Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple successful digital transformation projects, looks at how G-Cloud 14 can help to secure day-to-day operations while delivering digital innovations
Recent turbulence in global trade and tariffs has grabbed headlines, column inches and social media focus in 2025. This has perhaps obscured important changes in public sector procurement and opportunities which are happening much closer to home.
New Procurement Act – Live
A new Procurement Act 2023 governing public procurement went live on 24 February 2025. This impacts both public sector buyers and the suppliers hoping to win their business. These changes followed closely after the launch of G-Cloud 14 in 2024, which included enhancements to facilitate easier procurement of cloud services and solutions.
The new Act aims to improve how public procurement is regulated, making it more open to new entrants, such as small businesses, social enterprises, and new providers. The goal is to facilitate greater transparency and scrutiny of how taxpayers’ money is spent throughout the whole commercial lifecycle. The changes and enhancements brought with G-Cloud 14 should also support this goal.
Find new solutions and suppliers
The Crown Commercial Service says G-Cloud 14 now provides access to over 46,000 services across various categories, including cloud hosting, software, and support. This latest version of the framework offers a wider variety of specialist cloud services targeted at meeting needs which are specific to different areas of the public sector. G-Cloud search facilities have been enhanced to help organisations find the best solution for their needs.
More information and greater transparency
The drive to go digital comes at a time when cyberattacks are increasing. G-Cloud 14 now shows data on how suppliers meet increasingly important security standards to protect organisations and supply chains from cyber threats. It is vital that procurement processes achieve increased scrutiny, including information on how potential suppliers prove their cyber security credentials and certifications.
Staying secure
Cyber Essentials is a government-backed scheme sponsored by NCSC and managed by IASME that provides a governance framework that is as straightforward to understand as it is to implement. Organisations answer a questionnaire, and if the answer to a question is No, it is a fail. The phrasing of the questions indicates the actions required to be able to say Yes. The question set provides practical cyber security advice to systems administrators and suppliers. Cyber Essentials Plus provides a technical audit of suppliers’ systems by a qualified assessor to give independent assurance of security controls. A current Cyber Essentials certificate may be a prerequisite for suppliers to be able to bid where handling sensitive or personal data is involved.
IASME maintains a list of CE certification bodies that provide basic audit services. These organisations can also offer cost-effective consulting services to help organisations implement any required changes to achieve their certification.
An orderly transition
Change may be necessary to improve technology, bring hardware and software platforms up to the latest versions and remove vulnerabilities. For example, moving systems to the cloud or adopting cloud-based Software as a Service (SaaS) can reduce risk.
Digital transformation and exploring the possibilities of AI are important, but for most organisations, this needs to be done in tandem with keeping existing processes and systems running 24 hours a day, 365 days a year.
Transformation can be challenging. Understanding your current situation and the evolutionary steps to get to your destination requires a robust and well-thought-through strategy with options when a particular step fails, but it takes time.
Transformation may be technically driven. Here, delivering a return on investment is difficult, though it may be justified by savings when migrating from legacy COTS (Commercial-off-the-Shelf) products to Open-Source technologies. Introducing new capabilities to support business change may drive value but needs careful modelling and planning.
Transformation strategies must have a clear vision of where the organisation wants to get to and when. The lowest-risk strategies typically involve running old and new systems in parallel for an extended period of time. Hence, a business case that relies on turning off old technology by a particular date has significant risk.
Legacy and innovation
The ideal scenario would be the ability to tap into people who understand both legacy systems and new technologies. It is often the case that skills in older technologies are those in the shortest supply. Keeping legacy technologies upgraded to the latest supported versions, with all security patches applied, is a key element of effective cyber security and will always need people who understand the current technology platform.
A key factor is whether the organisation owns the IPR of its current systems and plans to build a replacement system, whether it exploits third-party COTS applications and plans to migrate from one third-party solution to another, or is a combination of these factors.
Leveraging new G-Cloud applications may bring many benefits. Still, it is almost certain that there will need to be an overarching BPM (Business Process Management) strategy to enrich, transform, route and coordinate business processes across a family of applications, each delivering particular functions. You may also need to retain your existing IPR to supplement the processes for specific functionality.
Right people in the right place
To manage transformation, you will need architects and analysts to design the process flows that deliver the required changing capabilities.
Careful matching of cost modelling and definition of the unit of charge must be undertaken. For example, if a product is purchased based on a form of resource pricing, what constitutes a chargeable unit? If user pricing, what is a ‘user’? Does deploying a system into your infrastructure mean it must be licensed for every user in your Domain? Is it charged based on named users? On CPUs available, or on sub-capacity CPU licensing? When the machine is up, is there elastic pricing for the number of CPUs running at any one time, or on transactions? It’s a potential nightmare.
Care is needed regarding taking on and discarding applications, which are mass-market products that might change during the life of a contract. There might be implications for testing. They are delivered under G-Cloud contract terms, with a limited maximum life of a couple of years, and may not be offered on a subsequent G-Cloud iteration.
The new G-Cloud should not be viewed solely as a catalogue of ‘shiny new toys’ even as the government and media tend to focus on the promise of a wholly digital future in the cloud. Implementing point solutions alone is not an ideal way forward for overall success.
Realistic vision and strategy
An integrated vision owned, managed, and controlled by the buyer is needed. Systems must be supported and maintained so that security patches can be applied within 14 days with the associated staff costs.
You could rely on a G-Cloud provider to provide this support, but be aware of the SLAs and managing downtime. You can mitigate risk by investing in a 24/7 high-availability capability.
All is possible and manageable, provided you understand what you are buying. The flexibility to outsource to the cloud, return applications to your own data centre or work in a hybrid fashion, scale up and down, maintain cost controls or provide BC/DR are all important considerations.
Current systems and technologies need to be supported and upgraded to keep day-to-day operations running and protect from cyberattacks. Concurrently and in an orderly fashion, data and processes can be migrated to the cloud or new systems with enhanced functionality.
And just when you had it sorted, new regulation may trigger the need for further change.
The only constant is change, both to mitigate risk and exploit opportunity. Every organisation needs to employ the right people and create the right architecture to support business transformation.
Diegesis has expertise gained from numerous digital transformation projects, understanding how legacy systems function and how they can be evolved to embrace new technologies. We believe in the principles of ‘security by design,’ how systems work together and where vulnerabilities may exist. Our sister company, Policy Monitor, offers solutions that will ensure that people in your organisation remain aware of cyber threats and know what to do about them.
Visit https://diegesis.co.uk and https://policymonitor.co.uk for more information.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.