Is Cyber Just Old School Risk in a Fancy Hoodie?

Posted on June 26, 2025

In this missive I’m addressing the digital economy’s elephant in the room, an idea sparked in conversation with a few esteemed colleagues (you know who you are 😉). It got me thinking: most of what’s being packaged as ‘cyber risk’ today is traditional business risk with a flashy makeover. It’s fraud, theft, sabotage, espionage, but now with Wi-Fi, acronyms and a globally exposed community marked and monitored by adversaries who only need one opening. We’ve simply traded in the trench coat and typewriter for hoodies, ransomware kits and talking in JavaScript.

Back in the day, a scammer might have forged a letterhead and faxed a fake invoice. Today, they spoof your CFO’s email and trick Accounts Payable, or yours truly, into wiring funds to a bank in Latvia (see my earlier missive on this theme). It’s still fraud, just with AI augmentation and orchestration at scale, where every globally recognised brand carries an unspoken ‘target-rich environment’ label. Employee misconduct used to mean dodgy expense claims, or simply human error driven by burnout that bypassed every technical control; it’s now called ‘insider threat’ and is often simply an overworked mind that opened the door no firewall could close. Your competitors used to bribe someone for intel; now they deploy malware through a dodgy conference Wi-Fi and it’s called digital corporate espionage. And so on …

The industry’s response? Bury you in tech. AI (Artificial Intelligence), ML (Machine Learning), ZTNA (Zero Trust Network Access), SASE (Secure Access Service Edge), XDR (Extended Detection and Response), CNAPP (Cloud-Native Application Protection Platform) … it’s like someone spilled a bowl of alphabet soup on your procurement form. And every vendor insists their blinking dashboard of doom is the one true path to cyber nirvana. But here’s the thing: more tools ≠ more security. In fact, it often just means more cost, more complexity and more consultants sending you invoices that look like phone numbers.

Complexity used to be the bane of security. Now you would be mistaken to believe it is the new badge of honour: the more convoluted your architecture, the more secure you must be … right? After all, attackers can’t exploit what even your own team can’t understand.

So what’s a sensible leader to do? Which brings us to a revolutionary concept, yes, that old chestnut: the Pareto Principle, the 80/20 rule. It has worked in finance, operations and supply chain for years. And guess what? It works in cyber, too. You can achieve 80% of the risk reduction with 20% of high-impact, well-informed controls. Your ROI (return on investment) is about enabling more secure outcomes with smarter spending.

That’s right: instead of another bloated budget line for ‘quantum threat posture next-gen zero trust AI-augmented blockchain analytics’ (Translation – more stuff to plug in that doesn’t stop Janet in Accounts from clicking a fake Zoom invite), focus on your top five risks, fund the 20% of controls that actually map to them and resist buying security theatre. This means focusing on the boring basics, including, but not exclusively:

  • Patch critical systems
  • Enable multi-factor authentication
  • Monitor admin access
  • Identity and Access Management (Joiner, Mover, Leaver / JML)
  • Train staff to spot phishing (and no, adding a cyber-dragon emoji to training doesn’t count as gamification)

These aren’t sexy. They won’t win you innovation awards. But they work. And unlike that AI-enabled blockchain-powered cyber toaster you bought last year, they actually reduce risk. For an independent read on them, head over to the Center for Internet Security (CIS).

Stop thinking of cybersecurity as a magical, separate discipline. It’s risk management in a digital context. Treat it as such. Would you spend £1 million on fire insurance and then store fireworks in the lobby by that door which gets propped open by the smokers? So don’t spend a fortune on cyber tools and then let Dave from Sales reuse “Password123” for the fifth time.

Focus your budget where it counts. Demand outcomes, not just dashboards. And if your security strategy sounds more like a sci-fi script than a business plan, it might be time to unplug, literally.

Securely yours (but not obsessively so),

P.S. If your CISO sends you this article anonymously, take the hint. They’re tired of explaining why a £300K firewall doesn’t stop Bob from clicking on ‘Free iPad.’