The gap between current digital capability and operational requirement in UK defence is a present risk, not a future one. Understanding the unique constraints — and what genuine progress looks like — matters for every organisation operating in this sector.
The UK defence sector faces a digitalisation challenge that is structurally unlike any other. The operational stakes are categorically different. The security requirements are non-negotiable. The legacy infrastructure is deeply embedded and frequently undocumented. And the consequences of getting the transition wrong are measured not in financial loss but in operational capability.
That context does not make digital modernisation optional. If anything, it makes it more urgent. As Deloitte's defence practice has noted, the gap between military capability built on legacy digital infrastructure and potential adversaries deploying AI-enabled systems is not a future risk — it is a present one. The question is not whether to modernise, but how to do so without creating the vulnerabilities that the modernisation is designed to close.
National Audit Office: Digital Transformation in Defence, 2024
The Ministry of Defence's own assessments acknowledge significant gaps between current digital capability and what operational requirements demand. The Defence Digital strategy identifies data as a strategic asset, AI as a critical capability enabler and cyber resilience as a foundational requirement. The implementation of that strategy is where ambition and reality diverge.
KPMG's analysis of public sector digital programmes identifies three consistent failure modes: underestimation of the complexity of legacy system dependencies; insufficient investment in the organisational change required to make new systems work; and procurement approaches that were designed for a different era of technology delivery. All three are acutely present in defence digital programmes.
Commercial AI and cloud platforms are not directly deployable in classified defence environments. Air-gapped networks, NCSC-aligned security architectures and the handling of SECRET and above material require bespoke engineering approaches that add significant complexity and cost to any digital programme. Organisations that attempt to adapt commercial solutions without this expertise consistently discover the gaps at the worst possible moment.
The National Cyber Security Centre's Cloud Security Guidance and the Secure by Design principles that underpin government technology policy both point in the same direction: security must be designed in from the start, not retrofitted. In defence environments, where the threat actors include nation-state adversaries with significant capability, the cost of getting this wrong is not recoverable.
Defence systems cannot simply be taken offline for replacement. Operational commitments, readiness requirements and the global deployment of platforms mean that modernisation must be achieved while the existing systems continue to function. This imposes a migration complexity on defence digital programmes that commercial technology transformations do not face.
The Strangler Fig pattern — incrementally replacing legacy components while maintaining operational continuity — is well established in enterprise technology architecture. Its application in classified defence environments requires additional design consideration, but the principle holds: successful digital modernisation in defence is evolutionary, not revolutionary.
"The question in defence digital is never whether to transform. It is how to transform without creating the window of vulnerability that the transformation is designed to close."
Digital modernisation changes how people work. In a defence context, this is not a peripheral concern — it is central to whether the capability delivered is actually used. McKinsey's research on large-scale transformation programmes consistently finds that organisations underestimate the people dimension of technology change. In defence, where ways of working are embedded in doctrine, training and professional identity, the change management challenge is correspondingly larger.
Kotter's eight-step change model provides a useful framework for the cultural dimension of defence digital transformation. Creating a sense of urgency in an environment where operational pace and hierarchical decision-making are features rather than bugs requires careful navigation. Building the guiding coalition across military and civilian lines, and generating short-term wins that are visible within security constraints, demands change leadership capability that is as important as technical capability.
McKinsey: Delivering Large-Scale IT Projects On Time, On Budget, and On Value, 2023
The skills required to build, maintain and evolve modern digital systems are in short supply across the economy and particularly acute in defence. Competition for cleared technical talent — engineers, data scientists, cyber specialists — is intense. The public sector pay scales that govern civil service employment make direct competition with the private sector for this talent extremely difficult.
The most effective approaches combine direct recruitment of cleared talent at market rates through specialised vehicles, investment in upskilling existing personnel, and structured use of specialist contractors who hold the required clearances and can work within the operational constraints. Hybrid models that embed contractor capability alongside civil servant teams — with explicit knowledge transfer requirements — build internal capability over time rather than creating permanent dependency.
The organisations making genuine progress on defence digital modernisation share a set of common characteristics. They treat security architecture as a first-order design constraint, not a compliance requirement to be addressed at the end. They invest in data infrastructure as the foundation on which all other digital capability depends. They apply structured change management to the organisational dimension of transformation, not just the technical one. And they take a pragmatic, incremental approach to replacing legacy systems — delivering operational value at each step rather than deferring all benefit to a single, high-risk cutover.
The Agile delivery methodologies that have transformed commercial software development require significant adaptation for classified defence environments, but the underlying principle — deliver value frequently, learn and adjust, reduce risk through iteration — is as valid in defence as anywhere. Programmes that adopt a genuinely iterative approach, with governance designed to enable rather than inhibit it, consistently outperform those that attempt to specify and deliver complete capability in a single cycle.
Cairn Novaris's Defence & Security practice brings SC and DV cleared practitioners with direct MOD programme experience. We work on capability programmes, digital modernisation and AI deployment in environments where the security requirements are non-negotiable.