The UK’s Department for Science, Innovation and Technology (DSIT) is responsible for the cybersecurity of over half a million domains across thousands of government organizations — from tiny Parish Councils to the massive NHS. At Infosecurity Europe 2026, DSIT’s Nick Woodcraft explained how they’re rethinking vulnerability management at a scale that would make most CISOs break into a cold sweat.
Talk Outcomes, Not Technology
The core insight is deceptively simple: most of the people managing these systems aren’t cybersecurity experts. They’re competent at their jobs — running local government services, managing healthcare systems — but they don’t need to understand the technical details of a DNS vulnerability. They need to know what happens if they don’t fix it.
“When you come with a problem, rather than talking about the technology, talk about the outcomes,” said Woodcraft, service owner for vulnerability monitoring at DSIT. Instead of explaining DNS record manipulation, you tell a council that their website could go offline. Suddenly it’s a priority.
Drip-Feed, Don’t Dump
DSIT learned the hard way that overwhelming organizations with vulnerability reports backfires. When they flagged 15 issues at once, organizations would get defensive and nothing would get fixed. So they switched to drip-feeding — gradually surfacing issues and helping organizations fix them one at a time, with dedicated human support focused solely on remediation.
It’s a lesson that applies far beyond government. Any security team that’s ever sent a 47-page vulnerability report to a development team knows the feeling of watching it disappear into a black hole. Prioritization and pacing matter as much as the findings themselves.
SIEM and the NCSC Portal
With thousands of organizations to support, hands-on guidance for everyone isn’t feasible. DSIT invested in SIEM solutions that let organizations ingest vulnerability data and prioritize it themselves. They also push data into the National Cyber Security Centre’s early warning portal — a place where government IT teams already look for trusted information.
Meeting people where they already are, rather than forcing them onto a new platform, is a small decision that dramatically increases adoption.
The AI Vulnerability Flood Is Coming
Woodcraft acknowledged the elephant in the room: frontier AI models are now uncovering vulnerabilities faster than ever before. DSIT is already planning for a “post-Mythos” world where the volume of discovered vulnerabilities could outpace remediation capacity. The combination of human expertise and automated systems that DSIT has built is designed to scale — but the challenge is growing faster than anyone expected.
For the rest of us, the takeaway is clear: vulnerability management isn’t just a technical problem. It’s a communication problem, a prioritization problem, and increasingly, a scaling problem. The organizations that figure out all three will be the ones that stay secure.
