Cyber Risk Management: An Overview for Government Suppliers

Most organisations that deliver into the public sector are not casual about cyber security. They have policies, training, risk registers, supplier questionnaires, access controls and board-level conversations. The problem is rarely a complete lack of intent. The problem is that intent does not carry much weight when a service is disrupted, sensitive information is exposed, or a contract review asks for evidence that controls are working as described. At that point, the question is not whether the organisation cared about cyber risk. The question is whether it understood the risk clearly enough to manage it.

Public sector work brings a different kind of scrutiny because the consequences are different. A weak control in a commercial setting may create downtime or reputational damage. In a government, defence or regulated environment, the same weakness can affect public services, operational delivery, citizen data, programme confidence, contractual compliance or national security interests. Good faith is not assurance. Cyber risk management has to be structured, repeatable and evidenced enough to stand up when someone asks, “How do you know?”

Why public sector risk is different

Public sector cyber risk is often discussed in technical language, but the real issue is service impact. Government organisations and their suppliers do not just hold systems; they support functions that people rely on. Those functions may be visible, such as public-facing digital services, or they may sit deep inside defence, infrastructure, health, justice, local government or supply chain operations. Either way, the cyber risk is not limited to the compromise of a device or a network. It extends to the loss of confidence in the service, the interruption of delivery, and the inability to recover quickly enough when something goes wrong.

This is why a generic view of cyber risk falls short. A risk register that says “ransomware” or “data breach” may be technically accurate, but it does not explain what would actually happen if that risk materialised. Would a programme miss a milestone? Would sensitive information be unavailable or incorrectly shared? Would teams revert to manual workarounds? Would a supplier lose access to the environment it needs to deliver? Mature risk management connects the cyber scenario to the operational consequence, then uses that understanding to decide what should be protected, monitored, tested and assured first.

Start with what matters, not what is easiest to document

The practical starting point is not a control framework. It is a clear view of what matters. That means identifying the services, systems, data, people, suppliers and dependencies needed to deliver the organisation’s public sector obligations. This sounds obvious, but it is where many risk management efforts become thin. Asset lists exist, but they are incomplete. Supplier dependencies are known by individuals, but not formally captured. Legacy systems are tolerated because they have always been there. Information flows are assumed rather than mapped.

Good risk profiling looks wider than the core IT estate. It should include cloud services, managed service arrangements, identity platforms, collaboration environments, endpoints, privileged accounts, physical sites, operational technology where relevant, and the third parties that store, process or support sensitive information. It should also include the less glamorous dependencies that matter during an incident: backup arrangements, administrator access, support contracts, recovery procedures, out-of-hours escalation routes and the people who know how the service really works.

Frameworks help, but they do not do the work for you

Frameworks are useful because they create structure and a shared language. The NCSC Cyber Assessment Framework (CAF) is particularly relevant because it focuses on outcomes: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents. That makes it a practical reference point for organisations that need to demonstrate resilience, not just list the controls they have purchased. ISO 27001, NIST and sector-specific requirements may also have a role, depending on the contract, environment and assurance route.

The mistake is treating the framework as the work. A framework can tell you what good should look like. It cannot tell you whether a supplier dependency is misunderstood, whether a privileged account is overused, whether a recovery plan has been tested under pressure, or whether a project team is quietly bypassing the agreed process because the official route is too slow. The value of a framework is that it forces a better conversation, but someone still has to investigate, challenge assumptions and gather evidence.

Risk ownership has to be real

Cyber risk is often owned in theory by the organisation but in practice by a small security or IT team. That is a weak model for public sector delivery because the decisions that create risk are rarely made by security alone. Commercial teams choose suppliers. Delivery teams shape deadlines. Programme teams decide whether to accept workarounds. Senior leaders approve investment or defer it. Users handle information every day. If risk ownership is vague, responsibility moves around until it eventually lands with whoever is closest to the incident.

A stronger model makes ownership explicit. Security teams should guide, assess and challenge, but operational leaders need to own the risks attached to the services they deliver. That includes accepting risk consciously, not by neglect. It also means understanding the difference between a tolerable risk and an unmanaged one. Constraints are real, but decisions should still be recorded, reviewed and supported by controls that are proportionate to the actual exposure.

Prioritise by consequence, not noise

Most organisations have more risks than they can realistically address at once. The danger is prioritising based on what is easiest to fix, what has the highest technical severity score, or what has recently made the most noise internally. Technical severity matters, but it is not the whole picture. In a public sector context, a moderate vulnerability in a system supporting a critical process may deserve more attention than a high-severity issue in an isolated, low-value environment. A control weakness affecting OFFICIAL-SENSITIVE handling may carry different consequences from the same weakness in a low-sensitivity internal system.

