September 23, 2025
Building Cyber and Digital Resilience – The four questions every public sector leader must answer.
Francesca Vallely
CRQ Advisory Manager

Cyber threats to the UK public sector are at an all-time high. In 2024 the NCSC reported that attacks on public sector organisations increased by 25% compared to the previous year. Earlier this year the National Audit Office (NAO) warned that Government cyber resilience isn’t keeping up with the evolving threat. Unsurprisingly, digital and cyber resilience across the public sector is now under unprecedented scrutiny, and the pressure to act has never been higher. Knowing where to start can feel overwhelming. The challenge isn’t just technical, it’s strategic. And with finite resources, leaders are confronted with difficult choices.

Cyber and digital resilience is not a destination but a continuous process of improvement. The public sector organisations that succeed will be those that treat cyber and digital resilience as a core business risk, review it alongside other strategic priorities and hold themselves accountable for progress. I’ve seen first-hand what happens when cyber is treated solely as the CISO’s responsibility. I believe the four questions presented below can help any organisation, no matter where they are on their journey.

1) How well do we understand our existing technology estate and know the impact of disruption on our core and citizen-facing services?

Cyber risk is more than just a technology problem. It is a critical business risk. It can stop essential services from reaching citizens. When disruption happens, vital operations can be delayed, personal and sensitive data might be exposed, and public trust can be lost.

When leaders treat cyber risk as a business issue, they can make more informed and effective investment decisions. They can focus on the services that are most important to the public. This approach embeds resilience into everyday operations and helps to minimise disruption in the event of an attack. The goal should be to protect what matters most: keeping citizens safe, ensuring services are available, and maintaining confidence in government.

2) What insights do we have about threat actors and their motivations?

Knowing who might target you and why is essential. It helps anticipate which attack types are most likely to disrupt your organisation.

Is the biggest threat a ransomware attack? A large data breach? A compromise from a third-party? Understanding this helps focus defences on controls and capabilities that will have the greatest impact and helps build a strong resilience plan.

You don’t need to defend against every single threat in the same way. Focusing on risks that will cause the most disruption to core and citizen-facing services is key.

3) How confident are we in our current level of preparedness to respond to cyber threats?

Being prepared is more than just meeting compliance requirements. It’s confidence that your people, processes and technology can detect, protect, and respond to incidents effectively.

Using frameworks like CAF, underpinned by other industry standards, gives you confidence that your compliance obligations are being met. However, they don’t necessarily tell you how prepared you are to respond to a real incident – like a ransomware attack. That’s why pairing your compliance activities with proactive risk management and scenario-based testing is so powerful: it exposes gaps in your defences and helps prioritise strengthening the areas where you are most vulnerable.

4) How confident are we that we’re investing in the right capabilities and establishing the right accountabilities?

This is where everything comes together – threat landscape, control posture and the potential service impact. Quantifying cyber risk by determining the percentage likelihood of each risk occurring and the impact of the resulting business disruption enables public sector leaders to measure possible financial and operational losses, and to compare cyber risks with other business risks on the same scale. Leaders are then empowered to make clear, defensible, data-driven investment decisions that best build resilience.
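As an added illustration (not CRI’s model or code from the author), the following Python ranks threat scenarios by annualised expected loss, likelihood times impact, and compares candidate controls by the loss they avoid against their cost, so that a cyber risk can be set beside a non-cyber one on the same financial scale. All scenario names, probabilities, impacts and control effects are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float  # probability of occurring within a year (0..1)
    impact_gbp: float  # loss if it occurs: recovery, service disruption, fines

    def expected_loss(self) -> float:
        """Annualised expected loss = likelihood x impact."""
        return self.likelihood * self.impact_gbp

@dataclass(frozen=True)
class Investment:
    """A candidate control and its assumed effect on each scenario (constructed)."""
    name: str
    cost_gbp: float
    likelihood_reduction: dict = field(default_factory=dict)  # scenario -> fraction removed
    impact_reduction: dict = field(default_factory=dict)      # scenario -> fraction removed

    def apply(self, s: Scenario) -> Scenario:
        """The scenario as it would stand with this control in place."""
        return Scenario(s.name,
                        s.likelihood * (1 - self.likelihood_reduction.get(s.name, 0.0)),
                        s.impact_gbp * (1 - self.impact_reduction.get(s.name, 0.0)))

def rank_scenarios(scenarios):
    """Highest expected loss first: where disruption to services costs most."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)

def risk_reduction(inv, scenarios) -> float:
    """Expected loss avoided per year across all scenarios with the control in place."""
    return sum(s.expected_loss() - inv.apply(s).expected_loss() for s in scenarios)

def return_on_control(inv, scenarios) -> float:
    """(avoided loss - cost) / cost; above 0 means the control pays for itself within a year."""
    return (risk_reduction(inv, scenarios) - inv.cost_gbp) / inv.cost_gbp

# Constructed figures; a real assessment would derive them from threat intelligence,
# control assessments (e.g. GovAssure returns) and service-impact analysis.
SCENARIOS = [
    Scenario("ransomware on citizen-facing portal", 0.20, 4_000_000),
    Scenario("large personal-data breach", 0.10, 2_500_000),
    Scenario("third-party supplier compromise", 0.15, 1_200_000),
    Scenario("flood at primary data centre (non-cyber)", 0.02, 6_000_000),
]
INVESTMENTS = [
    Investment("offline backups + restore exercises", 150_000,
               impact_reduction={"ransomware on citizen-facing portal": 0.6}),
    Investment("MFA + privileged access review", 80_000,
               likelihood_reduction={"ransomware on citizen-facing portal": 0.3,
                                     "large personal-data breach": 0.4,
                                     "third-party supplier compromise": 0.2}),
]
```

With these figures the ransomware scenario carries the largest expected loss, and the cheaper access-control investment avoids less loss in absolute terms but returns more per pound than the backup programme; changing the constructed inputs changes that ordering, which is the point of running the numbers rather than guessing.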

Having the right people accountable is just as vital. This goes from board oversight down to system owners. Building and keeping cyber and digital resilience must be everyone's job. Every pound spent is tied to protecting public services and reducing risk. This is how we build a resilient digital future.

How can we help you?

We’ve worked with hundreds of organisations to support them in a) understanding their current cyber risk exposure and compliance posture, and b) quantifying their cyber risks in financial and business terms. Part of that support utilises our own market-leading technology, Cyber Risk Insights (CRI).

CRI leverages detailed threat scenarios to model potential attacks, giving you a clear understanding of who might target your organisation, their techniques and their objectives. CRI can harness existing data, such as GovAssure returns and other control assessments, to accurately assess your current posture. By combining this with an analysis of the potential disruption to your core services, CRI provides a comprehensive view of exposure.

The result? Being equipped to make confident, data-driven decisions on where to invest and understanding what the impact of that investment will be – ensuring every action strengthens your cyber and digital resilience.


