Cybersecurity readiness


65% of medium-sized UK businesses identified a cyber breach or attack in the last 12 months. Less than a third have reviewed the risk their suppliers pose. We assess your real exposure in business terms, name who owns each risk and build a roadmap your team can fund and deliver without an enterprise security budget.

The right conversation to have

Cybersecurity is a business risk decision. Not a technology purchase.

The most common failure mode in mid-market cyber security is not the absence of tools. Most organisations at this scale already have a firewall, endpoint protection and some form of backup. The failure is that nobody owns the risk, exposure has never been assessed against the business that actually exists, and spend has gone on whatever a vendor sold last rather than what the evidence says matters most.

The evidence backs this up. Government survey data shows that 57% of medium businesses have a formal cyber security strategy, yet only 52% have board-level ownership and just 30% have reviewed the risk their own suppliers pose. The gap is not technical capability. It is accountability and oversight that has not kept pace with the risk.

When security is left entirely to IT, the conversation stays technical and the board never sees the actual exposure in terms it can act on. When there is no named executive owner, incidents get a panicked response instead of a rehearsed one, and decisions about acceptable risk get made by default rather than by choice.

The conversation that matters is about exposure and acceptable risk — what could actually go wrong, what it would cost the business and who decides how much risk is tolerable given what you can realistically afford to fix. Technology is one control among several. It is not the strategy.

A Medasi cybersecurity readiness engagement gives you an evidence-based view of where you are genuinely exposed, a named owner for each risk and a roadmap sized to what an organisation of your scale can fund and sustain.

How we frame the conversation

Not this: We need a cyber security strategy.

But this: We need to know which three risks would actually hurt the business and who is responsible for closing them.

Not this: Your security posture is weak.

But this: Only 3 in 10 mid-sized businesses have reviewed the risk their own suppliers pose. That is the kind of gap we find and close.

Not this: We will run a penetration test.

But this: In 90 days, you will have a named owner for every critical system, a tested response plan and a funded plan for what is left.

The framework

Six components.
Practical by design. Sized to your risk.

Most organisations at this scale do not need an enterprise security function. They need clear answers to three questions — what could actually go wrong, who owns each risk, and what happens in the first hour of an incident — for the systems that genuinely matter. This framework delivers that.

Risk register

A prioritised list of realistic threats to the systems and data that matter most, scored by likelihood and business impact — not a generic checklist of every theoretical vulnerability. Designed around what would actually hurt you, not what is theoretically possible.

Ownership model

A named executive risk owner and system owners for every critical asset. Without names, security decisions get made by default. System owners must have real authority — if they cannot mandate a fix, they are not actually owners.

Access and identity controls

Rules and reviews governing who can reach what, when access is removed and how privileged accounts are managed. The single most common source of exploitable exposure at this scale, and the cheapest to fix once visible.

Third party and supply chain oversight

Visibility of which vendors and partners can reach your systems or data, what access they have and how their own security posture affects your exposure. Supply chain compromise is now one of the most common routes into mid-market organisations.

Incident response plan

A tested, named-roles plan for the first hours of an incident — who decides, who communicates, who can authorise system isolation. A plan that has never been rehearsed is a document, not a capability.

Governance and review cadence

How the risk register is reviewed, how exceptions are approved and how the board gets a credible, non-technical view of exposure. A framework without a review rhythm decays within months as the estate changes around it.

The 90-day approach

Risk reduction before speed.
Foundations before features.

The 90-day horizon is the primary planning unit. Organisations at this scale lose focus on multi-year plans. We sequence by what reduces risk first, not what is easiest to deliver first.

Days 1-30

Establish foundations

Build the structural conditions for governance to take hold — including the executive conversations that determine whether it will survive.

  • Domain model agreed with senior leadership

  • Domain owners and stewards nominated

  • Governance lead identified

  • Priority datasets scoped for quality analysis

  • Framework documentation in client hands

Days 31-60

Build and activate

The framework goes live. The governance council meets. Quality data starts to inform decisions rather than frustrate them.

  • First governance council meeting held

  • Quality scorecards live for priority domains

  • Business glossary — first entries agreed

  • Data quality profiling complete

  • Remediation backlog populated and prioritised

  • Two to three quick wins identified and underway

Days 61-90

Stabilise and hand over

The programme transitions from consultant-led to client-led. Handover is planned from day one — not added at the end.

  • Council operating without consultant facilitation

  • Quick wins delivered and reported to sponsor

  • Executive sponsor quarterly review held

  • Handover readiness criteria confirmed

  • Maintenance regime in place and owned

  • All documentation in client-owned repository

The ownership model

Named accountability for every system.
No risks without owners.

Executive level

Executive risk owner

Typically the COO, CFO or Chief Digital Officer. Provides the mandate and authority for the programme. Makes the final call on acceptable risk where it cannot be fully eliminated. Chairs the quarterly risk review.

