Cybersecurity – CloudGuard AI (https://cloudguard.ai), feed retrieved Thu, 29 May 2025 07:23:38 +0000

How to Calculate Cyber Risk Reduction and Why It Could Save Your Business
https://cloudguard.ai/resources/how-to-calculate-cyber-risk-reduction/ – Wed, 28 May 2025 13:02:49 +0000

You wouldn’t insure half your office. So why leave half your business unprotected from cyber threats?

50% of UK businesses were hit by cyber-attacks in 2024, costing medium-sized firms an average of £10,830 each time. Yet most of these losses were avoidable. In fact, 97% of successful attacks could have been prevented with better cybersecurity.

So how can you assess if your cybersecurity investment is truly worth it? The answer lies in calculating your cyber risk reduction.

This post explores how to do that, using insights from CloudGuard’s 2025 Cybersecurity ROI Business Case.


What is cyber risk reduction and why it matters

You know that cybersecurity is more than a technical concern; it’s a strategic business issue. Attacks disrupt operations, damage customer trust and hit your bottom line.

Real-world example: When a UK-based SME in financial services suffered a phishing attack, their portal was down for 9 days. They lost two major clients and took a £200,000 reputational hit. Had they tested their incident response plan, they could have recovered in just 5 days and saved over £170,000.

The stakes:

  • 53% of businesses suffer reputational damage after a breach
  • 24% experience long-term financial losses not covered by insurance
  • Market value can drop 14% in two weeks post-attack

Despite this, cybersecurity budgets in 2024 remained flat. Most SMEs are maintaining, not scaling, their defences. That’s a risk.


Cybersecurity ROI: The stats every CFO needs to see

The basic risk formula is:

Risk = Likelihood × Business Impact

But CloudGuard goes deeper, classifying risks into:

  • Known Knowns – predictable, measurable risks
  • Known Unknowns – known risks with unclear probabilities
  • Unknown Knowns – ignored or underestimated risks
  • Unknown Unknowns – emergent threats like zero-days

Inspired by Donald Rumsfeld’s framework, the “Known and Unknown Matrix” helps businesses categorise cyber risks based on their awareness and understanding, ranging from clearly defined threats to unforeseeable vulnerabilities that emerge without warning.

CloudGuard also identifies key risk areas:

  • People: Human error is the top vulnerability. From phishing scams to poor password hygiene, employees are often the first point of failure in a cyber incident. Ongoing training and a culture of security awareness are critical.
  • Processes: Impersonation and workflow gaps allow attackers to exploit weak verification steps or lack of oversight in digital transactions. Businesses need clearly defined, secure workflows—especially in finance, procurement, and HR.
  • Systems: Inadequate data classification & access controls lead to unmonitored exposure of sensitive information. A structured approach to data governance, including encryption and strict role-based access, is essential.
  • External: Supply chain attacks surged 300% in 2023. Vendors, partners, and third-party services must be held to the same security standards, with contracts including cybersecurity clauses and periodic audits.

The true cost of doing nothing

67% of UK small businesses feel they do not have the in-house skills to manage cybersecurity issues.

Here’s what happens when cyber risk is ignored:

  • 61% of SMEs fail within 6 months of a cyber incident
  • Only 57% of UK SMEs have cyber insurance
  • Average downtime: 12 days × £2,949/day = £35,388
  • Tested IR plans reduce downtime by 45%

Even with cyber insurance, many claims fail due to gaps in security posture or untested Incident Response Plans.


Risk reduction ROI: The numbers that matter

Using CloudGuard’s risk calculator:

  • Average incident exposure: £506,000
  • Likelihood of attack without investment: 38%
  • Likelihood with investment: 8%
  • Risk reduction: 30% = £151,800

Cost scenarios (150-employee SME):

Investment Option     | Cost    | ROI (%) | ROI vs Managed
Managed Service       | £41,949 | 261.8%  | Best ROI
Internal Recruitment  | £63,073 | 140.5%  | 46% lower
External Recruitment  | £95,927 | 58.2%   | 78% lower

A managed service model offers the highest ROI with the lowest complexity.
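To make the arithmetic behind these figures reproducible, here is a small risk-reduction ROI model written for this article; it is an added example, not CloudGuard’s risk calculator. It takes the page’s inputs (£506,000 exposure, 38% and 8% likelihoods, the three option costs, 12 days × £2,949 of downtime and the 45% downtime reduction from a tested IR plan) and assumes the ROI formula (avoided loss minus cost, over cost), which reproduces the table to within rounding; the “vs Managed” column is computed as how far below the best option’s ROI each option falls.

```python
"""Cyber risk-reduction ROI model (added example, not CloudGuard's calculator).

Formulas assumed for this example:
    Risk            = Likelihood x Business Impact
    Risk reduction  = (Likelihood without - Likelihood with) x Impact
    ROI             = (Risk reduction - Cost) / Cost
    ROI vs best     = (best ROI - this ROI) / best ROI
The input figures are the ones quoted on the page; class and function names are
this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    impact: float      # average incident exposure, GBP
    p_without: float   # likelihood of an incident without investment
    p_with: float      # likelihood of an incident after investment

    def expected_loss(self, likelihood: float) -> float:
        # Risk = Likelihood x Business Impact
        return likelihood * self.impact

    def risk_reduction(self) -> float:
        # Avoided expected loss: (P_without - P_with) x Impact
        return self.expected_loss(self.p_without) - self.expected_loss(self.p_with)


def roi_pct(benefit: float, cost: float) -> float:
    """Return on investment in percent: (benefit - cost) / cost."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (benefit - cost) / cost * 100.0


def compare_options(scenario: RiskScenario, options: dict[str, float]) -> list[dict]:
    """Rank investment options by ROI and express each relative to the best one."""
    benefit = scenario.risk_reduction()
    rows = [{"option": name, "cost": cost, "roi_pct": roi_pct(benefit, cost)}
            for name, cost in options.items()]
    rows.sort(key=lambda r: r["roi_pct"], reverse=True)
    best = rows[0]["roi_pct"]
    for row in rows:
        # How far below the best option's ROI this option sits, as a share of it
        row["vs_best_pct"] = (best - row["roi_pct"]) / best * 100.0
    return rows


def downtime_cost(days: float, cost_per_day: float, ir_plan_tested: bool) -> float:
    """Downtime cost; a tested IR plan cuts downtime by 45% (figure from the page)."""
    effective_days = days * (1 - 0.45) if ir_plan_tested else days
    return effective_days * cost_per_day


# Inputs quoted on the page
PAGE_SCENARIO = RiskScenario(impact=506_000, p_without=0.38, p_with=0.08)
PAGE_OPTIONS = {
    "Managed Service": 41_949,
    "Internal Recruitment": 63_073,
    "External Recruitment": 95_927,
}

if __name__ == "__main__":
    print(f"Risk reduction: £{PAGE_SCENARIO.risk_reduction():,.0f}")
    for row in compare_options(PAGE_SCENARIO, PAGE_OPTIONS):
        print(f"{row['option']:<22} £{row['cost']:>8,.0f}  ROI {row['roi_pct']:6.1f}%"
              f"  {row['vs_best_pct']:3.0f}% below best")
    print(f"Downtime, untested IR plan: £{downtime_cost(12, 2_949, False):,.0f}")
    print(f"Downtime, tested IR plan:   £{downtime_cost(12, 2_949, True):,.0f}")
```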


Phishing, downtime and reputational risk

Phishing is still the most common threat, accounting for 83% of cyber attacks.

This prevalence is down to the human element: it only takes one employee clicking a malicious link to compromise an entire organisation. The cost ripples into customer trust, operational continuity and even market valuation.

Successful cyber strategies account for this by addressing both technical safeguards and human behaviour. A layered approach builds resilience across every level of the business:

  • Cyber training every 6 months to refresh awareness and recognise evolving tactics
  • Formal, tested incident response (IR) plans to reduce recovery time and regulatory exposure
  • SaaS account audits to revoke access for all leavers and reduce the risk of insider threats
  • AI-enhanced detection systems that provide real-time alerts and automate first-response actions

A strong response posture consists of minimising impact, rapid detection, coordinated containment and informed response. These are the pillars that determine whether a cyber incident is a hiccup or a headline.


Want to know your own risk profile?


The question isn’t if you’ll face a cyber incident, it’s when. The only real question is: how prepared will you be?

Download the full CloudGuard Cybersecurity ROI Business Case Guide to:

  • Build your own risk model
  • Calculate your risk-based ROI
  • Access templates and planning frameworks
  • Benchmark your cybersecurity maturity

Or reach out for a no-obligation consultation with CloudGuard experts.

The Ultimate Cybersecurity ROI Playbook
/resources/cybersecurity-roi-guide/ – Mon, 19 May 2025 10:37:42 +0000

When Your Vendor Gets Hacked: The Third-Party Incident Response Plan for Financial Services
https://cloudguard.ai/resources/third-party-incident-response-plan-finance/ – Mon, 12 May 2025 13:17:01 +0000

Small financial services firms increasingly depend on cloud platforms, fintech solutions, and third-party IT providers to run their operations. But when a security breach originates outside their own infrastructure, knowing how to respond quickly and effectively becomes just as critical as protecting their internal systems.

Why having a plan matters

Third-party breaches are rising, and spreading faster. Did you know 98% of Europe’s largest companies have reported a third-party breach? Now, if that’s happening to the big guys, the question isn’t just “Are we secure?” but “What happens when our vendors aren’t?”

On top of this, only 22% of UK businesses have a formal Incident Response plan, a significant gap in preparedness. 

From DORA’s new ICT supply chain requirements to real-world breaches like MOVEit and SolarWinds, regulators and customers now expect preparedness even when the compromise happens externally.

Spotlight: Secure File Transfer Under DORA

The MOVEit breach highlighted a huge gap, where secure file transfer tools are often overlooked as third-party risks. Under DORA, financial firms must ensure the resilience of data in transit, not just at rest. This includes assessing managed file transfer (MFT) platforms, SFTP services, and cloud-based file exchanges. Many mid-sized firms use such tools daily without formal vetting, monitoring, or breach response plans, despite the fact that data transfer outages or compromises can directly impact regulatory reporting obligations and customer trust.

Key challenges for mid-sized financial firms

  • Low visibility into vendor infrastructure
  • Dependency on partners for updates, logs, and timelines
  • Lack of predefined response workflows for third-party incidents
  • Pressure to communicate quickly, without all the facts

Readiness Self-Check

Answer Yes/No:

  • Do you have a documented and tested IR plan?
  • Do all key responders know their roles?
  • Can you isolate a compromised machine within 5 minutes?
  • Is there a predefined plan for stakeholder comms?
  • Have you tested the plan in the last 6 months?

Score 4–5 Yes: You’re in a good place; refine and rehearse.
Score 2–3 Yes: Prioritise improvements now.
Score 0–1 Yes: Start with this toolkit and build.

5-phase plan for third-party incident response

1. Detection & Awareness

  • Subscribe to vendor status pages or threat intel feeds (some free ones include AlienVault & VirusTotal)
  • Monitor for abnormal outbound connections or broken integrations
  • Encourage staff to report unexplained vendor outages or degraded services

Red flag: MFA outage on SSO provider, SaaS tools timing out, or sudden webhook failures

2. Immediate Containment Steps

  • Disable integrations or API keys to affected vendor systems
  • Restrict outbound traffic/IPs related to vendor connections
  • Review and rotate any shared credentials (API keys, SSO tokens)
  • Force logout users and initiate session revocation if needed

Bonus: Pre-build automation to revoke shared tokens or disable integrations in one click

3. Internal Escalation & Activation

  • Alert your IR lead, legal/regulatory liaison, and executive sponsor
  • Review your contract or SLA for vendor breach obligations
  • Determine if a regulatory threshold is crossed (see below)

📢 Regulatory Triggers (UK)

You may need to notify regulators within 72 hours if:

  • Customer data was exposed (GDPR)
  • Operations were significantly disrupted (FCA/PRA)
  • Systems supporting payment or financial transactions were impacted

4. Coordinate Communication

  • Request a timeline and impact statement from the vendor
  • Draft internal FAQs for customer support and sales
  • Align messaging with vendor PR and status page updates

Message template (internal):
“We’re investigating a possible security issue involving [Vendor X]. While our systems are currently stable, we’ve paused integrations and initiated our IR workflow. Please route any client questions to [Channel X].”

External Customer Update Template:

“We are aware of a potential incident involving one of our service providers. While our systems remain secure, we’ve taken precautionary measures and continue to monitor the situation closely. We will provide updates as we learn more.”

5. Post-Incident Review & Remediation

  • Document timeline, vendor responsiveness, and decisions made
  • Conduct a risk reassessment of the affected vendor
  • Ensure recovery steps were fully executed (access, logs, tokens, backups)
  • Update your vendor breach playbook accordingly

Vendor criticality matrix (simplified)

Risk Category | Criteria                                      | Priority Action
High          | Access to sensitive data + operational impact | Playbook required + contract clause review
Medium        | Access to internal systems but no PII         | Alerting + response workflow needed
Low           | No access to critical assets or data          | Periodic review

Must-have table: Who does what

Action                            | Responsible Party
Disable integration/API           | Internal IT/security
Communicate with vendor           | Procurement or security
Notify regulators/customers       | Legal + Compliance
Log incident timeline & decisions | IT / Incident Manager
Update customer support comms     | Marketing / CX

Third-party breach checklist

✅ Vendor contacted and response underway
✅ Shared credentials (API keys, SSO) reviewed/reset
✅ Integration disabled or traffic restricted
✅ Leadership, legal, and customer support informed
✅ Comms approved and published (if needed)
✅ Vendor’s remediation reviewed and logged
✅ Risk score and playbook updated

Make This Easy

CloudGuard AI helps mid-sized financial firms prepare for the breaches they can’t control with expert-guided Incident Response workshops. Because when it comes to breaches, it’s not a matter of “if” but “when.” Make sure you’re prepared.
The Evolution of ANSEL
https://cloudguard.ai/resources/the-evolution-of-ansel/ – Fri, 11 Apr 2025 09:43:47 +0000

ANSEL Then

In the early days, our automation, ANSEL, while not necessarily immature, was certainly less advanced than it is today.

Our initial focus was on developing automation to remove certain repetitive tasks from analysts, allowing them to focus on more strategic decision-making.

The first step in this journey was enabling automation to handle triage, the initial phase of incident analysis. We did this by enriching the data analysts would typically gather to understand a security event.

Once we had automation effectively managing triage, the next logical progression was enabling it to recommend outcomes based on the triage steps and the decision-making framework analysts used. As our capabilities matured, automation moved from simply providing recommendations to delivering actionable outcomes.

This meant that incidents could either be closed automatically, if deemed non-threatening or benign, or escalated to the customer when a genuine risk was identified.

In these cases, our automation not only escalated incidents but also provided clear recommendations on the next steps customers should take.

This led us to the final and most impactful stage: remediation.

ANSEL Now

Today, ANSEL is no longer the alerting tool it once was. It’s an active participant in cybersecurity operations, working alongside the SOC team. It can not only notify customers of threats but also take immediate action within their environments to mitigate and contain potential risks.

To put this into perspective, here’s the real-world impact of ANSEL:

  • 67.3% of all security tickets fully automated by ANSEL
  • ANSEL notified customers of threats in just 1.35 minutes on average
  • Saved an average of 18 days per quarter on ticket resolution
  • Reduced resolution time by up to 90% through automation

The transformation of ANSEL over the years shows a fundamental shift in how organisations can use automation to strengthen their security resilience.

The Role of Threat Intelligence in Automation

Another critical aspect of our approach has been the integration of enterprise-grade threat intelligence throughout the incident triage process.

This capability isn’t limited to automated incidents; it applies to all incidents, ensuring that every security event in our environment is enriched with high-quality intelligence. By doing so, we empower analysts with deeper insights and more context, leading to faster and more accurate decision-making.

Unlike many traditional models where enterprise-grade threat intelligence is provided on a per-customer basis, we’ve adopted a different approach.

Through our licensing model, we apply this intelligence across our entire customer base. This not only improves security effectiveness but also reduces costs, eliminating the need for you to make significant investments in standalone threat intelligence solutions and making advanced cybersecurity more accessible to organisations of all sizes.

What’s next for ANSEL and the future of automation in your security operations? Watch this space.

Why the Local Government Cyber Assessment Framework is a game-changer for your council
https://cloudguard.ai/resources/why-caf-for-local-government/ – Thu, 27 Feb 2025 16:00:15 +0000

Cybersecurity threats are a growing concern for every local council, including yours. You only have to look at the news to see how often they’re happening. Just look at this news feed:

[Image: list of recent local government cyber attacks]

On the increasing risks facing UK government, Gareth Davies, Head of the National Audit Office, says:

The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.

As you continue to embrace digital transformation, your reliance on online services, cloud platforms and digital workflows increases. While these advancements make service delivery more efficient, they also expand your exposure to cyber threats.

That’s why the Cyber Assessment Framework (CAF) for Local Government is such an important tool. It helps you assess, understand and strengthen your council’s cyber resilience.

At CloudGuard, we work closely with councils like yours. We help them build stronger defences against cyber threats. We know that keeping your services secure while juggling budget constraints and compliance demands is no easy task.

That’s why we believe the CAF for local government is a game-changer. It’s a practical, structured and effective way for you to manage cyber risk. Here’s why it matters to your council.

What is the local government CAF, and why does it matter to you?

The CAF was originally developed by the National Cyber Security Centre (NCSC). You can read our full guide on that here.

The CAF’s goal is to provide a systematic, comprehensive approach to assessing cyber risks. While the NHS and Department for Work and Pensions (DWP) are adopting their own versions, local councils face unique challenges that demand an adapted version tailored to your needs.

[Illustration: how the NCSC CAF objectives compare to the MHCLG CAF for local government objectives]

Unlike traditional cybersecurity compliance measures, the CAF for local government is not just a tick-box exercise. It’s a practical tool designed to help you:

  • Identify vulnerabilities in your critical systems
  • Strengthen resilience against cyber attacks
  • Prioritise resources effectively
  • Benchmark against national cybersecurity standards

It also gives you a clear action plan to improve your cyber readiness, making it easier to justify security investments to leadership and stakeholders.

Cybersecurity isn’t just IT’s problem. It’s your whole council’s responsibility

One of the biggest challenges councils face is the belief that cybersecurity is solely an IT issue. But that’s a misconception, and the CAF for local government is designed to challenge that mindset.

Cybersecurity should be everyone’s responsibility, from leadership to frontline staff. The CAF for local government encourages collaboration across your departments, making sure that security is embedded into your council’s daily operations, policies and decision-making processes.

By adopting the CAF, you’re not just protecting your IT infrastructure. You’re also protecting critical services, sensitive data and the citizens who rely on you.

Designed with councils like yours in mind

The CAF isn’t just another government directive. It has been co-developed with local councils through pilot programmes. Over 20 councils took part in testing, providing feedback that directly shaped how the framework works in practice.

Because of this, the CAF for local government takes into account the unique challenges you face and is split into two key assessments:

  1. Your council’s organisational approach to cybersecurity. This assesses how cybersecurity is managed at a leadership and policy level.
  2. Your critical systems’ ability to withstand cyber threats. This looks at how well your essential services are protected against attacks and how prepared you are to detect and respond to incidents.

By applying both of these assessments, you get a full picture of your council’s cybersecurity landscape. This in turn will help you build a more resilient, security-first culture.

The CAF isn’t mandatory. So why should your council do it?

Right now, the CAF is a voluntary tool. BUT that doesn’t mean you should ignore it. The councils that have already used it are seeing huge benefits, including:

  • Identifying cyber risks before they become crises
  • Strengthening resilience against cyber attacks
  • Focusing resources on the most urgent security gaps
  • Receiving clear, actionable recommendations
  • Benchmarking against a national cybersecurity standard

If you wait until a major cyber incident happens, it could cost your council millions.

That’s not just in recovery expenses but in lost public trust and service disruptions. Taking action now is far more effective (and cost-efficient) than reacting to a crisis later.

Could a single cybersecurity framework reduce your council’s compliance burden?

If your council works with the NHS, DWP or other government departments, you’re likely dealing with multiple overlapping cybersecurity standards like PSN, NHS IG, DWP security frameworks and more.

Each of these demands time, resources, and compliance efforts, creating a huge administrative burden for your team.

But things might be changing. With the DWP and NHS England moving towards CAF-based assessments, there’s a real opportunity for your council to benefit from a single, standardised approach to cybersecurity compliance.

The UK Government is already exploring how to streamline these requirements. Your council could be at the forefront of shaping this shift.

By adopting the CAF for local government now, you position yourself ahead of the curve, potentially reducing future compliance workloads while strengthening your security.

How we can help your council implement the CAF

At CloudGuard, we specialise in helping councils like yours navigate cybersecurity challenges.

We understand the pressure you’re under to protect public services while managing tight budgets and complex regulations. That’s why we offer tailored support to help you make the most of the CAF for local government.

Here’s how we can help:

  • CAF readiness assessments – We’ll evaluate your council’s cybersecurity posture, identifying areas where you’re already strong and where you need improvement.
  • Gap analysis & remediation – We’ll help you identify vulnerabilities and develop a plan to address them.
  • Training & awareness programmes – We’ll ensure your leadership and staff understand their role in maintaining cybersecurity.
  • Incident response planning – We’ll help you prepare for and respond to cyber incidents quickly and effectively.

The bottom line? Take action now to protect your council’s future

The CAF for local government is a transformative tool that can help you strengthen your council’s cybersecurity, improve resilience and protect public services.

You have the opportunity to take proactive steps today, rather than waiting for a disruptive cyber incident to force your hand.

The CAF for local government provides a clear roadmap for strengthening security. We’re here to help you every step of the way.

If your council is ready to implement the CAF for local government and take control of your cybersecurity future, get in touch with us today. We’ll help you turn the framework into an actionable, effective strategy that works for you.

Preventing malvertising attacks with CloudGuard Managed XDR [real-world examples]
https://cloudguard.ai/resources/preventing-malvertising-mxdr/ – Mon, 17 Feb 2025 11:02:57 +0000

You’re at work, rushing to edit a PDF. You Google “PDF editor”, click the first link, and download what looks like the perfect tool.

But what if that simple search just opened the door to a cyberattack?

[Screenshot: Google search for a PDF editor, showing one legitimate result and one malvertising result]

That’s exactly what happened here. A user thought they were downloading a harmless PDF editor.

Instead, they unknowingly installed malware, and just like that, attackers had remote access to their machine.

This is called malvertising (a blend of “malware” and “advertising”).

What is malvertising?

Malvertising is a technique used by cybercriminals to embed malicious content, such as code or programs, within online advertisements. These ads often appear on well-known websites, making them seem trustworthy. Once a user interacts with the ad, it can trigger the download of malware, spyware, or ransomware without their knowledge.

Let’s break down the attack and how you can prevent malvertising:

Step 1: The setup – A malicious Google ad

Cybercriminals don’t need to send phishing emails anymore; they just buy ads on Google and wait for you to come to them.

That’s what happened in this case.

  1. The user searched for “PDF editor”
  2. Clicked on a malvertising link
  3. Downloaded an EXE file posing as a legit PDF tool
  4. Ran the installer, unknowingly executing a trojanized program

[Screenshot: Google search for a PDF editor with the malicious sponsored result highlighted in red and the legitimate one in green]
An example of a malicious sponsored advert and legitimate sponsored advert

At first, everything looked fine. No red flags. No warnings. Just a seemingly normal PDF editor. But behind the scenes? The malware had already made itself at home.

Step 2: The silent infection – What the malware did

Once executed, the EXE did exactly what the attackers designed it to do:

  1. Created a scheduled task that launched the malware on every startup
  2. Ran in hidden mode, so the user never noticed it running
  3. Maintained persistence, surviving reboots
  4. Established a backdoor, giving attackers remote access

Because the malware didn’t require admin privileges to install, even restricted users were vulnerable. It slipped past basic security measures without a hitch.

Traditional antiviruses can’t catch these types of attacks. Why? Because AV relies on known threats, and this EXE had never been flagged before.

[Screenshot: the CloudGuard MXDR back end, showing the 24/7 SOC team’s view of the malvertising attack]
How CloudGuard’s SOC team is able to prevent malvertising in your environment

Step 3: The attack meets a 24/7 SOC

This is where things took a turn…for the attackers.

When this file executed, it triggered a behavioural detection in our MXDR (Managed Extended Detection & Response) platform. Unlike traditional antivirus, MXDR looks at behaviour, not just known malware signatures, and something about this EXE didn’t add up.

How fast did we shut it down?

✅ 0 min → Indicators of Compromise (IOCs) are automatically analysed, enriched, and triaged using Threat Intelligence sources like Recorded Future
✅ 5 min → Identified the EXE launching command prompt activity
✅ 3 min → Traced the infection back to a malvertising download
✅ 10 sec → Isolated the machine, cutting off attacker access instantly

Total time to neutralise? Less than 10 minutes.

If this attack had gone unnoticed, it could have escalated quickly, spreading across the network, stealing credentials or deploying ransomware.

But our 24/7 SOC was on it, stopping the attack before it could do real damage.

Why this attack matters (and why you should care)

Attacks like this aren’t rare; they’re the new norm. Cybercriminals don’t rely on hacking in anymore. They’re using SEO poisoning, Google Ads and social engineering to get users to download the malware themselves.

And if you’re only relying on antivirus or don’t have a dedicated SOC team, these threats will slip through.

Here’s how you can prevent malvertising attacks:

  1. Be cautious with Google Ads: malvertising is on the rise.
  2. Monitor scheduled tasks: unexpected ones could be a red flag.
  3. Restrict software installation permissions to prevent unauthorised installs.
  4. Deploy MDR or MXDR (not just antivirus!) to catch behavioural threats.

But most importantly? You need a team that can catch and stop these attacks before they escalate.
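The “monitor scheduled tasks” advice above can be turned into a concrete check. The following Python triage script is an added example (not CloudGuard’s detection logic): it parses the CSV that `schtasks /query /fo CSV /v` produces on Windows and scores each task for the persistence traits described in this case (a startup trigger, a binary under a user-writable path such as AppData or Temp, hidden-window or interpreter launches, and a task created and run by an ordinary user). The sample CSV, host, task and vendor names, and the weights are constructed for the example.

```python
"""Triage Windows scheduled tasks for persistence red flags.

Added example for this article, not CloudGuard's detection logic. It reads the
CSV that `schtasks /query /fo CSV /v` produces; the sample below is constructed
and trimmed to a subset of the real columns. Weights are heuristic.
"""
import csv
import io
import re

# Paths an ordinary (non-admin) user can write to. A startup task launching
# from one of these matches the "no admin privileges needed" pattern above.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# Interpreters often used to hide a payload behind an innocuous command line.
INTERPRETER = re.compile(
    r"\b(cmd\.exe|powershell(\.exe)?|pwsh|wscript|cscript|mshta|rundll32)\b", re.IGNORECASE)
# Switches that ask for a hidden or minimised window ("ran in hidden mode").
HIDDEN = re.compile(r"(-w(indowstyle)?\s+hidden|/min\b)", re.IGNORECASE)
# schtasks "Schedule Type" strings that mean boot/logon persistence.
BOOT_TRIGGERS = {"at system start up", "at logon time"}
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def score_task(task: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one schtasks row; higher is more suspicious."""
    score, reasons = 0, []
    cmd = task["Task To Run"]
    if USER_WRITABLE.search(cmd):
        score += 3
        reasons.append("runs from a user-writable path")
    if task["Schedule Type"].strip().lower() in BOOT_TRIGGERS:
        score += 2
        reasons.append("triggers at startup or logon")
    if INTERPRETER.search(cmd):
        score += 1
        reasons.append("launches a command or script interpreter")
    if HIDDEN.search(cmd):
        score += 2
        reasons.append("requests a hidden or minimised window")
    user_created = not task["Author"].lower().startswith("microsoft")
    runs_as_user = task["Run As User"].upper() not in SERVICE_ACCOUNTS
    if user_created and runs_as_user:
        score += 1
        reasons.append("created by and running as an ordinary user")
    return score, reasons


def triage(schtasks_csv: str, threshold: int = 4) -> list[dict]:
    """Parse schtasks CSV output and return tasks scoring at or above threshold."""
    flagged = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row["TaskName"] == "TaskName":
            continue  # schtasks /fo CSV repeats the header row between task folders
        score, reasons = score_task(row)
        if score >= threshold:
            flagged.append({"task": row["TaskName"], "score": score,
                            "command": row["Task To Run"], "reasons": reasons})
    return sorted(flagged, key=lambda t: t["score"], reverse=True)


# Constructed sample output (host, task and vendor names are made up).
SAMPLE_SCHTASKS_CSV = '''\
"HostName","TaskName","Status","Author","Task To Run","Scheduled Task State","Run As User","Schedule Type"
"WS-042","\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan","Ready","Microsoft Corporation","C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MpCmdRun.exe Scan -ScheduleJob","Enabled","SYSTEM","Daily"
"WS-042","\\ExampleVendorUpdate","Ready","Example Vendor Ltd","C:\\Program Files (x86)\\ExampleVendor\\Update\\update.exe /ua","Enabled","SYSTEM","Daily"
"WS-042","\\PDFEditorHelper","Ready","WS-042\\jsmith","C:\\Users\\jsmith\\AppData\\Local\\Temp\\PDFEditor\\pdfeditor.exe --service","Enabled","WS-042\\jsmith","At system start up"
"WS-042","\\SystemHealthCheck","Ready","WS-042\\jsmith","cmd.exe /c start /min powershell -w hidden -f C:\\Users\\jsmith\\AppData\\Roaming\\health.ps1","Enabled","WS-042\\jsmith","At logon time"
'''

if __name__ == "__main__":
    for hit in triage(SAMPLE_SCHTASKS_CSV):
        print(f"[{hit['score']}] {hit['task']}: {hit['command']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

On a live host, pipe the real `schtasks /query /fo CSV /v` output into `triage()` and review anything at or above the threshold alongside the file’s hash and signer before acting on it.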

[Screenshot: how the malvertising attack on Homebrew was conducted]
The malicious Homebrew attack: A normal-looking Google ad leads to a malicious website, which then prompts the user to enter their admin password to install harmful software.

Real-world examples of malvertising

This isn’t just a one-off incident. 1 in every 100 ads comes with malicious content. Here are some recent examples:

  • January 2025 – Cybercriminals used fake Google ads mimicking the Homebrew website to target Mac users. Clicking the ad led to an infostealer malware that harvested credentials, browser data, and even cryptocurrency wallets. (Bleeping Computer)
  • December 2024 – A large-scale malvertising campaign spread the Lumma Stealer malware through fake CAPTCHA verification pages. Users were tricked into running PowerShell commands, unknowingly installing malware. (Bleeping Computer)

These attacks prove that traditional antivirus alone isn’t enough.

Attackers are changing up their tactics, and businesses need real-time detection, behavioural analysis, and round-the-clock monitoring to ensure they’re preventing malvertising attacks.

Frequently Asked Questions

Where does malvertising typically appear?

Malvertising typically appears on well-known websites, social media platforms, and search engines. Cybercriminals purchase ad space on these trusted platforms, making the malicious ads seem legitimate. Once clicked, these ads can trigger malware downloads or redirect users to harmful sites.

What’s the difference between malvertising and ad malware?

Malvertising is the use of online advertisements to distribute malicious content, often through trusted ad networks. Ad malware, on the other hand, is a broader term referring to any type of malware that specifically targets advertising platforms, potentially manipulating ads or ad networks themselves to deliver harmful content.

Is malvertising a form of phishing?

Malvertising and phishing are related, but they’re not the same. While phishing involves tricking users into revealing personal information through deceptive emails or websites, malvertising uses online ads to deliver malware or direct users to fake sites. Both techniques are forms of social engineering, but malvertising primarily involves spreading malware rather than stealing sensitive data directly.

Stay Ahead of Cyber Threats with 24/7 Managed XDR

Don’t wait until an attack happens, stop threats in real time with proactive monitoring, behavioural detection, and expert SOC analysts. Learn more about CloudGuard Managed XDR here.

CAF: How to go from ‘not achieved’ to ‘achieved’ in security monitoring
https://cloudguard.ai/resources/caf-achieve-security-monitoring/ – Wed, 05 Feb 2025 15:49:18 +0000

Let’s face it. Getting your monitoring capabilities to a level where you can confidently detect and respond to cyber threats is no small task.

If your organisation is aligning with the NCSC’s Cyber Assessment Framework (CAF), you’re probably familiar with C1.a – Monitoring Coverage.

(That’s ‘objective C’, ‘principle 1’ and ‘contributing outcome a’ for those who really know their stuff.)

This contributing outcome is all about ensuring that your organisation has robust, comprehensive and reliable monitoring in place to detect potential security incidents.

For many organisations, monitoring is one of the trickiest areas to get right. Whether it’s because of limited resources, fragmented tools or an incomplete understanding of what needs to be monitored, it’s easy to fall short.

But that’s where Managed Extended Detection and Response (XDR) services can make all the difference.

I’m going to break down what it means to achieve monitoring coverage under C1.a, why it matters and how a managed XDR service like CloudGuard’s can help you move from ‘not achieved’ to the gold standard of ‘achieved.’

By the end, you’ll have a clear understanding of what steps to take and why investing in Managed XDR could be the game-changer your organisation needs.

What does C1.a – Monitoring Coverage mean?

The CAF defines C1.a as the need for monitoring coverage that is comprehensive enough to reliably detect security incidents affecting your essential functions.

This means putting systems and processes in place to collect, analyse and act on data from across your organisation.

But what exactly does that look like?

[Diagram: the structure of C1.a in the Cyber Assessment Framework]

You can learn more about how the CAF is structured here.

Now, let’s look at the three status levels or the ‘Indicators of Good Practice’ (IGPs) in a bit more detail.

Not achieved

If your organisation is in the ‘not achieved’ category for C1.a, you’ve got some work to do.

Here’s what this looks like:

  • No data collection: Security and operational data about your essential functions aren’t being collected at all. Without data, there’s no way to detect threats or understand what’s happening in your environment.
  • No IoC detection: Indicators of Compromise (IoCs)—such as malicious command and control signatures—aren’t being identified. This leaves you unable to detect threats that could already be active within your network.
  • No user monitoring: There’s no ability to audit user activities or detect suspicious behaviour related to your essential functions.
  • No network traffic monitoring: You’re not capturing traffic at your network boundary, even at a basic level (e.g., IP connections).

In short, you’re operating without visibility, which makes it impossible to respond to potential security incidents effectively.

Partially achieved

Moving to ‘partially achieved’ status means you’ve made some progress, but you’re not quite where you need to be.

Here’s what this looks like:

  • Partial data collection: You’re collecting some security and operational data but the coverage is inconsistent or incomplete.
  • Basic IoC detection: You can detect IoCs but the process may not be reliable or comprehensive.
  • Limited user monitoring: You’re monitoring user activity but only for a narrow set of behaviours or policy violations.
  • Basic network traffic monitoring: You’ve started monitoring traffic at your network boundary but the coverage isn’t extensive.

At this stage, you’ve got the foundation in place, but you need to expand and deepen your capabilities to reach full compliance with C1.a.

Achieved

To reach ‘achieved’ status, your organisation needs to have robust and proactive monitoring in place.

Here’s what that looks like:

  • Informed monitoring: Your monitoring is guided by a clear understanding of your networks, common attack methods, and the specific threats that could disrupt your essential functions.
  • Detailed data collection: You’re gathering data that’s granular enough to reliably detect incidents and policy violations.
  • Comprehensive IoC detection: Detecting IoCs is straightforward, reliable, and effective.
  • Extensive user monitoring: You’re monitoring user activity comprehensively, with clear policies and tools to identify undesirable behaviours.
  • Complete coverage: Your monitoring includes host-based monitoring, network gateways, and integration of new systems as they come online.

This is where you want to be—your monitoring capabilities are proactive, resilient, and capable of responding to evolving threats.
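To make the three levels concrete, here is an added Python example (not from the CAF or from CloudGuard) of what the telemetry behind C1.a looks like in practice: basic IP-connection records from the network boundary matched against a list of C2 indicators, user audit events compared with an agreed list of undesirable actions, and a check for the ‘no data at all’ gaps the ‘not achieved’ indicators describe. Every log line, address, user and indicator is constructed for the example.

```python
"""Toy illustration of the C1.a telemetry areas: boundary IP-connection
monitoring with IoC matching, user-activity auditing against an agreed list of
undesirable actions, and a check for the 'no data at all' gaps the 'not
achieved' indicators describe.  All logs, addresses, users and indicators are
constructed; the IPs come from the TEST-NET documentation ranges."""
from dataclasses import dataclass, field

# Constructed IoC list: destination IPs flagged as command-and-control (C2).
C2_INDICATORS = {"203.0.113.9", "198.51.100.77"}

# Agreed list of undesirable user behaviours (constructed).
UNDESIRABLE_ACTIONS = {"disable_audit_logging", "mass_download", "add_global_admin"}

# Constructed boundary firewall log, one connection per line:
# "<timestamp> <src ip> <dst ip>:<dst port> <action>"
BOUNDARY_LOG = """\
2025-02-05T09:00:01Z 10.0.0.12 192.0.2.10:443 ALLOW
2025-02-05T09:00:04Z 10.0.0.12 203.0.113.9:8443 ALLOW
2025-02-05T09:00:09Z 10.0.0.31 198.51.100.77:443 ALLOW
2025-02-05T09:00:12Z 10.0.0.45 192.0.2.10:443 ALLOW
"""

# Constructed user audit log: "<timestamp> <user> <action>"
USER_AUDIT_LOG = """\
2025-02-05T09:01:00Z alice read_document
2025-02-05T09:01:20Z bob disable_audit_logging
2025-02-05T09:02:05Z alice mass_download
"""


@dataclass
class Findings:
    ioc_hits: list = field(default_factory=list)          # (timestamp, src, dst)
    user_violations: list = field(default_factory=list)   # (timestamp, user, action)
    coverage_gaps: list = field(default_factory=list)     # C1.a areas with no data


def parse_boundary(log):
    """Yield (timestamp, src, dst, port) from the constructed firewall format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, _action = line.split()
        dst, _, port = dst_port.rpartition(":")
        yield ts, src, dst, int(port)


def parse_user_audit(log):
    """Yield (timestamp, user, action) from the constructed audit format."""
    for line in log.splitlines():
        if line.strip():
            ts, user, action = line.split()
            yield ts, user, action


def assess(boundary_log, user_log, indicators=C2_INDICATORS,
           undesirable=UNDESIRABLE_ACTIONS):
    f = Findings()
    conns = list(parse_boundary(boundary_log))
    events = list(parse_user_audit(user_log))

    # Network traffic monitoring + IoC detection: even basic IP-connection
    # records at the boundary are enough to match known C2 destinations.
    for ts, src, dst, _port in conns:
        if dst in indicators:
            f.ioc_hits.append((ts, src, dst))

    # User monitoring: audited actions compared with the agreed list.
    for ts, user, action in events:
        if action in undesirable:
            f.user_violations.append((ts, user, action))

    # Coverage: the 'not achieved' indicators describe areas with *no* data.
    if not conns:
        f.coverage_gaps.append("network traffic monitoring")
    if not events:
        f.coverage_gaps.append("user monitoring")
    if not indicators:
        f.coverage_gaps.append("IoC detection")
    if not conns and not events:
        f.coverage_gaps.append("data collection")
    return f


if __name__ == "__main__":
    result = assess(BOUNDARY_LOG, USER_AUDIT_LOG)
    print("IoC hits:", result.ioc_hits)
    print("User violations:", result.user_violations)
    print("Coverage gaps:", result.coverage_gaps or "none in the four data areas")
```

Having data in all four areas is only the floor: ‘achieved’ additionally needs host-based monitoring, monitoring informed by your own network and threat picture, and onboarding of new systems, none of which a script like this can attest to.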

Why does monitoring coverage matter?

Reaching the ‘achieved’ level for C1.a isn’t just about ticking a box. It’s about ensuring that your organisation can detect and respond to threats before they escalate into full-blown incidents.

Without adequate monitoring, threats can go unnoticed for weeks, months or even years. This puts your essential functions at risk.

Good monitoring also supports other aspects of your cybersecurity strategy.

For example, it provides the visibility you need to conduct thorough investigations, improve your response processes, and continuously enhance your security posture.

How Managed XDR can take you from ‘not achieved’ to ‘achieved’

So, how can a Managed XDR service help?

I’m going to break it down step by step.

1. Comprehensive data collection

One of the biggest barriers to achieving C1.a is the lack of comprehensive data collection.

Managed XDR services solve this problem by aggregating data from a wide range of sources, including endpoints, network traffic, cloud platforms and user activity.

With Managed XDR, you’re not just collecting data. You’re centralising it in a way that makes it easier to analyse and act on.

This gives you the foundation you need to detect threats reliably.

2. Advanced IoC detection

Managed XDR platforms come equipped with advanced tools for detecting Indicators of Compromise (IoC).

Using AI, machine learning and up-to-date threat intelligence, these services can identify malicious activities like command and control traffic, ransomware or phishing attempts.

This aligns perfectly with the CAF’s requirements for ‘achieved’ status, where IoC detection is both reliable and proactive.

3. Robust user activity monitoring

User activity monitoring is critical for detecting insider threats, policy violations and other risks.

Managed XDR services often include behavioural analytics that can flag unusual or suspicious user actions.

This helps you move beyond basic monitoring to a more comprehensive approach, covering an agreed list of undesirable behaviours and potential policy breaches.

4. Network traffic visibility

Monitoring network traffic is another area where Managed XDR shines.

These services can capture and analyse traffic crossing your network boundary, as well as activity within your network.

For ‘achieved’ status, you need both host-based monitoring and gateway-level visibility.

Managed XDR provides this level of coverage, ensuring that you’re not missing any critical data points.

5. Proactive integration and scalability

Reaching ‘achieved’ status requires you to bring new systems and data sources into your monitoring strategy as they come online.

Managed XDR services are inherently scalable, allowing you to integrate new technologies and adapt to changing requirements.

This ensures that your monitoring remains comprehensive and effective over time, even as your organisation evolves.

Beyond the technology

While Managed XDR can give you the tools you need, it’s important to remember that reaching ‘achieved’ status for C1.a isn’t just about technology.

Here are a few additional considerations:

  • Make sure your monitoring strategy aligns with your organisation’s overall risk management approach.
  • Customise the XDR solution to focus on your essential functions and business priorities.
  • Ensure your team is equipped to interpret alerts, respond effectively and maximise the value of the XDR platform.

Final thoughts

Reaching ‘achieved’ status for C1.a is about more than just compliance. It’s about building a monitoring strategy that protects your organisation’s most critical functions.

A Managed XDR service like CloudGuard PROTECT can play a key role in helping you get there. It can do this by addressing gaps in your data collection, IoC detection, user activity monitoring and network traffic visibility.

The journey from ‘not achieved’ to ‘achieved’ isn’t always easy, but with the right tools, support and mindset, it’s absolutely within your reach.

If you’re ready to take the next step, a Managed XDR service could be the partner you need to make it happen.

Remember, cybersecurity is a continuous process. Not a one-off project. By investing in the right capabilities today, you’re setting your organisation up for long-term success and resilience.

Unpacking what Microsoft’s agentic AI announcements mean for cybersecurity in 2025
https://cloudguard.ai/resources/unpacking-microsoft-agentic-ai/
Mon, 27 Jan 2025 13:41:10 +0000

At CloudGuard, we are always looking out for the trends shaping the future of cybersecurity.

One of the biggest announcements to catch our attention came from Microsoft’s Ignite 2024 conference where they introduced a concept called “Agentic AI.”

If you have not heard that term before, imagine an AI that does more than just follow instructions. It learns, adapts and makes decisions on its own to achieve set goals. In other words, it is an AI with a level of autonomy we have not really seen until now.

In this blog, I will walk you through what Microsoft announced, explain the idea behind agentic AI and dig into why it could matter so much for cybersecurity teams everywhere.

Microsoft’s agentic AI announcement at Ignite 2024

Chairman and CEO Satya Nadella speaks at Microsoft Ignite 2024.

At Ignite 2024, Microsoft showcased how it is pushing AI beyond the traditional rule-based approach.

Their vision: systems that adapt in real time without needing constant human input. Instead of just following preset instructions, these new AI “agents” can map out their own mini-goals, change tactics on the fly and keep learning as fresh data comes in.

What exactly was announced?


During the keynote, Microsoft demonstrated prototypes blending agentic AI into different IT environments.

One agent coordinated software patches across a huge global network, making calls without someone hovering over it. Another dove deep into enterprise-scale infrastructure to detect vulnerabilities. It scanned multiple layers, found weak spots, applied fixes and learned from each step to perform better over time.

For more details you can check out Microsoft Ignite’s official site or their blog on Responsible AI.

Microsoft’s vision and goals


Microsoft wants these AI agents to be not just powerful but also ethically aligned.

The idea is not to build rogue machines that act against human values. Rather, it is about freeing up security professionals from repetitive or overly complicated tasks so they can focus on what really matters.

They highlighted their commitment to principles like fairness, reliability, safety, privacy, security, transparency and accountability. In other words, the human element still sets the tone and defines the boundaries.

Microsoft’s stance echoes their Responsible AI Principles.

Community reactions and early feedback

After Ignite, the community response was a mix of excitement and healthy scepticism.

Many cybersecurity experts were intrigued by how these capabilities could speed up threat detection. Imagine cutting down response times from days to minutes because your AI can outpace attackers who are changing their methods all the time.

On the flip side, there were concerns.

Some asked whether cybercriminals would also use agentic AI, escalating attacks to a new level. Others wondered whether these systems could create unexpected vulnerabilities or leave human analysts feeling less in control.

Microsoft addressed these worries by stressing built-in safeguards and a strong ethical code, but the debate is far from settled.

For more context on how similar technologies have been discussed you might want to check out resources like Forrester’s AI research or industry expert commentary on managing new cybersecurity tools.

Why AI matters for cybersecurity

Make no mistake. Agentic AI represents a turning point.

Threats are getting more complex and automated and we need defenses that can keep up. Adaptive learning and autonomous problem-solving are powerful capabilities. Still, using them responsibly means considering new ethical dilemmas, and ensuring humans stay firmly in the driver’s seat.

At CloudGuard, we think it is critical to keep an open mind, stay involved in these discussions and get ready for a future where autonomous AI-driven cybersecurity might be closer than we think.


What Is agentic AI? (and what it isn’t)

Lance Braunstein, head of Aladdin Engineering at BlackRock, and Judson Althoff, executive vice president and chief commercial officer at Microsoft, speak at Microsoft Ignite 2024.

Today’s reactive AI vs agentic AI

Right now most advanced AI models wait for commands.

They are like super smart assistants that answer questions and follow instructions but never take the initiative. In contrast, agentic AI can spot objectives on its own, break them down into smaller tasks and proactively pursue them.

Defining Agentic AI

Agentic AI is more than a passive tool.

Take a corporate network security scenario. A reactive AI might run scans and hand you a list of issues. Agentic AI would detect suspicious activities, suggest fixes, implement patches and then keep an eye on how attackers respond.

It would adjust its approach, learning as it goes. This goal-oriented and adaptive nature gives it a real edge.

What agentic AI isn’t

Agentic AI is not magic and it is certainly not a step toward sentient robots.

It does not have feelings or desires. It also does not remove humans from the picture.

Security professionals still set the big goals, define compliance rules and outline ethical boundaries. The AI works within those guidelines.

Humans shift from micromanaging to guiding, ensuring the AI’s actions align with the company’s core values.

Addressing Misconceptions

Some worry that Agentic AI will replace human cybersecurity experts.

Not so. Yes, it can handle repetitive tasks or detection at a scale that would exhaust human teams, but it still relies on our judgment and direction.

As Dr. Sarah Lin, a cybersecurity researcher at the University of Washington, points out:

Agentic AI acts like a skilled problem-solver rather than a passive tool. Yet it still needs professionals to guide its objectives, interpret results and make ethically sensitive decisions.

Expert Perspectives

John Martinez, a security consultant at Forrester, noted:

Agentic AI can accelerate how we respond to threats, but we must ensure it does not introduce new vulnerabilities or diminish human accountability.

This caution aligns with what we have seen, and is echoed in resources like our own incident response guides.

Practical Takeaways

For cybersecurity professionals, understanding agentic AI is not just about knowing the tech specs. It is about reshaping how we think about AI.

Instead of treating it like a tool that needs constant babysitting, we can see it as a partner working alongside us.

Your job will shift toward setting the objectives and ethical standards, and ensuring the AI’s actions reflect your organisation’s values.

The good, the bad and the ugly of agentic AI in cybersecurity

A stylized computer screen demonstrating the Trustworthy AI user interface

The good: Stronger defences and proactive security

  • Faster threat detection and response: Agentic AI can spot and neutralise threats in record time, potentially turning days into minutes.
  • Adaptive defence mechanisms: Attackers evolve, but agentic AI can change its tactics just as fast, making it harder for bad actors to succeed.
  • Proactive vulnerability identification: Agentic AI can find and fix weak spots before attackers even get a chance to exploit them.

The bad: Potential misuse and dependency

  • Empowering attackers: Cybercriminals could deploy agentic AI for their own malicious ends, making attacks more adaptive and dangerous.
  • Detection challenges: AI-powered attacks will require next-level defensive measures, and not everyone might be ready.
  • Over-reliance on AI: If you lean too heavily on agentic AI and it fails or is compromised, your team could be caught off guard.

The ugly: Unintended consequences and ethical quandaries

  • Collateral damage: Agentic AI might shut down a network segment due to suspicious activity, accidentally locking out legitimate users.
  • Ethical decision-making without humans: If the AI can act without asking first, who is responsible if something goes wrong?
  • Escalation of the AI arms race: As defenders use agentic AI, so will attackers, leading to an endless cycle of one-upmanship.


Finding the right balance

We do not need to shy away from agentic AI just because it can introduce risks.

Instead, we should acknowledge these issues and work proactively to manage them. Clear guidelines, regular audits and strong human oversight can mitigate many of these problems.

Organisations should train their teams to understand how to guide and supervise these AI tools effectively.

20 other announcements at Ignite 2024


Beyond the agentic AI announcement, Microsoft rolled out a variety of other innovations at Ignite 2024.

While these topics may not be directly related to agentic AI, they paint a broader picture of Microsoft’s trajectory in AI, productivity, cloud computing and resilience.

  1. A live cybersecurity challenge where participants tested their skills against simulated zero-day attacks. This spotlighted the importance of proactive security and fast responses.
  2. A redesigned interface for Microsoft’s AI Copilot that makes AI tools more accessible and user-friendly.
  3. Enhanced automation features that let Copilot carry out specified commands. This cuts down on repetitive tasks and frees up time for more strategic work.
  4. Intelligent AI agents integrated into Microsoft 365 that help with scheduling, drafting emails and managing documents more efficiently.
  5. Specialised AI tools in SharePoint that assist with content organisation, permissions and site management.
  6. A platform that allows teams to build, train and deploy custom AI agents without heavy coding or AI expertise.
  7. Data-driven insights that help identify trends, patterns and opportunities for better decision-making.
  8. A cloud integration for Windows enabling seamless switching between physical desktops and cloud-based Windows environments.
  9. Measures to improve Windows system stability, reducing downtime and speeding up recovery from cyberattacks or failures.
  10. Localised Azure services placed close to regional data centres, improving latency and helping meet compliance requirements.
  11. Security modules built into Azure’s infrastructure for stronger encryption and key management.
  12. A dedicated data processing unit designed to accelerate network and security workloads in the cloud.
  13. Integration of NVIDIA’s advanced AI accelerators with Azure to handle more complex machine learning tasks.
  14. High-performance Azure computing instances that deliver increased processing power for demanding workloads.
  15. A new way to manage and analyse large-scale databases within Microsoft’s Fabric ecosystem, helping teams gain insights faster.
  16. A platform for building, refining and scaling AI models in a single environment, reducing complexity and accelerating innovation.
  17. Tools that let organisations tweak and refine AI models to meet their unique needs.
  18. A service to simplify the deployment and management of AI agents, making it easier to roll out intelligent solutions.
  19. Built-in analytics that measure AI agent performance, highlighting strengths and areas for improvement.
  20. A partnership aimed at bringing quantum computing capabilities into the Azure cloud to tackle problems that traditional computers struggle to solve.

Wrapping up

Chairman and CEO Satya Nadella speaks at Microsoft Ignite 2024. (Photo by Dan DeLong)

Microsoft’s reveal of agentic AI at Ignite 2024 is not just another AI story.

It signals a big shift in how we defend our digital worlds. At CloudGuard, we think it is crucial to understand what this technology can do and what it means for ethics, responsibility and the future of cybersecurity.

The technology offers game-changing capabilities. It can speed up threat responses and adapt on the fly. Yet it introduces new challenges and moral dilemmas.

The role of security professionals will not vanish. Instead, it will evolve into something more strategic and values-driven. By staying informed and engaged, we can shape a future that leverages agentic AI’s potential without losing sight of what matters most: trust, accountability and good old-fashioned human judgment.

Final thought

How would you integrate agentic AI into your organisation’s cybersecurity strategy while making sure you maintain responsibility and strong ethical oversight?

Cybersecurity automation: solutions to your team’s biggest objections
https://cloudguard.ai/resources/cybersecurity-automation-objections/
Tue, 21 Jan 2025 14:52:56 +0000

Cybersecurity automation is one of the most powerful tools in modern cybersecurity. It’s capable of improving both the speed and accuracy of threat detection and response.

But as with any transformative technology, adopting automation in security operations can cause scepticism and raise questions.

From concerns about job displacement to fears of making the wrong configuration decisions, many organisations hesitate before fully committing to automated solutions. If you’re struggling with these concerns, you’re not alone.

Let’s walk through some common objections about automation with automation experts Yakub Desai (CloudGuard) and Sean Tickle (Littlefish).

They’ll show you how with the right approach, automation can enhance both the efficiency and effectiveness of your security operations.

Objection #1: Automation leads to complacency

One common worry is that automation could lead to complacency, especially if it creates a layer of “invisible” issues. The concern is that automation handling false positives might mask underlying detection issues, giving a false sense of security.

Counterpoint:

Automation isn’t a “set-and-forget” solution. For it to be truly effective, security teams must prioritise continuous tuning and regularly review detection rules.

Automation should complement human oversight, not replace it. This means teams stay actively involved in ensuring alerts remain accurate and relevant. Yakub said:

Automation without tuning can breed complacency, covering up inefficiencies instead of addressing them.

What we recommend:

  1. Set up regular review cycles where your security team evaluates automated processes.
  2. Consider implementing quarterly reviews of automation effectiveness with key stakeholders in your security team to keep detection rules optimised and ensure automation is always working for you.

Objection #2: Cybersecurity automation will replace jobs

Another worry is that automation might eliminate roles, particularly for Tier 1 analysts, creating anxiety about potential job loss. People fear that automation will take over entry-level tasks, potentially making some roles redundant.

Counterpoint:

The purpose of automation is to empower analysts, not replace them.

Allowing automation to handle repetitive tasks frees up valuable time for analysts. 71% of analysts face some type of burnout, and this is usually due to repetitive tasks.

Working with automation they can engage in higher-level work that requires critical thinking, creativity and strategic development. This shift enables security teams to become more efficient while also allowing analysts to grow their skills.


Rather than eliminating jobs, automation opens new avenues for career growth by enabling teams to focus on the tasks that add the most value, like investigating complex threats or learning new techniques. Sean said:

We’re not cutting headcount, we’re giving our analysts room to grow and become more skilled. They’re no longer bogged down by menial work; they’re mentoring, learning and making real impact.

What we recommend:

  1. Invest in continuous training for your team to ensure they are prepared for the higher-level tasks automation will enable them to focus on.
  2. Encourage your analysts to develop new skills in areas like incident response, threat hunting, or data analysis. It’s more than likely they want to grow and move into more impactful positions.

Objection #3: Over-automation can create inefficiency

When automation is applied indiscriminately, there’s a risk of over-automation. This could lead to inefficiency, where processes are automated without addressing root causes, creating more issues than it solves.

Counterpoint:

For automation to be successful, it should be closely coupled with process improvement. Automation should be applied thoughtfully and selectively, with a focus on streamlining and optimising workflows.

After automating a task, make sure to periodically go back, evaluate and rework the process to ensure it is productive and effective.

This approach not only makes the process more efficient but also helps the automation itself run smoother, solving problems from the ground up.


For example, at CloudGuard, the cost optimisation layer of our PROTECT service ensures that your automation efforts are both effective and efficient.

We carefully select the data ingested into Microsoft Sentinel to reduce unnecessary data and associated costs. This makes automation more targeted and resource efficient.

When calculating ROI, you can factor in not only the cost savings from automation but also the reduced risk of costly security breaches and the increase in operational uptime.

Streamlining workflows and reducing unnecessary data ingestion allows organisations to see measurable improvements in both efficiency and security posture, ultimately translating into a stronger return on investment.

What we recommend:

  1. Before automating any process, perform a thorough assessment of the existing workflow to identify pain points.
  2. Start with automating low-risk tasks first to establish quick wins. Once those processes are running smoothly, revisit and refine more complex workflows. Yakub said:

It might seem like you’ve spent a day automating something that only takes someone 5 minutes to do. But then you’ve saved 5 minutes every single time that process is used, and that’s a huge saving.

Objection #4: Cybersecurity automation could decrease alert visibility

There’s concern that by automatically handling certain alerts, automation might hide important warnings or misclassify significant threats, leading to missed incidents.

Counterpoint:

When configured well, automation can improve visibility by prioritising alerts and reducing noise. Rather than masking critical issues, automation can help security teams focus on the most pressing threats.

Remember, a typical SOC receives around 4,484 alerts daily, and these are usually low priority or repetitive tasks.

Automation can take care of false positives and manage lower-priority tasks. This ensures that urgent alerts rise to the top, so your analysts don’t waste time on routine issues. Yakub said:

Automation should help us reduce the noise, not mask it. It’s there to support us, not to hide the inefficiencies.

What we recommend:

  1. To improve alert visibility, configure your automation system to prioritise high-severity alerts and ensure false positives are filtered out.
  2. Implement tiered alerting where the most pressing incidents are flagged for immediate action, while lower-priority events are reviewed in a secondary round.
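The tiered alerting recommended here, and the tuning review from objection #1, can be combined in one small triage step. The Python below is an added example, not CloudGuard’s or Littlefish’s code: known false positives are suppressed but every suppression is counted per rule, the remaining alerts are split into an immediate queue and a secondary-review queue by severity, and any rule whose alerts are mostly being suppressed is flagged for tuning rather than left hidden behind the suppression list. The alerts, hostnames, scanner address and false-positive patterns are all constructed.

```python
"""Tiered alert triage with a suppression audit trail (constructed data)."""
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    id: str
    severity: str   # one of SEVERITY_RANK
    rule: str       # detection rule that fired
    host: str
    detail: str


# Known false positives: (rule name, substring that identifies the benign case).
# Constructed for this example; the backup agent and scanner IP are made up.
FALSE_POSITIVE_PATTERNS = [
    ("suspicious_powershell", r"C:\Program Files\Vendor\backup-agent.ps1"),
    ("port_scan", "src=10.0.9.5"),  # the authorised vulnerability scanner
]

# Constructed alert batch, as a SOC might receive it from the SIEM.
SAMPLE_ALERTS = [
    Alert("A1", "high", "suspicious_powershell", "ws-01", "powershell.exe spawned by outlook.exe"),
    Alert("A2", "low", "suspicious_powershell", "ws-02", r"scheduled task C:\Program Files\Vendor\backup-agent.ps1"),
    Alert("A3", "medium", "port_scan", "fw-edge", "src=10.0.9.5 dst=10.0.1.0/24 ports=1024"),
    Alert("A4", "medium", "port_scan", "fw-edge", "src=10.0.4.22 dst=10.0.1.0/24 ports=980"),
    Alert("A5", "critical", "ransomware_indicator", "srv-05", "mass rename to .locked extension"),
    Alert("A6", "low", "failed_logins", "ws-03", "12 failed logins for jdoe in 5 minutes"),
    Alert("A7", "low", "suspicious_powershell", "ws-04", r"scheduled task C:\Program Files\Vendor\backup-agent.ps1"),
]


@dataclass
class TriageResult:
    immediate: list = field(default_factory=list)   # flagged for action now
    secondary: list = field(default_factory=list)   # reviewed in the next pass
    suppressed: list = field(default_factory=list)  # matched a known false positive
    fired: Counter = field(default_factory=Counter)              # alerts per rule
    suppressed_by_rule: Counter = field(default_factory=Counter)  # suppressions per rule


def is_known_false_positive(alert, patterns):
    return any(alert.rule == rule and marker in alert.detail for rule, marker in patterns)


def triage(alerts, patterns=FALSE_POSITIVE_PATTERNS, immediate_from="high"):
    """Suppress known false positives, then split the rest into two tiers.

    Every suppression is counted so the review cycle can see what is hidden."""
    result = TriageResult()
    cutoff = SEVERITY_RANK[immediate_from]
    for alert in alerts:
        result.fired[alert.rule] += 1
        if is_known_false_positive(alert, patterns):
            result.suppressed.append(alert)
            result.suppressed_by_rule[alert.rule] += 1
        elif SEVERITY_RANK[alert.severity] >= cutoff:
            result.immediate.append(alert)
        else:
            result.secondary.append(alert)
    # Most severe first within each queue.
    for queue in (result.immediate, result.secondary):
        queue.sort(key=lambda a: SEVERITY_RANK[a.severity], reverse=True)
    return result


def rules_needing_tuning(result, max_suppression_ratio=0.5):
    """Rules where suppression is doing most of the work.

    If more than max_suppression_ratio of a rule's alerts are being thrown away
    as false positives, the rule itself should be tuned rather than hidden
    behind an ever-growing suppression list."""
    flagged = {}
    for rule, total in result.fired.items():
        ratio = result.suppressed_by_rule[rule] / total
        if ratio > max_suppression_ratio:
            flagged[rule] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    r = triage(SAMPLE_ALERTS)
    print("Immediate:", [a.id for a in r.immediate])
    print("Secondary:", [a.id for a in r.secondary])
    print("Suppressed:", [a.id for a in r.suppressed])
    print("Rules needing tuning:", rules_needing_tuning(r))
```

The `rules_needing_tuning` output is the list to bring to the quarterly review: a rule that is suppressed two times out of three is telling you the detection logic, not the suppression list, is what needs work.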

Objection #5: Automated attacks are increasing, how can we keep up?

Attackers are increasingly using automation for fast, sophisticated attacks, and defenders worry they’re constantly playing catch-up.

Counterpoint:

The only effective way to combat automated attacks is with better defensive automation.

Implementing intelligent automation ensures cybersecurity teams can respond as quickly as attackers. Automated defences can adapt to new threats faster than manual processes ever could.

When automation is proactive and designed to evolve alongside emerging threats, it keeps security teams one step ahead, empowering them to adapt to new vulnerabilities and attack techniques. Sean said:

It’s about making our analysts quicker and more effective, letting automation handle the heavy lifting so they can make strategic decisions.

What we recommend:

  1. To keep pace with automated threats, implement proactive threat hunting as part of your automation strategy.
  2. Use machine learning to identify emerging patterns in attack behaviour, allowing your team to respond faster than ever.
  3. Pair automated detection with manual investigation, allowing your analysts to focus on the most complex threats while your automation system handles the repetitive tasks.

Objection #6: AI will make attacks more sophisticated

With the rise of generative AI, attackers are using this technology to craft more sophisticated phishing attacks and other complex threats that bypass traditional defences.

You’re not alone in thinking this. A recent study by Kaspersky showed that three quarters of those responsible for managing their business’s cybersecurity are concerned about AI-amplified cyber attacks.

Counterpoint:

Attackers use AI to their advantage, but defenders can use generative AI for good too. Security teams can use AI to analyse behaviour, classify incidents more precisely and provide comprehensive context for alerts.

AI can efficiently process large amounts of data, identifying patterns and subtle indicators of compromise that may otherwise go unnoticed.

Security teams can match the sophistication of AI-driven attacks, increasing the efficiency and accuracy of their response. Yakub said:

We’re not just reacting anymore, we’re predicting and preparing. That’s the real power of AI on the defence side.

What we recommend:

To stay ahead of AI-powered threats, make sure your automation solution integrates advanced AI capabilities for real-time threat detection.

Use automation to analyse large datasets and identify subtle signs of compromise that traditional methods might miss. Regularly update your AI models with the latest threat intelligence to ensure they remain accurate in detecting evolving threats.

Threat intelligence feeds like Recorded Future make this easy.

Final Thoughts

It’s a no-brainer that businesses should start experimenting with automation today. It helps take care of repetitive tasks, giving your team more time to focus on more strategic activities.

Remember, automation should be used to strengthen and complement human capabilities, not replace them.

It’s important for teams to address these common objections head-on and approach automation with a growth mindset. Why? So that security teams can achieve more effective, proactive defences, ensuring they stay agile and ready for evolving threats.

Can I get an encore?

Do you want more? If you enjoyed reading this, be sure to listen to the full conversation on cybersecurity automation with Yakub and Sean.

A practical guide to CAF for local government assessments
https://cloudguard.ai/resources/caf-for-local-government-guide/
Mon, 06 Jan 2025 16:20:57 +0000

I’ve spoken to countless organisations about how overwhelming cybersecurity can feel. So, you’re not alone if you’re feeling this way.

As an IT leader in local government, you already have a lot on your plate. The added pressure of CAF for local government might seem like just another challenge to add to the list.

But here’s the good news. You don’t have to tackle it alone and it doesn’t have to be as daunting as it might first seem.

The NCSC’s Cyber Assessment Framework (CAF) provides a structured approach to improving your local gov’s cybersecurity.


But understanding the “what” is only the start. It’s the “how” that often leaves you feeling overwhelmed.

Let’s walk through the four objectives of CAF for local government. Together, we’ll tackle the challenges you’re facing and create a practical roadmap for you to start making progress today.

The goal? To help you feel less overwhelmed and more confident as you take on the journey to CAF compliance.

So, what is the Cyber Assessment Framework (CAF)?

The Cyber Assessment Framework (CAF) was created by the National Cyber Security Centre (NCSC). You might hear this being referred to as ‘pure CAF’ or ‘vanilla CAF’ as it’s the original source.

The Ministry of Housing, Communities and Local Government (MHCLG) Local Digital team took this and created an overlay called ‘CAF for local government’. It’s designed to provide a clear cybersecurity standard for the sector.

Because the CAF takes a whole-organisation approach to cybersecurity, you can gain a better understanding of your council’s cyber resilience and how it compares to the targets for local government.

The CAF for local government is voluntary at the moment. However, it will most likely become mandatory in 2025 and beyond. The Government Cyber Security Strategy makes it clear that the CAF is the future, so it’s best to get ahead of the game.

The CAF for local government is designed to focus on outcomes rather than just ticking boxes. It’s about what you need to achieve, not prescribing exactly how you get there.

Here’s how the CAF is structured:

Diagram showing the relationship between the four objectives and 14 principles of the Cyber Assessment Framework (CAF)

  • The four high-level objectives (A-D)
    • 14 principles, grouped under the objectives, set the overall direction
      • 39 contributing outcomes – a detailed list that shows what “good” looks like in practice
        • Indicators of Good Practice (IGPs) – that rate each outcome as either ‘not achieved’, ‘partially achieved’, or ‘achieved’ based on the statements provided

When you assess your organisation with the CAF, you’ll evaluate each contributing outcome against the IGPs – this will help you determine where you stand against the principles and objectives. We’ll break those down a bit later on.

A quick word on CAF profiles

I must stress that you are NOT required to rate all 39 contributing outcomes as ‘achieved’ to successfully complete the CAF. That would involve a massive undertaking that would consume all of your time, energy and resources.

CAF profiles essentially tell you which outcomes need to be ‘achieved’, ‘partially achieved’ or ‘not achieved’ for your sector.

The CAF for local government profile is under development at the moment and I will update you when it’s available.
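The hierarchy and the profile idea above can be modelled as data, which makes the gap between your self-assessment and a profile explicit. This is an added example, not part of the guide or any Local Digital tooling: the outcome references and names are from the NCSC CAF, while the profile targets and the council’s ratings are constructed samples (the local government profile itself is not yet published).

```python
"""Compare CAF contributing-outcome ratings against a CAF profile.

Added example, not from the guide. Outcome references follow the NCSC CAF
(objective A-D, principle A1..D2, contributing outcome A1.a ...). The
profile targets and the self-assessment ratings are constructed samples.
"""
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    """The three levels the IGPs can give a contributing outcome."""
    NOT_ACHIEVED = 0
    PARTIALLY_ACHIEVED = 1
    ACHIEVED = 2


@dataclass(frozen=True)
class Outcome:
    ref: str    # e.g. "A1.a"
    name: str

    @property
    def objective(self) -> str:
        return self.ref[0]               # "A".."D"

    @property
    def principle(self) -> str:
        return self.ref.split(".")[0]    # "A1".."D2"


# A subset of the 39 contributing outcomes (names as in the NCSC CAF).
OUTCOMES = [
    Outcome("A1.a", "Board direction"),
    Outcome("A2.a", "Risk management process"),
    Outcome("A4.a", "Supply chain"),
    Outcome("B2.c", "Privileged user management"),
    Outcome("B5.c", "Backups"),
    Outcome("C1.a", "Monitoring coverage"),
    Outcome("D1.c", "Testing and exercising"),
]

# Constructed profile: the level each outcome must reach (not the real one).
PROFILE = {
    "A1.a": Rating.ACHIEVED, "A2.a": Rating.ACHIEVED,
    "A4.a": Rating.PARTIALLY_ACHIEVED, "B2.c": Rating.ACHIEVED,
    "B5.c": Rating.ACHIEVED, "C1.a": Rating.PARTIALLY_ACHIEVED,
    "D1.c": Rating.PARTIALLY_ACHIEVED,
}

# Constructed self-assessment ratings for a fictional council.
SELF_ASSESSMENT = {
    "A1.a": Rating.ACHIEVED, "A2.a": Rating.PARTIALLY_ACHIEVED,
    "A4.a": Rating.NOT_ACHIEVED, "B2.c": Rating.NOT_ACHIEVED,
    "B5.c": Rating.ACHIEVED, "C1.a": Rating.PARTIALLY_ACHIEVED,
    "D1.c": Rating.NOT_ACHIEVED,
}


def gap_analysis(ratings, profile):
    """Return {outcome ref: levels short of the profile target}.

    Rating above the target is not a gap. An outcome missing from the
    ratings counts as NOT_ACHIEVED, so nothing unassessed slips through.
    """
    gaps = {}
    for ref, target in profile.items():
        actual = ratings.get(ref, Rating.NOT_ACHIEVED)
        if actual < target:
            gaps[ref] = int(target) - int(actual)
    return gaps


def gaps_by_objective(gaps, outcomes=OUTCOMES):
    """Group shortfalls under objectives A-D, matching the two self-assessment
    groups (organisation: A and D; critical systems: B and C)."""
    by_ref = {o.ref: o for o in outcomes}
    grouped = {"A": [], "B": [], "C": [], "D": []}
    for ref in sorted(gaps):
        grouped[by_ref[ref].objective].append(ref)
    return grouped


def meets_profile(ratings, profile) -> bool:
    return not gap_analysis(ratings, profile)


if __name__ == "__main__":
    gaps = gap_analysis(SELF_ASSESSMENT, PROFILE)
    for ref, short in gaps.items():
        print(f"{ref}: {short} level(s) below profile target")
    print(gaps_by_objective(gaps))
```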

Don’t start just yet

My advice? Take time to understand the CAF and its objectives before starting any form of self-assessment.

You also need to understand the scope of the assessment, define your organisational context and identify:

  • Key roles and responsibilities for the assessment
  • Essential services
  • Critical systems

Let’s begin by exploring what CAF’s four objectives mean for you in more detail.

The four objectives of CAF. Let’s break them down

When it comes to cybersecurity, the CAF for local government is all about building resilience.

To make things a bit easier, Local Digital has split the four CAF objectives into two self-assessment groups.

  • Group 1: Self-assessment of your organisation (objectives A and D)
  • Group 2: Self-assessment of your critical systems (objectives B and C)

Think of it as a roadmap for tackling security from both an organisational level and a critical systems level.

Illustration showing how the NCSC CAF objectives compare to the MHCLG CAF for local government objectives

Here’s how it breaks down.

Self-assessment of your organisation

1. Managing security risk (objective A)

A table showing the principles and contributing outcomes in Objective A of the Cyber Assessment Framework

This is the foundation.

Managing risks starts with having the right structures, policies and processes in place to understand and address potential threats.

Ask yourself:

  • Do we have clear governance for how we approach cybersecurity?
  • Are we actively identifying, assessing and prioritising risks to essential systems?
  • Do we understand which systems and services are critical to our operations?
  • Are we managing risks introduced by external suppliers?

If this feels overwhelming, don’t worry. You don’t need to tackle everything at once. Focus on your most critical systems first, and build out from there.

2. Minimising the impact of cyber security incidents (objective D)

A table showing the principles and contributing outcomes in Objective D of the Cyber Assessment Framework

This one’s about being prepared.

Let’s be honest here. No system is 100% foolproof. So, the question is, how ready are you to respond if something goes wrong?

This objective is all about resilience:

  • Do you have an incident response plan that covers containment, mitigation, and recovery?
  • Are you learning from past incidents to make your organisation stronger?

Jon McGinty, Managing Director at Gloucester City Council, explains how they managed a cyber attack in 2021. McGinty said:

Prepare as best you can to defend, protect and reduce your risk, but make sure you prepare and practice for the near certainty that this will happen to you and your organisation at some point in the future

Start small. Outline who’s responsible for what and run regular practice exercises. The goal is to be able to bounce back quickly while keeping essential services running.

Self-assessment of your critical systems

3. Protecting against cyber attacks (objective B)

A table showing the principles and contributing outcomes in Objective B of the Cyber Assessment Framework

Now, let’s look at your defences.

This objective asks if you have proportionate security measures in place to protect your critical systems.

Think about:

  • Are there clear policies for securing systems and data?
  • Is access to critical systems tightly controlled?
  • Are sensitive data and critical systems protected from known threats?
  • Do your networks have the resilience to stand up to an attack?
  • Are staff trained and aware of their role in maintaining security?

You don’t need to have everything perfect. Every step you take strengthens your security posture.

4. Detecting cyber security events (objective C)

A table showing the principles and contributing outcomes in Objective C of the Cyber Assessment Framework

Finally, let’s talk detection.

It’s not just about building strong walls. It’s also about knowing when someone’s trying to climb over them.

This objective focuses on whether your organisation can detect threats effectively. You should be asking:

  • Are you monitoring your systems for unusual activity?
  • Do you have tools in place to proactively discover vulnerabilities or breaches?

Even basic detection capabilities can make a huge difference. The key is acting quickly before issues escalate.

Feedback from the ‘Future Councils’ CAF pilot

In September 2022, the UK government’s Local Digital team began a CAF pilot with 30 UK councils to explore how it could be used to help assess and manage cyber risks across local government.

Responding as part of the 2022 pilot, one council IT leader said:

We’re used to doing technical assessments, but this is more than that, and already it’s made us look at an area we had been ignoring.

This shows that CAF isn’t about perfection. It’s about continuous improvement. Another said:

It certainly highlighted some things that do need to be fixed and some things we’re doing alright on – it’s a good exercise!

It’s flexible enough to suit your organisation’s specific needs while giving you a clear structure to follow. However, there needs to be engagement from leaders outside of the IT team for this to be effective. As one council pointed out:

There is a base level understanding at board level, but in order to achieve certain areas of the CAF, we would need to have a wider understanding of cyber.

Setting the scope for your CAF assessment

Defining the scope for your CAF self-assessment is where things start to get real.

The challenge here? Striking the right balance between being thorough and keeping things manageable. If you scope too wide, you risk overwhelming your team. Scope too narrow, and you might miss critical vulnerabilities.

Why scoping matters in CAF for local government

Getting your scope right sets the foundation for everything else. It helps you understand your organisational context, including your mission, priorities and risk appetite.

Without a well-defined scope, your CAF assessment risks being unfocused and less effective.

flow chart showing the steps to follow for scoping during CAF for local government assessment

How to approach scoping

  1. Start with your council’s mission
    Think about what your council is here to do: its key priorities and the services that matter most to your community. These will guide your decisions about what to include.
  2. Map out your essential services
    Identify the services that your council simply cannot do without. These are the ones that directly support your priorities and ensure your council’s objectives are met.
  3. Pinpoint your critical systems
    Once you’ve identified your essential services, the next step is figuring out the systems that keep them running. Use tools like the five-lens approach to prioritise which systems are critical for your assessment.
  4. Document everything
    Use the CAF scoping workbook to record your decisions. This will be your single source of truth throughout the process. It’s essential for keeping everyone aligned.
  5. Collaborate widely
    Scoping isn’t a job for one person. Bring in service leads, business system owners, IT and cyber security teams and other relevant stakeholders. Consider running workshops to get input from across the organisation.

The time investment

Plan to spend around 30–35 hours on this step. It’s time well spent. Proper scoping ensures you focus your efforts on the right areas later in the assessment.

Once your scoping workbook is complete, get it reviewed by your independent assurer and CAF approver. Their feedback will help you ensure nothing’s been missed and that your scope is robust.

Tip: Don’t rush this stage. A well-defined scope will make the rest of the process smoother and more focused.

Identifying your essential services for CAF

Defining your council’s essential services is one of the first steps in your CAF self-assessment.

A big challenge councils face is getting everyone on the same page. Each team has its own view of what’s “essential,” and those priorities don’t always align.

So, how do you make this work? Start by acknowledging that everyone’s perspective is valid. To move forward, you need a clear process and collaboration. Here’s how you can tackle it.


Getting everyone to agree on essentials

The housing team might say their tenant systems are essential, while IT focuses on keeping the network online. Both are right. But how do you prioritise?

Host a workshop or meeting with key stakeholders from different departments. Use this time to talk through each service’s importance and the potential impact if it were unavailable.

Frame the discussion around shared goals, i.e. how the council serves residents and stays resilient.

Spotting the hidden connections

Another big hurdle is uncovering dependencies.

It’s easy to focus on the service itself and forget what it relies on. For instance, your benefits system might be critical, but it won’t function without specific IT infrastructure or third-party support.

Work with someone who knows your systems inside out. Reach out to someone like an IT architect or systems mapper. They can help you untangle these connections and show everyone the bigger picture.

A visual map of dependencies can be a game-changer here.

What you’ll get out of this

By the end of this process, you’ll have a shortlist of truly essential services that everyone agrees on. These are the ones that:

  • Residents can’t do without.
  • Keep people safe or meet legal obligations.
  • Would cause major disruption if they failed.

Document this list and make sure everyone’s signed off on it.

This isn’t just for the CAF. It’s the foundation for protecting what really matters in your council.

Remember, it’s not about whose service is “most important.” It’s about making decisions together to protect the council’s ability to deliver for residents.

With the right tools and approach, you can make this a collaborative success.

Identifying your critical systems

After defining your essential services, the next step is identifying potential critical systems for your CAF for local government self-assessment.

Critical systems are the network and information systems that your essential services depend on. These are the systems most important to protect, as their compromise could lead to severe financial, legal, reputational or safety consequences for your organisation.

I know I mentioned this already, but use a framework like the Five Lens Model. It gives you an impartial way to evaluate services, so discussions don’t turn into debates.

Illustration showing how to apply lens 5 (site/locations): identifying the relevant sites for the essential service. In this example, the sites for Revs and Bens are: on-premises in DC1, with DC2 as secondary; third-party hosting on Azure; AWS hosting.

The challenge with identifying critical systems

Identifying critical systems can feel like a minefield. Especially when faced with numerous systems and limited resources.

How do you choose which ones are truly critical? And how do you ensure the process is thorough without consuming excessive time?

How to address this challenge

By following a structured approach and collaborating effectively, you can make informed decisions without unnecessary complexity. Here’s how:

1. Identify critical systems

Start by listing systems that underpin your council’s essential services. These could include systems hosted on-premises, in the cloud or by third-party providers.

Examples of critical systems include:

  • Social care systems
  • Revenue and benefits systems
  • Electoral systems
  • Active Directory or Azure AD for authentication and access control
  • Corporate systems like Microsoft Office 365

The challenge here is recognising dependencies that might not be immediately obvious. Work with technical experts and system owners to avoid overlooking anything.

2. Document critical systems

Update your CAF scoping workbook with the following details for each identified critical system:

  • System name
  • Essential service it supports
  • Core IT infrastructure (e.g., network or cloud provider)
  • Breakdown of backend systems/applications (if applicable)
  • Decision on whether the system is in scope for assessment

This step requires attention to detail but a collaborative effort can lighten the load.

Consider using shared tools like Excel or project management software to keep everyone aligned.

3. Prioritise critical systems

Illustration showing a four-quadrant grid. X-axis is likelihood of compromise (low to high). Y-axis is impact severity (low to high)

During scoping, aim to identify and prioritise three critical systems that you may decide to take forward for self-assessment.

These should be the systems that, if disrupted, would have the most significant impact on your council’s ability to deliver essential services.

Prioritisation often sparks debate. Encourage team discussions to ensure diverse perspectives are considered.

Use criteria like impact severity and likelihood of compromise to guide decisions.

Addressing commercial and shared services challenges

Critical systems hosted externally by third-party providers or shared services can introduce complexity.

How do you ensure security measures meet your needs? Clear contracts defining responsibilities for security controls are essential.

Work closely with procurement and legal teams to verify compliance.

Next steps

After identifying and documenting critical systems, review and finalise the shortlist as a team.

Ensure all decisions are captured in your scoping workbook before submitting it for review. By working collaboratively and systematically, you can overcome challenges and ensure your council’s critical systems are accurately identified and prioritised.

Getting the right people involved

Getting the right people involved in your CAF for local government self-assessment can feel like herding cats.

Everyone is busy and some may not immediately see how their role fits into the process. That’s why it’s important to plan carefully and make collaboration as smooth as possible.

Start by defining the core roles

illustration showing the five roles required for a caf for local government assessment - CAF lead, approver, collaborators, Systems Mappers and Quality Assurers

There are a few key roles you’ll need to fill for the CAF for local government process:

  • CAF Lead: The person who takes charge of coordinating everything. Ideally, this should be someone with a good understanding of cybersecurity and local government systems. They’ll need to dedicate a significant amount of time (around 100 hours), so make sure they have the capacity to focus.
  • Approver: A senior leader who can advocate for the CAF at the board level and take accountability for the final submission. This might be your CIO or Head of ICT. Their involvement (about 25 hours) is crucial for setting the right tone and priorities.
  • Collaborators: Specialists from across your council who contribute their expertise. These might include service leads, system owners, IT architects and procurement or risk managers. Their time commitments will vary depending on the stage, but they’ll often provide the detailed evidence and insights you need.
  • Systems Mapper: Someone with technical expertise who can map out your critical systems in detail. If you don’t have this role in-house, you might need to seek external support.
  • Quality Assurer: Someone to double-check that your assessment is accurate and complete before submission. This role could be taken on by the CAF lead or a senior IT professional.

The challenges of getting everyone on board

One of the biggest hurdles in this process is making time for people who are already juggling other responsibilities.

It’s not just about asking for their help. It’s about making it as easy as possible for them to contribute.

Here are some common challenges you might face:

  • Limited Availability: People are busy, and finding time for workshops or meetings can be tricky.
  • Unclear Roles: Without clear expectations, team members might not know what they’re supposed to do.
  • Competing Priorities: Some collaborators might not see the CAF for local government as a priority compared to their other work.

Solutions for better collaboration

To stay on track with your team, start by planning ahead.

Once you know who you need, check their availability and book meetings or workshops early. Make sure everyone understands how their role supports the bigger goal. When they see the value, they’ll engage more.

Break the process into manageable steps, starting with a scoping session to agree on priorities and assign clear follow-up actions.

Use collaboration tools like Teams or Slack to keep communication easy and transparent.

Lastly, keep in touch regularly with quick check-ins, whether through email or a short call. This should help you spot any blockers early and keep things moving smoothly.

Navigating time pressures

Let’s talk about the elephant in the room: time.

Completing the CAF for local government is a big commitment. It could take around 220 hours to complete. If you’re like most councils, you’re already juggling a mountain of competing priorities. Time is tight, but here’s the good news: it’s doable, especially if you know where the pitfalls are and how to avoid them.

table showing estimates for how long each stage of the caf for local government assessment will take in hours

Finding time when there’s none to spare

Balancing day-to-day operations with a detailed assessment process isn’t easy.

You’re looking at anywhere from 45 to 60 hours for some stages. Not counting the time it takes to coordinate meetings, chase down information or handle last-minute surprises. Here’s an example CAF schedule you can use to map out timings and activities that can be done simultaneously.

For councils with smaller teams or stretched resources, that can feel overwhelming.

And let’s not forget the added complexity if you have limited access to key stakeholders. Getting everyone in the same room (or even on the same Teams call) can be an uphill battle.

Plan, prioritise and stay flexible

Illustration showing how to plan and prioritise for CAF for local government

Here’s how you can take the pressure off:

  1. Break it down

Instead of treating the CAF for local government as one massive task, divide it into smaller, manageable stages. Focus on the tasks you can complete now, like preparing for the CAF and setting the scope. Save more time-intensive tasks, like mapping critical systems, for later when additional guidance becomes available.

  2. Make use of downtime

Use quiet periods in your council’s schedule to tackle bigger chunks of work. For example, align your efforts with times when major projects or audits are wrapping up.

  3. Prioritise collaboration early

The quicker you can identify your key players and book collaboration sessions, the smoother the process will be. Scheduling recurring check-ins or progress updates can also help you stay on track without scrambling for time later.

  4. Stay realistic about timelines

If you’re stretched thin, be honest about what’s achievable. It’s better to do fewer stages thoroughly than rush through and miss critical details. The CAF for local government is designed to be flexible. Use that to your advantage.

Addressing the pressure points

What if a stage is taking longer than expected?

Don’t panic. Break the stage into even smaller tasks and focus on clearing bottlenecks one by one. For example, if mapping systems feels like it’s dragging, assign subtasks like gathering data or creating diagrams to specific team members.

What if you’re falling behind schedule?

Reassess your priorities and adjust where needed. Consider shifting non-urgent council tasks or seeking temporary support – whether that’s internal reallocations or external expertise.

Remember the bigger picture

Yes, the CAF takes time, but think of it as an investment in your council’s resilience.

The effort you put in now could prevent far greater disruptions down the line. Start by tackling what you can with the resources available and keep communicating with your team about progress and roadblocks.

Remember, it’s not about completing everything perfectly in one go. It’s about building a strong foundation, one step at a time.

What’s next?

The CAF for local government is designed to be flexible and outcomes-focused.

By breaking it into two self-assessments, one for your organisation, the other for your critical systems, you can involve the right collaborators and focus your efforts where they’ll have the biggest impact.

Take it step by step. Remember to:

  1. Start with the basics.
  2. Assess your gaps.
  3. Prioritise your critical systems.

Remember, this isn’t about perfection.

It’s about progress. With a solid plan and consistent effort, you’ll build a stronger, more resilient organisation.
