Talent and Governance, not Technology, are Key to Drive Change around Cyber Security

You Are Not Going to Fix Your Cyber Security Problems by Buying More Tech

For the last 20 years, large organizations have been spending significant amounts of money on cyber security products and solutions, on managed services, or with consultancies large and small.

Yet maturity levels remain elusive: McKinsey surveyed more than 100 firms in 2021 and found that 70% of their sample “had yet to fully advance to a mature-based approach”. These results are regularly matched by similar reports and also by the anecdotal evidence we can see in the field every day.

Consensus amongst cyber security professionals seems to point towards low maturity levels being a consequence of under-investment in that space.

I have rarely seen that hypothesis thoroughly tested and would argue the problem is broader.

In essence, cyber security good practices have been well established for the best part of the last 20 years, and to a large extent, continue to provide in most industries an acceptable level of protection against most threats and an acceptable level of compliance against most regulations.