Programme level

Security readiness lead

The day-to-day owner of the readiness programme. Maintains the risk register, coordinates remediation and runs the incident response rehearsal. A coordination and accountability role — not necessarily a deep technical specialist.

Domain level

Critical system owner

A senior leader accountable for the security and access controls of a defined critical system — finance, customer data, operational technology. One owner per system. Makes the call on access requests and represents the system in incident response.

Operational level

Security steward

An IT or operations team member responsible for day-to-day monitoring within a system — flagging anomalies, maintaining access logs and acting as first point of contact when something looks wrong. The first line of detection, not the last line of defence.

Governance forum

Risk review forum

The forum where system owners and the readiness lead convene to review the risk register, approve exceptions and decide what gets funded next. Typically meets monthly. The executive risk owner attends quarterly and chairs the annual review.

Data quality analysis

Six domains.
Assessed against your most critical systems.

Before designing the framework, we establish an evidence-based picture of where quality fails, why it fails and what the business consequence is. Not every dimension matters equally for every dataset — we focus effort where it matters most.

Identity and access

The degree to which access to critical systems is granted, reviewed and removed in line with who actually needs it.

Leaver accounts still active months later; shared logins; no multi-factor authentication on finance or admin systems.

Third party exposure

The degree to which vendor and partner access to your systems and data is known, justified and reviewed.

Vendor access granted years ago and never revisited; no view of a key supplier's own security posture.

Data and backup resilience

The degree to which critical data can be recovered within a timeframe the business can actually tolerate.

Backups exist but have never been restored under realistic conditions; recovery time is assumed, not measured.

Patch and configuration hygiene

The degree to which systems are kept current and configured to known good practice rather than vendor defaults.

Critical patches delayed by months; default credentials or settings still in place on key systems.

Incident readiness

The degree to which the organisation could detect, respond to and recover from an incident without improvising.

A response plan exists on paper but has never been tested; no clarity on who can authorise isolating a system.

Workforce awareness

The degree to which staff recognise and correctly respond to social engineering and phishing attempts.

Annual training completed as a compliance exercise, with no measurable change in phishing susceptibility.

What you get

Board-ready outputs at every stage of the engagement.

Board-level one-pager

A standalone summary of risk position, the top three exposures by business impact, and a clear recommendation — designed to be read independently of any supporting document, in language a non-technical board can act on.

Risk register

A prioritised, evidence-based register of identified risks scored by likelihood and impact — updated at each major milestone and used as the single reference point for what gets funded next.

Exposure assessment report

A structured assessment across all six risk domains — with root cause analysis, business impact ratings and a prioritised remediation list ranked by impact and effort, not by what a vendor recommends.

Incident response plan

A tested, named-roles plan for the first hours of an incident, covering decision rights, communication and escalation — rehearsed through a tabletop exercise, not just written and filed.

90-day roadmap

A sequenced, phased delivery plan across the three horizons — sequenced by risk reduction, with named owners, realistic milestones and a funded plan for what remains beyond day 90.

Review and governance cadence

The recurring activities, ownership and forum structure needed to keep the risk register current after delivery ends — including the review rhythm and exception approval process.

Who this is for

Leaders who are accountable for risk they cannot currently see.

Cybersecurity readiness engagements are most valuable when an organisation has grown faster than its security thinking, when a recent incident or near-miss has exposed how little visibility leadership actually had or when a customer, insurer or regulator is asking questions the business cannot yet answer with confidence. They are also the right investment before a funding round, acquisition or major platform change, where unmanaged cyber risk becomes a liability on the balance sheet.

Chief Operating Officer

Accountable for operational continuity and the business cost of an incident

Chief Financial Officer

Weighing security spend against insurance requirements and balance sheet risk

Chief Digital or Technology Officer

Inheriting an estate where security decisions were made informally over time

Chief Executive Officer

Personally accountable to the board for a risk nobody has clearly quantified

When organisations engage us

A near-miss or actual incident

Something has already gone wrong, or come close to it, and leadership has discovered they had far less visibility and control than they assumed.

Customer, insurer or regulatory pressure

A client, cyber insurer or regulator is asking for evidence of controls the organisation cannot currently produce with confidence.

Growth that has outpaced governance

Headcount, systems and third party relationships have grown quickly, and nobody has stepped back to ask who can now reach what.

Pre-transaction due diligence

A funding round, acquisition or major platform change is on the horizon, and unmanaged cyber risk needs to be understood and addressed beforehand.

Start with clarity

Find out where you are genuinely exposed
— and what it would cost you.

A conversation about your current security posture and what a readiness engagement would realistically involve for an organisation of your scale.

©️ Medasi Limited 2026. All rights reserved

Transformation. Delivered.