Critical National Infrastructure (CNI) providers to expedite their transition from analogue to digital voice. With the Public Switched Telephone Network (PSTN) nearing the end of its life, organisations face significant risks if they delay planning and execution for this essential upgrade. Recent data indicates that 60% of CNI providers in the UK still lack a strategic plan to migrate from the legacy analogue network. This statistic underscores an urgent need for action to safeguard essential public services, such as healthcare, water, energy, emergency services, and government operations. The transition is not merely a technological upgrade; it is a once-in-a-generation programme to future-proof communications and improve service reliability. The PSTN, our communications backbone for over a century, is becoming increasingly prone to faults and difficult to maintain, with recent reports showing a 45% increase in significant resilience incidents. The impact of this transition is wide-reaching, affecting critical systems such as telemetry monitoring sensors, emergency phone lines, telecare alarms in hospitals and care homes, CCTV, intruder and fire alarms and older EPOS machines.  As the below graphic shows, a broad spectrum of devices and services will be affected by the analogue switch off, including ISDN, ASDL and Fibre to the Cabinet (FTTC) broadband services. The majority of organisations are almost certainly in the dark when it comes to common knowledge of all of the devices affected, lacking the internal expertise and records to identify and audit complex, interrelated legacy systems.