Five- and ten-year cyber roadmap, managed services contract exit, and an in-house cyber function built from scratch — supporting both a city council and a major international sporting event.
Local authorities operate under sustained pressure: shrinking budgets, rising regulatory expectations, and a threat landscape that has placed UK councils among the most frequently targeted public sector organisations. When a major international sporting event was announced, the cyber risk profile for the host city escalated significantly — the event itself would bring international attention, increased digital infrastructure, and a compressed delivery timeline during which security could not be an afterthought.
At the same time, the council's existing managed cyber services contract was approaching its end — and the organisation needed to determine whether to re-tender, build internal capability, or a combination of both. The existing contract had served its purpose but had not built lasting internal expertise; the council's in-house cyber capability was limited, and leadership lacked the strategic framework to make an informed decision about the future.
The organisation needed a strategy that would work across two different time horizons: the immediate pressures of the sporting event, and the longer-term challenge of building sustainable cyber resilience that would outlast any single contract or consultant.
Magma Cloud led the development of both the five-year and ten-year cyber security roadmaps — giving the council a phased, risk-prioritised plan for improving its security posture over two distinct planning horizons. The five-year plan focused on closing the most critical gaps and establishing sustainable governance; the ten-year plan addressed the longer-term ambition of building a mature, integrated security function.
For the international sporting event, we provided specialist cyber security support across the planning and preparation phase — identifying the specific risks associated with the event's digital infrastructure, advising on security requirements for event systems and partner networks, and ensuring the council's security posture could absorb the heightened threat activity that major international events reliably attract.
We then led the managed services contract (MSC) exit — a process that required careful knowledge transfer, documentation of the existing security baseline, and sequencing to ensure no gap in coverage between the outgoing provider and whatever came next. Exit from a long-running MSC is consistently underestimated in complexity; we had done it before, and that experience shaped how we approached it.
In parallel, we designed and led the recruitment of an in-house cyber function — defining the roles required, drafting job specifications, advising on the selection process, and helping the organisation understand what good looked like when evaluating candidates for security roles they did not yet have the expertise to assess independently. Building internal capability rather than perpetual external dependency was a deliberate strategic choice — one we supported from design through to delivery.
Book a free Ignite Assessment — a 30-minute call with a senior security architect. You'll leave with a read of your current posture, the top risks we'd tackle first, and a clear view of how we can help.
Book Ignite Assessment