The UK’s Department of Science, Innovation and Technology (DSIT) is responsible for securing over half a million domains across thousands of government organizations.
This ranges from the smallest Parish Councils to the behemoth that is the National Health Service (NHS) and its various sub-organizations.
That makes advising these organizations on what the latest cybersecurity vulnerabilities are and how to fix them a challenge, especially in an era when frontier AI Models are uncovering more vulnerabilities than ever before.
However, that does not mean each individual organization must fully understand the technical details of what vulnerabilities could be exploited. Rather, it is more important that they are provided with the correct information on what to fix and how to fix it, explained Nick Woodcraft service owner for vulnerability monitoring at DSIT.
“When you come with a problem, rather than talking about the technology, talk about the outcomes,” he said said,
Woodcraft was speaking at Infosecurity Europe 2026, in a session on the Resilience and Cyber Risk stage, titled ‘From Months to Days: How DSIT Is Rethinking Remediation at Scale’.
Making Vulnerability Management Simple to Understand
For example, he detailed how DSIT has simplified discussion around DNS vulnerabilities. A local council does not need to know what exactly a DNS vulnerability is, but they are told that if the issue is not fixed, they may lose access to their website.
“Most of the people we talk to are extremely competent at what they are do, but they are not cybersecurity or vulnerability experts,” said Woodcraft.
Read More: What Fronter AI Models Like Mythos and GPT-Cyber Mean for Modern Cybersecurity
“But when you explain this is what it is, this is what it means – that you could lose access to your website – they understand and appropriately prioritize it. That’s been important, finding ways to help people understand,” he explained.
However, with over half a million domains across thousands of government organizations to help with managing security, it’s impossible for DSIT to be hands-on with every single one of those bodies.
How Technology Helps DSIT Manage Vulnerabilities
That is why DSIT has also invested in creating additional channels to analyse and pass on information, including Security Information and Event Management (SIEM) solutions and online resources where people can easily find the data.
“We can push everything we get into a SIEM, and they can prioritize it themselves,” Woodcraft explained.
“The National Cyber Security Centre (NCSC) has a portal with early warnings, so we started pushing our data into there, where people might expect to find it, they see the data and trust it. We’re trying to make it clear in ways they can understand,” he added.
In addition, DSIT stressed that it is important not to overwhelm other governmental departments and organizations with information about too many issues at once. Instead, organizations will respond more positively if the information is fed to them in stages.
“We quickly found that if you discover 15 issues within an organization and we said that we had found 15 things, it gets their backs ups and it’s too much information,” said Woodcraft.
“We started drip feeding stuff instead – we would gradually feed issues and help them fix it. We also have humans who were prepared to spend the time with them with the sole focus to get it fixed,” he added.
DSIT is already thinking about how it can help organizations stay secure in a post-Mythos world where new vulnerabilities could be uncovered faster than ever before.
According to Woodcraft, while it is a problem which will need to solved, what can go a long way to protecting organizations is by ensuring that they are doing the basics correctly.
“If we know to keep patching, to keep things up to date and to have the right processes in place, we’re not going to be in as much danger,” he said.
