From Awareness to Ownership: Our Cyber Journey Since 2023

In 2023, I wrote about how local government can lead the way in cyber security – drawing on Newark and Sherwood District Council’s early steps to transform our approach. That article for the British Computer Society (BCS) (Cyber security: what we can learn from local government) captured the start of our journey and the importance of collaboration across the sector.

Since then, the landscape has only become more challenging. Cyber threats are more sophisticated, more frequent, and more impactful across local government, with real-world incidents disrupting services and eroding public trust.

At NSDC, we’ve responded by moving from improvement to embedded maturity – recognising that cyber security is not just an ICT issue but a whole-organisation responsibility.

What did we change? (ownership, governance, culture)

Our biggest shift has been cultural.

Through the LGA Cyber360 programme, we gained independent, sector-led insight into our cyber maturity – helping us look beyond technology and focus on leadership, culture and organisational behaviour.

Key changes included:

  • Distributed ownership of cyber risk
    • Risk is no longer held centrally in ICT – operational cyber risk has been distributed to every service area.
    • Information Asset Owners (IAOs) and services now own their cyber risks and understand their responsibilities.
  • Stronger governance and leadership
    • Cyber is now a standing agenda item across governance forums including operational team meetings and directorates.
    • Senior leadership and political members are actively engaged in oversight and assurance, through our corporate information governance group and committees.
  • Clear accountability and visibility
    • Defined ownership across services.
    • Transparent reporting into Audit & Accounts Committee.
  • A shift to behaviour-led culture
    • Moving beyond policies and compliance to real-world behaviours.
    • Embedding cyber awareness into everyday decision-making.

This reflects a wider sector lesson – cyber resilience improves when it is treated as a business risk, not just a technical issue.

What did we embed? (projects, procurement, processes)

The real transformation has come from embedding cyber into how we operate – not treating it as a standalone programme.

We have embedded:

  • Cyber into project delivery and procurement
    • Security requirements built into every business case and procurement exercise.
    • Clear cyber assurance expectations for suppliers from the outset.
  • Stronger supplier and contract management
    • Increased scrutiny of third-party access and risk.
    • Ongoing assurance across the lifecycle of contracts – not just at onboarding.
  • Identity and access management improvements
    • Tighter controls over user access – using just-in-time access, controlled privilege elevation and access management tooling.
    • This gives us stronger management of privileged accounts.
  • Formalised vulnerability management and patching
    • Clear standards and accountability.
    • Regular scanning and prioritised remediation – including automated patch management tooling suited to our organisation’s needs.
  • A move to 24/7/365 cyber monitoring
    • Extended our in-hours and out-of-hours capability through a Security Operations Centre (SOC) with Maple Networks.
    • Ensuring continuous visibility and faster response to threats, aligned to the need for round-the-clock monitoring highlighted across the sector.
  • Investment in people and training
    • All staff trained through NCSC-aligned awareness programmes – previously known as Cyber Ninjas.
    • Ensuring cyber knowledge is accessible and relevant to non-technical colleagues – training videos to ensure everyone has read and understood our policies.

This has been about building cyber in – not bolting it on.

What did we test? (resilience, recovery, incidents)

Cyber resilience is only proven when tested.

Through engagement with MHCLG, sector partners, and real-life case studies of councils affected by cyber attacks, we recognised the importance of planning for impact – not just prevention.

We have strengthened:

  • Resilience and recovery capability
    • Regular testing of backups and restoration processes across multiple media types.
    • Increased assurance of disaster recovery arrangements – working with key partners Maple Networks and Centerprise.
  • Cyber incident exercising
    • Scenario-based exercises with senior leaders and services – run multiple times, with varying scenarios.
    • Using tools from the NCSC and sector “grab bag” approaches.
  • Capturing and embedding lessons learned
    • Every exercise and incident feeds back into improvements.
    • Continuous refinement of plans and processes.

This aligns with national learning: even with strong controls, incidents will happen and the ability to respond and recover quickly is critical.

Overall, this has been a journey – not a destination

If there’s one lesson from the past three years, it’s this:

Cyber security is not a fixed state – it’s a continuous journey.

Technology evolves. Threat actors adapt. Organisational complexity increases – especially as we move into Local Government Reorganisation and wider digital transformation.

The conversation shifted years ago from “if” to “when”.

And that changes everything.

  • It reinforces the need for constant vigilance
  • It demands shared responsibility across the organisation
  • It requires ongoing investment in people, process and technology

At NSDC, we’ve made significant progress but we must acknowledge the journey continues.

Because in today’s environment, cyber resilience isn’t just about protecting systems.

It’s about protecting services, communities, and trust.
