Global Insurance Giant

Global insurance giant strengthens security resilience across its digital estate

Unified governance, DevSecOps maturity and proactive risk management enabling safer, faster digital delivery.

The Challenge

As one of the world’s largest health and protection providers, the organisation was accelerating its digital transformation, but its security foundations had not kept pace. Security governance was fragmented, testing practices were inconsistent, and long-standing vulnerabilities lacked clear ownership or remediation pathways. Critical applications operated without full SOC visibility, leaving blind spots in monitoring and detection. Teams across the digital estate were working with different standards, duplicated backlogs, and unclear prioritisation, making it difficult to assess risk, plan effectively, or build a coherent security strategy. Threat modelling was informal and manual, penetration testing was ad hoc, and leadership had limited insight into the organisation’s true security maturity. These gaps created operational risk, slowed delivery, and made it challenging to embed a consistent, scalable, risk-driven security model.

In this case study

● A unified, risk-based security roadmap
● Embedding DevSecOps maturity
● Closing visibility gaps with CyberOps & Threat Modelling
● Strengthening penetration testing & vulnerability management
● A Security Champion network driving culture change

A unified, risk-based security roadmap

Delivery teams across the organisation were working from fragmented backlogs with duplicated work, competing priorities and inconsistent ownership. This made it difficult to understand what mattered most, slowed decision-making, and limited senior visibility of progress.
G&F reshaped the entire security roadmap around thematic risk areas, replacing dozens of disconnected workstreams with a single, prioritised plan aligned to the organisation’s highest-risk security needs. Clear governance forums were introduced to bring senior stakeholders together, accelerate decisions, and create transparency on delivery progress. Work packages were rationalised, dependencies mapped, and forward planning was embedded to ensure predictable execution and long-term sustainability.

This unified roadmap became the backbone of the programme, aligning teams, improving accountability, and enabling the organisation to focus effort where it mattered most.
Embedding DevSecOps maturity

Security practices varied widely across teams, with inconsistent definitions of “done,” unclear ownership of vulnerabilities, and no reliable way to measure maturity. This fragmented approach slowed delivery and left leadership without confidence that security was being embedded effectively across the digital estate.
G&F introduced a unified DevSecOps model grounded in the OWASP DSOMM framework. We established a clear baseline for maturity, aligned every team to a consistent set of practices, and embedded remediation activities directly into delivery workflows. Security checkpoints were integrated into sprint cycles, and measurable maturity benchmarks were introduced to track progress transparently.
This structured approach enabled the client to achieve DSOMM Level 1 across 27 services, laying the groundwork for sustained improvement and a more predictable, secure delivery culture.

Closing visibility gaps with CyberOps & threat modelling

Critical applications lacked full SOC coverage, creating blind spots in monitoring and detection. Threat modelling was also inconsistent, carried out manually and too late in the delivery process.
G&F supported the organisation’s CyberOps onboarding programme by helping integrate logs from internal applications and validating actionable use cases to improve detection quality. In parallel, we helped design and pilot the organisation’s first repeatable threat-modelling framework using IriusRisk, embedding proactive risk assessment earlier in design and development.
Together, these contributions strengthened visibility, improved detection, and supported the organisation’s shift from reactive security to proactive risk management.

Strengthening penetration testing & vulnerability management

Penetration testing was inconsistent, tied to a single supplier, and often out of sync with delivery cycles. Vulnerability backlogs, particularly in Salesforce, had grown without clear ownership, and existing DAST tooling produced unreliable results.

G&F supported the redesign of the testing approach by helping introduce a structured quarterly cadence, broader vendor coverage, and closer alignment with release timelines. We also helped embed vulnerability remediation into team backlogs and contributed to shaping a more effective future DAST strategy.

These improvements increased testing consistency, sharpened remediation focus, and strengthened overall assurance.

Building a security-first culture

Security ownership had historically sat with central teams, leaving limited awareness and capability within delivery squads. This created bottlenecks, slowed remediation, and reduced confidence in secure delivery practices.

G&F supported the rollout of a Security Champion network across Health Digital, providing targeted training in areas such as Salesforce security, Checkmarx and secure coding. We also helped integrate developer-focused tooling and lightweight guidance into day-to-day workflows.

These efforts increased security awareness, improved team autonomy, and helped embed secure-by-design thinking across the delivery organisation.

Value Delivered

1. Engineering & Platform Modernisation

We enhanced backend and mobile engineering functions, improving speed, reliability, and developer experience across several key products.

2. DevSecOps & Security Uplift

Introduced new CI/CD pipelines, integrated automated security scanning, and created compliance frameworks aligned to DORA and internal audit requirements.

3. Data Strategy & Consumer Duty

Delivered new data models, analytics layers, and reporting frameworks to improve accuracy, transparency, and customer outcomes.

4. Coaching & Capability Building

Focused on long-term sustainability by mentoring internal teams, embedding repeatable delivery models, and improving collaboration between technology and business units.
