Key Takeaways:
- The basics of cybersecurity matter and must be implemented well to gain sufficient value from innovations.
- Organizations must know their business assets, make their business visibly secure, and implement the least privilege principle.
- Testing incident response plans and outsourcing responsibility, not accountability, are crucial for effective cybersecurity.
- Implementing a federated model for asset management and maintaining an authoritative inventory are essential.
- Cybersecurity is a shared responsibility between IT, security teams, and executive management.
Introduction to Cybersecurity in 2025
What a year 2025 has been: Rich in both cyber events and innovations alike. On the latter, not a week has passed without a mention of innovation in Artificial Intelligence (AI). The level of useful innovation in cybersecurity, despite some questionable claims by certain vendors, will increase in 2026 with new products and services. To gain sufficient value from these innovations, however, we need to implement the basic controls well first. Whether we measure this against UK Cyber Essentials or CIS Critical Cyber Controls, the reality remains the same: cyber incidents are still mostly “enabled” by organisations neglecting these basics. This reinforces the belief that the following first principle still stands: In cybersecurity, basics matter.
The Importance of Knowing Your Business Assets
The first postulate in cybersecurity is to know your business assets. The phrase “One cannot protect what one does not know about” is particularly relevant in this context. The real issue is not “finding assets” but structural mis-governance enabled by unenforced processes, no authoritative inventory, and a culture that tolerates shadow IT. CIOs know that asset management related to business technology is not an easy task to get right. IT and cyber vendors led us to believe that we just need to buy their platform and all problems will magically go away. Not in the slightest. What many organisations should implement is a federated model where each team maintains its own configuration inventory, automatically maintained by system management tooling that allows for integrations and exports to a business-wide configuration management database (CMDB) platform.
Making Your Business Visibly Secure
The second postulate is to make your business visibly secure. In police training, they teach officers to spot burglar-inviting properties; this is also useful when scouting offices for physical intrusion exercises. The tell-tale signs comprise low fences, unlocked windows, weak door locks, no CCTV cameras, and a clear view into the property with high-value items visible. The same applies to digital security: DNS settings that were sufficient 20 years ago, expired web server certificates, email servers not supporting transport encryption, insecure website cookies, and the list goes on. When delivering security advisories to organisations, the first test is external digital “drive-by reconnaissance”. From experience, only about 1% of companies truly understand the importance of a secure perimeter and can correctly implement it.
Implementing the Least Privilege Principle
The third postulate is to make the least privilege principle non-negotiable. Every year, the annual Microsoft Digital Defense Report highlights the need to control privileged access to resources. If a person, computer, or computer code does not need higher privileges to perform its operations, then those privileges should be taken away. This seems like a logical conclusion. Yet, in assessments performed, organisations allow end-users to have local admin privileges on their computers (whether Windows or Mac). Similarly, IT personnel assign admin privileges for internal and cloud resources to their standard accounts. These mistakes cost companies dearly when attackers exploit these accounts, granting the attackers “keys to the kingdom”. The remedy is simple, yet too hard for many to implement.
Testing Incident Response Plans
The fourth postulate is to test your incident response plans. The shout of “Fire, fire, fire” triggers an organised evacuation of buildings. The training exercises that organisations are legally required to perform greatly reduce the likelihood of loss of life. Business leaders should consider similar exercises for IT and cyber attacks. Businesses that are obliged to implement strict regulations such as DORA or NIS2 are well aware of these requirements. That leaves the rest of the organisations to follow suit. If you are a business executive reading this, run a “tabletop exercise” with an external facilitator in the next 90 days. Simulate a scenario – such as ransomware – to test how the executive team makes decisions under pressure.
Outsourcing Responsibility, Not Accountability
The fifth and final postulate is to outsource responsibility, not accountability. Outsourcing, when implemented correctly, is a great way to improve quality and manage costs. It is well-known that executives should keep the accountability for the process quality and security operated by the outsourcer. This process starts at the Request for Proposal (RFP) stage where all requirements are collected, and continues during negotiations and the stand-up phase, establishing metrics and key performance indicator (KPI) reporting cycles. Treat your outsourcing partner as if they were an internal team; they are responsible for delivering the service, but the executive team is accountable for ensuring the service is delivered according to the contract. Please note that accountability is assigned to exactly one individual who signs off on the work and approves the deliverable.
