A public sector organization worked with Intarmour to build a scalable, auditable cybersecurity framework in just 90 days—meeting NIS2 requirements and transforming how leadership approached risk and accountability.
The Challenge
When NIS2 became applicable to this public service provider, the stakes shifted — fast.
The organization delivered essential digital services across departments, but operated without centralized governance. Cybersecurity was ad hoc, handled separately by different teams with no shared framework, no defined ownership, and no incident response protocol.
At the leadership level, cyber risk was still seen as an IT issue. There was no security officer, no documented policy set, and no visibility into third-party dependencies. With the new regulation approaching, executive urgency changed everything.
Building the Foundation
Transformation started with awareness — and alignment.
We facilitated a dedicated workshop for the leadership team, walking them through NIS2 requirements, responsibilities, and exposure points. This set the tone: compliance would not be a checklist, but a shared operational shift.
In the first two weeks, a security lead was appointed, escalation paths were clarified, and new policies were created — from access control to asset management. These were not downloaded templates, but living documents, built in dialogue with each department.
Risk Meets Reality
Visibility was the next step. And visibility requires honesty.
We conducted a detailed assessment of technical and procedural posture. This wasn’t a gap analysis for reporting — it was a real evaluation of system ownership, reporting workflows, and where the biggest vulnerabilities lay.
From there, we acted quickly. Access controls were tightened. MFA became standard. Backup and patch cycles were documented, tested, and improved. Vendor contracts were reviewed and updated to include security clauses — something that had never been done before.
Making It Sustainable
Compliance is not just about controls. It’s about culture.
We created an incident response plan that could be realistically executed — and tested it. Over 40 staff members across departments were trained in phishing detection, reporting flows, and the basics of data protection.
A communication campaign reinforced that cybersecurity is everyone’s responsibility. Meanwhile, behind the scenes, we introduced lightweight tools to generate logs and artifacts — audit-ready documentation that didn’t add friction to day-to-day work.
The Outcome
In 90 days, the posture changed — but more importantly, the mindset did.
Policies were in place. Documentation was complete. Controls were visible, active, and functioning. A third-party review confirmed compliance, with zero critical issues to address.
But beyond the audit result, the organization now had a way forward. Cybersecurity became a topic discussed in leadership meetings. Risk wasn’t buried in the backend — it was managed, monitored, and understood.