When the owner of a Donegal agri-food business asked us to help improve her company's cybersecurity, the first thing she showed us was a stack of NCSC Ireland PDF guides she had downloaded over the previous year. She had read them carefully. She had highlighted sections and made notes in the margins. She had genuinely tried to implement the recommendations. What she had achieved was MFA on her Microsoft 365 account — one control from a document that outlined forty. The other 39 remained as highlighted text in a PDF on her desktop, implemented nowhere. The guides were excellent. The gap between reading them and acting on them had proven impossible to bridge alone.
That gap is the subject of this article.
The NCSC Ireland's Guidance Is Genuinely Good
The National Cyber Security Centre Ireland is one of the most valuable public institutions for Irish business cybersecurity. The CyFUN framework it promotes provides a comprehensive, layered approach to cybersecurity controls. Its sector-specific guidance acknowledges that a legal firm's risks differ from a manufacturing plant's. Its advisory publications on specific threats — phishing campaigns, ransomware variants, vulnerability disclosures — are timely, accurate, and actionable. If every Irish SME could fully implement the NCSC Ireland's recommendations, Ireland's collective cyber resilience would be meaningfully stronger.[^1]
But the guidance has a fundamental limitation that is not a criticism of the NCSC: it is advice, not implementation. A document, however excellent, cannot configure your MFA settings, test your backup recovery, train your staff, or sit in front of your board and explain your risk posture. Between the guidance and the outcome, there is a significant and consistent gap — and for most Irish SMEs, nobody is bridging it.
Have you downloaded NCSC Ireland guidance that you intended to act on but haven't fully implemented? You are not alone, and the gap is bridgeable. Book a free 20-minute strategy call — we can tell you which controls from the NCSC guidance apply most urgently to your business and how to implement them without specialist in-house expertise.
The Four Gaps That Stop Irish SMEs Acting on Good Advice
The technical capability gap. NCSC guidance is precise and necessarily technical. Concepts like network segmentation, endpoint detection and response, cryptographic key management, and DNS filtering are accurate descriptions of what businesses should implement — but for a non-technical business owner, they can be as opaque as a medical journal to a layperson. The guidance assumes a baseline of IT literacy and technical capability that most Irish SMEs do not have in-house. The result is that the document is downloaded with good intentions and then not acted upon because the first step is unclear.
The prioritisation gap. The CyFUN framework covers dozens of controls across multiple categories. From a pure security standpoint, all of them matter. But for an SME with a limited budget and finite time, "everything is equally important" is the same as "nothing is the priority." Without business-specific context — your sector, your data, your current controls, your biggest exposures — it is impossible to know whether to spend your next €5,000 on a new firewall, a staff training programme, or a penetration test. The guidance provides the map; it cannot know your specific starting point or destination.
The accountability gap. Even businesses that produce a security improvement plan based on NCSC guidance rarely implement it fully. The daily demands of running a business — fulfilling orders, managing cash flow, dealing with HR, planning for growth — consistently outcompete security improvement tasks that have no immediate deadline. An Garda Síochána's National Cyber Crime Bureau notes that the businesses most commonly affected by serious incidents are not those that ignored security entirely, but those that intended to improve and never got around to it.[^2] Without someone accountable for ensuring the plan is executed, monitored, and maintained, it remains a document rather than a programme.
The point-in-time problem. Guidance is a snapshot. The NCSC Ireland updates its materials regularly and issues timely threat advisories, but the threat environment evolves faster than any static document can keep pace with. A security control that was adequate two years ago may be insufficient today. Phishing techniques that were detectable last year are now AI-enhanced and significantly more convincing. An organisation that reads guidance once and considers itself secure is operating on an outdated map.
What Bridges the Gap
The common element in all four gaps is the same: there is no person in the business whose job it is to take the guidance and turn it into action, then maintain that action as the threat landscape evolves. For large organisations, that person is a CISO. For most Irish SMEs, a vCISO fills the same role at a proportionate cost.
A vCISO takes the NCSC Ireland's excellent guidance as a starting framework, applies it to the specific context of your business — your size, sector, data, systems, and existing controls — and produces a prioritised, actionable plan. They then ensure that plan is executed, not just documented. They brief your management team on your obligations under GDPR and NIS2, maintain your risk register, oversee your incident response planning, and attend the quarterly leadership review where your security posture is on the agenda. The Data Protection Commission expects organisations to demonstrate active, documented security governance — this is precisely what a structured vCISO engagement produces.[^3]
The CyFUN framework, in particular, maps well to what a vCISO delivers. Rather than a single pass/fail bar, it defines a graduated series of assurance levels, so a business can be measured against the level appropriate to its size and exposure. Most Irish SMEs sit at the lowest levels. A vCISO can take a business to the level at which security controls are functional, documented, and tested within twelve months. That is the level at which most NIS2 obligations can be satisfied proportionately.
The NCSC Ireland provides the blueprint. Implementing it requires a named person with time, authority, and expertise — which is exactly what a vCISO provides.
What to Do Next
Three actions that close the guidance-implementation gap for any Irish SME:
Use the NCSC's self-assessment tool. The NCSC Ireland has a practical online self-assessment based on the CyFUN framework. Complete it honestly — not aspirationally — and use the output to identify your two or three highest-priority gaps. That is your starting point, not the full document.
Assign ownership to each gap. For every security improvement you have identified, write a name next to it and a date by which it will be complete. If you cannot name someone to own it, that is the gap to address first — either by assigning it internally or engaging external help.
Review your implementation quarterly. Schedule a 60-minute security review at the end of each quarter. Check which planned improvements were completed, which were not, and why. A written record of these reviews is also evidence of the active governance that GDPR accountability and NIS2 require.
Related Reading
- The SME Cybersecurity Starter Kit: 10 Steps to Get Protected Today
- What Is a vCISO and Why Do Irish SMEs Need One?
- vCISO Transform Cybersecurity in 90 Days
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.