Cutting Through the Framework Fog: Building Real Cyber Resilience in Scotland
The Scottish Public Sector Cyber Resilience Framework (PSCRF) is designed to help Scottish public bodies assess and improve their cyber resilience. But let’s be honest—there’s no shortage of frameworks out there. The National Cyber Security Centre (NCSC) has its Cyber Assessment Framework (CAF), Brussels has the NIS2 Directive, and across the pond the Americans swear by the NIST Cybersecurity Framework. All these acronyms and helpful frameworks are enough to make your head spin.
But here’s the thing—they’re all saying roughly the same thing. It doesn’t matter if you call it PSCRF, CAF, NIS2 or NIST, they all boil down to common-sense security: know what’s at risk, protect it, plan for when things go wrong, and make sure you’re always improving. The names and bureaucratic red tape differ—and some of these acronyms travel with more muscle-bound enforcement squads than others—but the core ideas don’t change. If you’re following one framework or directive properly, you’re probably covering a lot of what the others ask for.
Within the PSCRF there are four ‘domains’: manage security risk, protect against cyber attack, detect cyber security events, and respond and recover. A good first step is to start a conversation with your strategic security vendors and ask them to map their technology onto the framework, control by control. Reject vague answers and you will start to build a clear view of where you sit in the progression stages (baseline, target or advanced), and of which controls none of your vendors actually covers.
In frameworks like these, the granular detail can make you lose sight of the overarching strategic architecture that is actually the key to reaching the advanced stages. One term that appears less often in PSCRF than in some of the other directives and frameworks, but is no less useful in meeting them, is zero trust.
Zero trust is the mindset shift that makes all these frameworks actually work. The old assumption—that everything inside your network is safe—is gone. Instead, zero trust says: never trust, always verify, and grant only the access a specific user, device and task needs. While PSCRF doesn’t call it out by name, this is what it is pointing at when it requires that “Network traffic, services and content is limited to that required to support business need”.
The important thing to keep in mind when building a zero trust model is that access decisions are only as good as the granular, continually refreshed information behind them. Visibility and control go hand in hand. With so many data destinations, user locations, data types and devices, and a mixture of organisational and partner instances of the same cloud apps, zero trust is all about context: understanding where and how data is being used and adapting protections accordingly.
Tying systems together
Where to start? The first step is coverage: tools that map your full footprint and fill the security gaps between them. Unified policies not only close those gaps but also simplify operations, which is why integrated security platforms—and close ecosystem ties between best-of-breed platforms—are popular.
Once you can derive insights from across your security architecture, the context-driven decisions follow. A connected approach also reduces risk earlier in the kill chain of an incident: if a device or app is high risk, it can be blocked immediately, and real-time correlation of events and alerts becomes crucial to detecting threats before they cause harm. Modern security technology should replace ageing legacy systems because it is simply much better at detecting anomalous activity and applying layered controls.
Promoting a cybersecurity culture for your people and partners
Cyber resilience isn’t just about policies—it’s about real-time security awareness, and PSCRF makes this very clear. Instead of relying on one-off training, organisations should implement real-time coaching, providing alerts and guidance at the moment a user attempts a risky action, such as uploading sensitive data to an unapproved app. This turns security into an ongoing learning process rather than a one-time exercise and nudges users towards continually better behaviour.
By making security proactive, intuitive and embedded in daily workflows, you strengthen both cyber awareness and public sector supply chain resilience, and stay ahead of threats rather than reacting to them.
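To make the two ideas above concrete, here is a small Python sketch, added for this edit and not taken from the article or from any vendor product, of what context-driven access decisions and real-time coaching look like once reduced to policy logic. Every request is evaluated against ordered rules (hard blocks first, then coaching nudges, then explicit allows) and anything no rule grants is denied, so a new app, device type or data label is blocked until someone writes a rule for it. The field names, value sets, app names and sample requests are all assumptions constructed for the example; a real deployment would take them from identity, device-posture and app-discovery feeds.

```python
"""Context-driven access decisions with a coaching outcome (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    COACH = "coach"   # proceed only after a real-time prompt explaining the risk
    BLOCK = "block"


@dataclass(frozen=True)
class Request:
    """One attempted action plus the context a policy engine would be fed.

    Field names and value sets are assumptions for this example.
    """
    user: str
    device_managed: bool
    device_risk: str      # "low" | "medium" | "high"
    app: str
    app_sanctioned: bool
    app_instance: str     # "corporate" | "partner" | "personal"
    activity: str         # "view" | "download" | "upload" | "share"
    data_label: str       # "public" | "internal" | "confidential"


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reason: str


def evaluate(req: Request) -> Verdict:
    """Ordered rules: hard blocks, then coaching nudges, then explicit allows.

    Anything no rule grants falls through to BLOCK (default deny).
    """
    if req.device_risk == "high":
        return Verdict(Decision.BLOCK, "device posture is high risk")
    personal_or_unsanctioned = (not req.app_sanctioned) or req.app_instance == "personal"
    if personal_or_unsanctioned and req.activity == "upload" and req.data_label == "confidential":
        return Verdict(Decision.BLOCK, "confidential data leaving to an unsanctioned or personal app")
    if not req.device_managed and req.data_label == "confidential" and req.activity in ("download", "share"):
        return Verdict(Decision.BLOCK, "confidential data cannot be pulled onto an unmanaged device")
    if req.app_instance == "personal" and req.activity == "upload" and req.data_label != "public":
        return Verdict(Decision.COACH, "upload to a personal instance of a sanctioned app")
    if not req.app_sanctioned and req.activity == "upload":
        return Verdict(Decision.COACH, "upload to an app that has not been risk-assessed")
    if req.app_sanctioned and req.device_managed and req.device_risk == "low":
        return Verdict(Decision.ALLOW, "sanctioned app from a managed, low-risk device")
    if req.app_sanctioned and req.activity == "view" and req.data_label in ("public", "internal"):
        return Verdict(Decision.ALLOW, "read-only access to low-sensitivity data")
    return Verdict(Decision.BLOCK, "default deny: no rule grants this combination")


def coaching_message(req: Request, verdict: Verdict) -> str:
    """The in-the-moment nudge shown to the user for a COACH verdict."""
    return (f"{req.user}: you are about to {req.activity} {req.data_label} data to "
            f"{req.app} ({req.app_instance} instance). {verdict.reason}. "
            f"Use the corporate instance, or confirm this is a business need.")


# Constructed sample requests, not real telemetry.
SAMPLES = {
    "routine": Request("a.smith", True, "low", "SharePoint", True, "corporate", "download", "confidential"),
    "personal_drive": Request("a.smith", True, "low", "OneDrive", True, "personal", "upload", "internal"),
    "unsanctioned_confidential": Request("b.jones", True, "low", "FileShareX", False, "corporate", "upload", "confidential"),
    "unmanaged_read": Request("c.wong", False, "medium", "SharePoint", True, "corporate", "view", "internal"),
    "unmanaged_pull": Request("c.wong", False, "medium", "SharePoint", True, "corporate", "download", "confidential"),
    "compromised_device": Request("d.khan", True, "high", "SharePoint", True, "corporate", "view", "public"),
    "unmanaged_upload": Request("c.wong", False, "medium", "SharePoint", True, "corporate", "upload", "internal"),
}


def run_samples() -> dict:
    """Evaluate every sample; returns {name: Decision} for inspection or testing."""
    return {name: evaluate(req).decision for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        v = evaluate(req)
        print(f"{name:28} {v.decision.value:6} {v.reason}")
        if v.decision is Decision.COACH:
            print("    ", coaching_message(req, v))
```

The point of the ordering is that the same user on the same app gets three different answers depending on context: a managed, low-risk device reading from the corporate tenant is allowed; the personal instance of that app triggers a coaching prompt for internal data and a hard block for confidential data; and the "unmanaged_upload" case shows the default deny catching a combination nobody wrote a rule for, which is exactly where a review of blocked events should start.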
Focusing on what really matters
So, what’s the takeaway here? Don’t get bogged down by the different frameworks. They’re all pushing us in the right direction. Focus on what really matters—understanding your risks, protecting your systems, and building a culture of resilience. And if you’re not already thinking about zero trust, now’s the time. It’s what pulls everything together and makes sure we’re not just reacting to threats, but actually staying ahead of them. That’s where we win.
Holyrood provides comprehensive coverage of Scottish politics, offering award-winning reporting and analysis.