Case Study · 001

When the board asked,
"Are we secure?"

How a large UK national charity transformed cybersecurity into an independent leadership capability through stronger governance, technical assurance and better decision-making.

Client
Large UK National Charity
Sector
Children & Families
Organisation Size
~4,000 colleagues
Role
Fractional CISO
Duration
15 Months
01

The Situation

A large UK national charity — with responsibilities to children, families, funders and the public — sat at a familiar inflection point. The organisation had grown. Its dependence on technology had grown faster still. And yet cybersecurity, the discipline meant to hold the whole thing together, had never been given its own seat at the table.

Security lived inside IT. Reports were technical, fragmented and written in a language the board could not confidently read. When trustees asked, in the way trustees do, whether the charity was secure, the honest answer was that no one in the room could tell them.

There was no failure here. There was an absence — of independence, of governance, of a shared vocabulary. What the organisation needed was not another tool. It needed a way of thinking, and someone to hold the pen while it learned to write in that language for itself.

02

What Needed To Change

The first shift was the hardest, and the most important: cybersecurity had to become a leadership question before it could become anything else. Reporting lines needed to be redrawn. The board needed a language that did not require translation. And the executive team needed to see itself as the ultimate steward of digital trust — not a passive recipient of IT's reassurances.

The board did not need more dashboards. It needed one true sentence it could act on.

The technical estate needed the same honesty. Assumptions accumulated over years — about who had access, about which suppliers were trusted, about which controls actually worked — had to be gently examined and, where necessary, retired. Commercial arrangements needed the same care: the point was never to spend less, but to spend deliberately.

And, quietly running beneath all of this, an ambition the organisation could name only after the work had begun: to build a capability that would outlast the engagement. Independence, not dependency, was the real goal from the first day.

03

The Work

The work unfolded in four movements. Each depended on the others, and none of them could have carried the organisation alone.

01

Governance

Cybersecurity had been treated as a technical function reporting into IT. Its independence — from the systems it was meant to assure — needed to be re-established. Governance was rebuilt so that assurance could be trusted.

  • A dedicated risk and assurance forum, chaired independently of IT.
  • A clear escalation path from operations to executive to board.
  • A single, honest reporting page written for trustees, not technologists.
02

Technical Foundations

Beneath the governance work sat the quieter, harder task: making sure the technical environment could bear the weight of the assurances being given. Foundations were tested, then made deserving of trust.

  • Identity, access and privilege reduced to what the work actually required.
  • Detection and response capabilities matched to the threats that matter.
  • A tested plan for the days when something goes wrong — not if, but when.
03

Commercial Stewardship

Security spending had grown quietly, in the way it often does — a tool here, a licence there, a renewal accepted without question. A careful pass through the estate returned meaningful funds to the mission without weakening the posture.

  • Consolidation of overlapping tooling.
  • Renegotiation of commercial terms with existing suppliers.
  • Reallocation of budget to areas of genuine risk reduction.
04

Executive Leadership

Perhaps the most enduring work was the least visible. Executives were coached in the language, the questions and the judgement calls of cybersecurity — until they no longer needed a translator in the room.

  • Board briefings rehearsed and refined for clarity.
  • Tabletop exercises with the executive team, not the technical team.
  • A recruited, briefed and supported permanent security leader to carry the work forward.
04

Commercial Impact

The commercial outcomes were meaningful, but they are best understood not as a headline figure. Each category reflects a different kind of decision and a different accounting treatment. They are presented, therefore, separately.

Commercial Savings
£105k+
Annual Cost Avoidance
~£65k
Recruitment Efficiency
£13k
Capability
Strengthened

Financial categories are presented separately to reflect different accounting treatment and governance requirements.

05

The Outcome

The measure of the work is not what changed during the engagement, but what remained after it. Six outcomes carried forward, each of them the property of the organisation itself.

01

Independent Governance

Cybersecurity was lifted out of IT and given its own line of sight to the executive and the board — with defined ownership, defined cadence, and defined accountability.

02

Board-ready Reporting

A single, honest page replaced fragmented dashboards. Trustees could read it, question it, and act on it — without translation.

03

Risk Appetite

For the first time, the organisation could articulate what it was and was not willing to accept. Risk became a decision, not a document.

04

Supplier Assurance

Third-party risk moved from procurement paperwork to a live, evidenced view of the organisations trusted with the charity's data.

05

Executive Preparedness

Leaders rehearsed the decisions they would one day have to make under pressure — before they had to make them.

06

Permanent Capability

The engagement ended, the capability remained. A permanent function, resourced, briefed and confident to carry the work forward.

Client Reflection

"Thank you, Sandeep. We now know what mountain we're climbing. Before this, we didn't even know if we were climbing the right mountain."

Chief Operating Officer
Large UK National Charity
07

Reflection

I have come to believe that the most important work in cybersecurity is not technical. It is the slow, patient work of helping an organisation see itself clearly — its dependencies, its decisions, the assumptions it has been quietly living inside.

The technology matters. It always will. But the technology is only ever as trustworthy as the governance surrounding it, and the governance is only ever as honest as the leaders willing to look at what it reveals. When those three — leadership, governance and technical excellence — are held together, something quietly remarkable happens. The organisation stops asking whether it is secure, and starts asking better questions about what it wants to protect, and why.

That, in the end, was the real gift of this engagement. Not a programme, not a report, not a set of metrics. A different way of seeing.

08 · In Closing

Could this apply to your organisation?

If the questions in this case study feel familiar — a board asking for reassurance, a leadership team asking for clarity, a function asking for independence — there may be a conversation worth having.