Prioritisation should be based on business impact, service criticality, threat exposure and the confidence level around existing controls. If a control is well designed, monitored and tested, the residual risk may be understood. If the control exists only as a policy statement, confidence should be lower. It is better to know that a control has not yet been proven than to assume it works because a document says it should.

Assurance closes the gap between policy and reality

Assurance is where good intentions either hold up or collapse. A policy may say that access is reviewed regularly. Assurance asks whether the reviews happen, whether the right people are included, whether inappropriate access is removed, and whether there is evidence. A recovery plan may say that systems can be restored within a target time. Assurance asks when that was last tested, what failed, what changed afterwards, and whether the same plan would still work after supplier, platform or staffing changes.

This is why assurance should not be left until the end of a project or the eve of a contract review. When it is treated as a late-stage exercise, it often becomes a scramble to assemble evidence after decisions have already been made. Built in earlier, assurance helps teams identify gaps while there is still time to correct them. It gives senior leaders a clearer view of residual risk and gives customers, procurement teams and partners more confidence that the organisation is not simply relying on written commitments.

Supply chain risk is now part of the centre ground

Public sector delivery depends on suppliers, subcontractors, managed services, cloud providers, software platforms and specialist consultants. That makes supply chain risk one of the central issues in cyber risk management. It is no longer enough for an organisation to say that its own internal systems are well controlled if critical work is being performed by third parties whose access, resilience and security practices are poorly understood. A supplier can become the route into sensitive information or the single point of failure for an essential service.

Good supply chain risk management is not solved by sending every supplier the same long questionnaire. It requires tiering suppliers by criticality, understanding what data and access they have, setting proportionate contractual expectations, and maintaining evidence that those expectations are being met. For higher-risk suppliers, that may include independent assurance, incident reporting expectations, continuity planning, privileged access controls and regular review. The direction of travel is clear: public sector organisations and strategic suppliers are being asked to understand aggregate risk across the services and supply chains they rely on.

Risk management has to keep moving

A risk picture that was accurate six months ago may be misleading today. Public sector organisations change through new contracts, new suppliers, new platforms, restructures, policy changes, staffing changes and new ways of sharing information. A supplier that was low risk at onboarding may become critical over time. A temporary workaround may become normal practice. A control that worked when the service was simple may fail when the service grows.

Continuous risk management does not need to mean constant bureaucracy. It means setting sensible review points and using real triggers. Significant system changes, new data flows, new suppliers, new contract requirements, assurance findings, incidents, near misses and changes to classification or handling requirements should all prompt a fresh look. The best organisations do not wait for an annual review to discover that their assumptions are stale. They treat risk management as part of delivery, not a parallel activity carried out by a different team in a different language.

What good looks like

Good public sector cyber risk management is visible in the way decisions are made. Security is involved early enough to shape delivery, not so late that it can only object. Risk registers are not graveyards for unresolved issues; they are used to prioritise work and inform senior decisions. Suppliers are assessed according to the role they play, not processed through a generic form and forgotten. Controls are linked to actual risks, and the organisation can produce evidence that they operate in practice. Assurance findings lead to action, not just acceptance of another report.

There is also a cultural element. Mature organisations are more willing to admit uncertainty. They do not pretend every control is effective until an assessor proves otherwise. They know where confidence is strong and where it is thin. That honesty makes them easier to improve and easier to trust. In public sector delivery, the organisations that manage cyber risk well are not necessarily the ones with the most polished policy library. They are the ones that can explain their exposure clearly, show how it is being managed, and demonstrate that they keep testing the gap between what they believe and what is true.

Better decisions

Cyber risk management in the public sector is not a documentation exercise. It is a way of making better decisions about services, systems, suppliers and information that matter. Frameworks such as the CAF provide a valuable structure, but the real test is execution: whether risks are understood in context, whether ownership is clear, whether controls are proportionate, and whether assurance can prove they work.

Good intentions are a start. They show that the organisation recognises the importance of cyber security and wants to do the right thing. But public sector customers, regulators, procurement teams and delivery partners need more than intent. They need confidence. That confidence comes from evidence, repeatability and honest scrutiny. If your organisation is bidding into government, reassessing public sector delivery risk, or trying to understand whether its controls would stand up under review, now is the time to look beyond the policy set and test the reality underneath.
