Cybersecurity has become one of the most heavily invested areas in modern organisations. Every year, budgets rise, new tools are purchased, and more responsibilities are shifted to third parties. Yet breaches continue to rise in frequency and severity.
The core problem is not a lack of technology. It’s that too many organisations are building security on unstable foundations.
Strong cybersecurity is not something that can be bought in a box, generated by AI, or outsourced into existence. It is an outcome of well-run infrastructure, disciplined engineering, mature operations, and—most importantly—experienced, motivated people who have the time and capacity to do things properly. These are people who know the environment, the users, and the nuances of that particular organisation, who can think across the silos, and who are able to talk to people in every department.
1. The Foundation Matters More Than the Toolset
Most successful attacks do not rely on sophisticated zero-days. They exploit basic, preventable weaknesses—unpatched systems, misconfigured access, overly flat networks, or brittle legacy infrastructure with no clear ownership. Add to that stressed staff in every department clicking on phishing emails because they are doing so many jobs, or fighting deadlines that are impossible to meet, that they cannot stop to look at and think about what they are doing. This is something that all security staff training misses.
Patching: The Most Effective but Neglected Control
Every breach post-mortem has a familiar refrain: the exploited vulnerability was known and fixable. Patching is not glamorous, not innovative, and not something a CEO can announce in a press release—but it is one of the single most cost-effective security practices.
A mature patching regime:
Reduces the opportunity window for attackers
Prevents emergency downtime and firefighting
Lowers operational and security costs
Builds predictability into the environment
The irony is that patching is often deprioritised not because it is hard, but because teams are overstretched or reliant on third parties who do not feel the impact of failure. Conversely, this is an area where automation can genuinely help.
However, it should also be noted that rushed zero-day patching, which cybersecurity professionals can often panic themselves and senior leadership into forcing without thinking, can be worse than being hacked in the first place. How many times have we seen badly written, rushed patches to fix a zero-day do huge amounts of damage because they “HAD TO BE INSTALLED NOW!!” and were never able to be tested first?
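As an added illustration of the patching argument above (this is example code written for this article, not a tool the author uses): a minimal ring-based rollout where every fix, including an emergency zero-day fix, must pass a health check and a soak period in a small canary ring before it is pushed wider. Ring names and soak hours are assumptions chosen for the example; an emergency fix gets a shorter soak, never none.

```python
"""Staged patch rollout: canary -> pilot -> broad.

A patch is promoted to the next ring only when the current ring's health
check passed and the ring has soaked long enough.  A failed health check
halts the rollout so a bad patch never reaches the whole estate.
"""
from dataclasses import dataclass, field

RINGS = ("canary", "pilot", "broad")          # assumed ring names
SOAK_HOURS = {"canary": 24, "pilot": 48, "broad": 0}  # assumed soak per ring


@dataclass
class Patch:
    name: str
    emergency: bool = False   # zero-day fix: shortened soak, but still gated


@dataclass
class Rollout:
    patch: Patch
    ring: int = 0             # index into RINGS of the ring being patched
    halted: bool = False
    log: list = field(default_factory=list)


def required_soak(patch: Patch, ring_name: str) -> int:
    """Hours a ring must run cleanly before promotion; emergency fixes get 1/4."""
    base = SOAK_HOURS[ring_name]
    return base // 4 if patch.emergency else base


def promote(rollout: Rollout, health_ok: bool, hours_soaked: int):
    """Apply one evaluation of the current ring.

    Returns the ring that should be patched next (the same ring if it still
    needs soaking), or None when the rollout is complete or halted.
    """
    if rollout.halted or rollout.ring >= len(RINGS):
        return None
    current = RINGS[rollout.ring]
    if not health_ok:
        rollout.halted = True
        rollout.log.append(f"{current}: health check failed, rollout halted")
        return None
    need = required_soak(rollout.patch, current)
    if hours_soaked < need:
        rollout.log.append(f"{current}: soaked {hours_soaked}h, need {need}h")
        return current
    rollout.log.append(f"{current}: healthy after {hours_soaked}h, promoting")
    rollout.ring += 1
    return RINGS[rollout.ring] if rollout.ring < len(RINGS) else None
```

The point is not the numbers but the shape: a patch management process that automates promotion still keeps a human-sized test ring in front of the estate, even when the fix is labelled urgent.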
2. Good Infrastructure Practices: The Bedrock of Cyber Resilience
Security is often discussed as a separate speciality, but the reality is that it sits on top of:
Solid network architecture
Standardised, hardened builds
Clear lifecycle management
Well-documented systems
Strict change and configuration controls
When infrastructure is healthy, security becomes exponentially easier. When it is messy, fragmented, or owned by external providers, you cannot secure what you cannot understand.
Modern, risk-aware infrastructure design—segmentation, identity-first access, infrastructure-as-code, lifecycle management—reduces the attack surface before a security tool even enters the conversation. Security tools become amplifiers of good engineering rather than a crutch to compensate for its absence.
This should also include not defaulting to Microsoft because you are on Azure, or simply plugging in another module from a vendor you already use. “Cloud First” should not be the default, and now that sovereignty is driving decisions, have experts locally who know on-premises equipment.
How can you secure your data if you don’t know where it is? Products like Cyera are there to quickly and effectively search for and tag your data. Is it on a user’s laptop? Has it been copied across to a personal OneDrive?
3. The Human Factor: Why Fully Staffed, Experienced Teams Outperform Third Parties
One of the most damaging assumptions in corporate strategy today is the belief that outsourcing is cheaper, and that specialist partners can replace the expertise of internal staff.
The Risks of Outsourcing and Over-Reliance on Third Parties
Outsourcing often leads to:
Loss of organisational knowledge
Slower response times
Higher long-term costs
Reduced accountability
Limited situational awareness
A culture of “not my job” or “it’s not in our SLA”
Third parties rarely understand the internal nuances of an organisation. They cannot match the context, instincts, or urgency of people who live within the environment daily.
Fully Staffed Local Teams Are a Strategic Asset, Not a Cost
Investing in well-staffed, well-paid, and motivated teams is not a luxury—it is a cybersecurity control.
In-house teams:
Understand the environment deeply
Detect issues earlier
Respond faster in crises
Maintain higher-quality systems
Reduce reliance on expensive external vendors
Build and retain institutional knowledge
Make fewer errors because they aren’t overloaded
The cost of a breach dwarfs the cost of a well-paid engineer.
Rushed Staff Make Mistakes—Across Every Department
Cybersecurity is often framed as a technical problem, but human error is a major contributor to risk. Rushed staff click phishing emails. Overloaded engineers skip testing or defer patching. Burnt-out analysts misconfigure systems. Pressured developers bypass secure coding practices to meet deadlines.
Understaffing is not a budget efficiency—it is a direct path to security failures. What is the point of drawing up disaster plans when the staff who created them have been replaced by yet another third party that still hasn’t read the documentation, or when the internal staff in Marketing or Finance whom you trained and who knew what to do in a disaster have been replaced or moved on?
4. Experience Matters: Infrastructure Engineers Are Worth Their Weight in Gold
There is no substitute for deeply experienced infrastructure engineers—the people who understand not only how systems should work, but how they fail.
Security tools identify symptoms. Experienced engineers understand causes.
These are the individuals who:
Can spot subtle misconfigurations before they become incidents
Know how to simplify complex environments
Understand interdependencies that tooling cannot infer
Build resilient, secure, maintainable architectures
Provide the continuity and realism that outsourced teams cannot
The move toward cloud, automation, and AI has created a misconception that traditional infrastructure expertise is less relevant. In reality, the complexity of modern environments makes that experience more valuable than ever.
5. AI Is a Powerful Tool—But Not a Silver Bullet
AI can assist with detection, alert triage, and code analysis. But it cannot replace:
Ownership
Good engineering
Contextual understanding
Human judgement
Culture
Accountability
AI will amplify whatever foundations it is given. If your infrastructure is poorly maintained, if patching is inconsistent, if teams are stretched thin, AI will simply generate faster alerts about a problem that already existed, and it has no idea about the human factor: the rushed staff member who will click on a link or miss an alert, or the person in Marketing who saw the start of a phishing campaign but just deleted the email and went home.
AI can enhance good security practices, but it cannot fix bad ones.
6. Fewer Third Parties, More Control, Lower Risk
Many organisations accumulate vendors, each focused on a narrow task. This leads to:
Fragmented accountability
Inconsistent security postures
Integration gaps
Dependency risk
Higher overall cost
Reducing third parties—and empowering internal teams—creates end-to-end ownership. Problems get resolved earlier, and decisions are made with full situational awareness.
Security thrives when responsibility is clear, integrated, and internal.
My Conclusions: The Strongest and Cheapest Cybersecurity Strategy Is Doing the Basics Well
The narrative that cybersecurity requires constant new spending is misleading. In reality, organisations can be dramatically more secure—and spend less—by strengthening their foundations:
Robust patching and configuration management
Clean, modern, well-run infrastructure
Fully staffed, well-paid internal teams
Reduced dependency on third parties
Experienced engineers who understand the environment
Realistic expectations of AI and automation
Cybersecurity becomes cheaper when environments are simple, stable, well-maintained, and owned by people who care about them.
Get the basics right, invest in the people who understand your systems, and security stops being a battle. It becomes a natural, predictable, cost-effective outcome of operational excellence.