DSPT View: Strengthening Cyber Security Maturity and Assurance Across an NHS Acute Trust
Others deliver and disappear. We stay - to govern, harden, monitor, and evolve - turning frameworks into action, not just checklists.

An NHS acute Trust engaged McCormickCo Security (MCS) to address long-standing cyber security capability gaps and to build a sustainable, self-sufficient cyber security function aligned to NHS governance and assurance requirements. The engagement spanned multiple years and focused on reducing cyber risk, improving operational efficiency, and embedding cyber security as a core business-as-usual capability rather than an annual compliance exercise.
At the outset of the engagement, the Trust employed several thousand staff and delivered acute hospital services to a large and diverse population. Its information systems were hosted and managed on a predominantly on-premises infrastructure, supporting a wide range of clinical and corporate services. Despite this complexity, the Trust did not have tooling in place to routinely monitor, analyse, and report on its cyber security posture in a consistent and defensible way.
Cyber remediation activity was largely reactive. Investigations were often triggered by third-party notifications, with individual security investigations taking up to two weeks to complete. This fragmented approach limited the Trust’s ability to understand its true level of risk and created challenges in prioritising remediation activity effectively.
The Trust recognised that this approach exposed it to an unknown and potentially unacceptable level of cyber risk. Senior leaders lacked access to timely, reliable information to support informed decision-making around patient safety, duty of care, and legal and contractual obligations. Engineers and security specialists did not have the data or analytics required to plan remediation activity at scale. Attempting to grow this capability organically was not considered feasible due to constraints on finance, resource, and specialist knowledge.
To overcome these challenges, the Trust required a partner with both the technical capability to address immediate cyber risks and the practical understanding needed to help an NHS organisation build a sustainable cyber security function that would deliver long-term value for money.
McCormickCo Security was engaged to help close these capability gaps and to support the development of a mature, self-sufficient cyber security function. Central to this approach was the deployment of DSPT View, MCS’s assurance and risk visibility platform designed specifically to support NHS DSPT and CAF requirements.
DSPT View was implemented to provide near real-time visibility across the Trust’s digital estate, combining threat intelligence feeds, automated data capture, analytics, and reporting into a single, accessible platform. This gave staff who hold cyber security responsibilities clear insight into risk exposure, while giving the Trust Board assurance that cyber risks were being identified, prioritised, and managed proactively.
The platform was capable of collating approximately 80% of the evidence required to support DSPT accreditation in under one hour, removing a significant administrative burden from the Trust’s teams. Using DSPT View, MCS worked closely with senior leaders to review risk exposure scores, establish a shared understanding of priority risks, and agree a remediation strategy aligned to organisational objectives.
The deep analysis and reporting provided by DSPT View enabled structured remediation planning across servers, endpoints, and software inventories. Near real-time monitoring of the evolving threat landscape allowed remediation plans to be continuously refined as new vulnerabilities emerged. Trust engineers were coached to complete remediation tasks using asset-level vulnerability data and recommended remediation steps directly within the platform.
Alongside tooling, MCS helped establish consistent security processes, routines, and reporting cycles. Trust staff were mentored and supported to develop the skills and confidence needed to operate the cyber security function independently. Remediation activities were verified using DSPT View’s on-demand analysis and reporting capabilities, providing assurance that risk reduction activities had been completed effectively.
The engagement also focused on strengthening incident response capabilities and security protocols through close collaboration between MCS and the Trust’s digital teams. DSPT View’s comprehensive software inventory was used to identify redundant applications and overlapping functionality, enabling the Trust to rationalise its estate and reduce unnecessary cost.
Throughout the engagement, MCS supported the Trust in evidencing progress and validating the benefits of its cyber security programme by tracking improvements in risk exposure scores and assurance metrics. This enabled senior management to see clear, measurable returns on investment and make informed decisions about future cyber security priorities.
As a result of this work, the Trust achieved a significant reduction in its overall risk exposure score, moving from a high-risk position to a controlled and defensible posture. Millions of vulnerabilities were remediated and independently verified, and a dedicated internal cyber security team was developed with the capacity, skills, and processes required to support business-as-usual operations and incident response.
Operational efficiency improved substantially. The Trust eliminated lengthy investigation cycles, reduced reliance on external resource, and delivered concise, high-quality cyber reporting to the Board to support effective oversight and investment decisions. DSPT compliance was consistently achieved across multiple years, with the majority of required evidence generated rapidly through DSPT View.
The partnership enabled the Trust to transition from a reactive, fragmented approach to a proactive, sustainable cyber security capability, aligned to NHS expectations and resilient to an evolving threat landscape.
Services Delivered
During this engagement, McCormickCo Security delivered a comprehensive set of services, including:
- Cyber Security Leadership and Management – Providing strategic and operational leadership to stabilise risk and drive long-term improvement
- DSPT View Implementation – Deployment of a near real-time assurance and risk visibility platform aligned to DSPT and CAF
- Threat and Vulnerability Management – Identification, prioritisation, remediation, and verification of vulnerabilities at scale
- DSPT Assurance and Evidence Support – Automated evidence collection and assurance reporting to support sustained compliance
- Incident Response and Security Operations Support – Strengthening response capabilities and operational readiness
- Capability and Skills Development – Mentoring and training internal teams to build a self-sufficient cyber security function
- Board-Level Cyber Reporting – Clear, concise reporting to support executive oversight and decision-making
- Application and Estate Rationalisation – Reducing cost and complexity through improved software visibility






