From Chaos to Control: The Role of Frameworks in Building Resilient Cyber Security

By James Preston, Principal Security Consultant at ANSecurity.

Day to day, we help companies improve their cybersecurity maturity, and it quickly becomes clear how different our view is from our clients'. They often ask us about the GenAI-powered tools and next-gen technologies they have heard so much about from keen marketing teams targeting specific use cases. In reality, we are looking for far simpler security controls. Across the countless clients we have worked with over the years, the difference between the resilient and the rest is pretty simple: it is the basics, implemented to a consistently high standard.

It’s the basics that get you

No amount of expensive tooling will save a company from falling afoul of basic oversights. Yet, in the majority of cases, this is exactly how breaches happen. According to the UK Government’s Cyber Security Breaches Survey 2024, phishing is used in 84% of the attacks against businesses. Similarly, Verizon’s 2024 Data Breach Investigations Report (DBIR) pointed to stolen credentials as the top attack vector in the last year. These are problems we largely already have solutions for, and yet they continue to dog businesses.

What allows companies to do those basics well? A cybersecurity framework. It really is that simple. In our experience, the mere presence of a framework is by far the biggest differentiator between well-secured and resilient organisations and the rest.

A foundation for good cybersecurity

When approaching cybersecurity, companies have a hard time knowing where to start. What frameworks offer is a guide to good cybersecurity: structure and clarity, achievable milestones, and metrics by which to measure success. Above all, however, they offer a playbook. They tell fledgling security programmes what their priorities should be and where to start. From there, they show how to actually measure risk, what metrics to track, where to place controls and invest time, and how to define what is and isn’t a priority.

Frameworks establish a common language for businesses around cybersecurity. While many may not know how to start implementing security controls in their organisation, frameworks offer them a way, and in doing so they acquire a language to communicate needs to management. This is often excruciatingly hard for cybersecurity departments that can’t find a way to translate technical concerns into business outcomes. In turn, security gets relegated to cost-centre status and departments struggle to secure the necessary budgets or to advise on organisational risk. Frameworks provide the metrics and data points needed to demonstrate how security affects the business, paving the way for longer-term resilience.

Frameworks are also largely scalable, which allows them to work for small and medium-sized businesses (SMEs), accommodating their security needs as they grow and mature, as well as for enterprises. This provides a good basis for growing a business while maintaining a cybersecurity stance that can accommodate the growth. Indeed, as a business grows and attracts more customers, more will be expected of it, and a framework will help to meet those new expectations.

An easier path to compliance

Even if an organisation isn’t committed to its own security, regulators are. Figuring out how to comply with any number of acronymed regulations and accreditations, such as PCI-DSS, GDPR or even Cyber Essentials, is a big headache for businesses. Frameworks offer a paint-by-numbers path to compliance, helping to avoid the audits, penalties and loss of business that so often accompany non-compliance. If regulatory audits and investigations do rear their head, companies that use frameworks will have the documented processes needed to demonstrate compliance.

Demonstrating trustworthiness in the supply chain

One of the strongest aspects of frameworks is that certification demonstrates a level of trustworthiness which is hard to gauge in any other way. Frameworks from recognised bodies, such as NIST, ISO (27001) or CIS, are brand names and a signal to customers and partners that engaging with a given company won’t endanger them.

Companies are right to be concerned: the supply chain is a major source of risk. According to a 2024 Ponemon Institute report, 60% of security incidents emanate directly from vulnerabilities in the supply chain. Many now expect the right certifications from potential partners and suppliers, and this is increasingly a condition for doing business with other firms. If a firm can't demonstrate that it complies with a given standard or framework, potential partners may forgo doing business with it altogether, for fear of introducing third-party risks or of their association with a non-compliant entity endangering their own compliance status.

Frameworks aren’t a panacea

There’s an easy trap to fall into here. Many will find a framework and merely check its boxes, following its guidance with the bare minimum of effort. While frameworks are effective guides to running cybersecurity within an organisation, they must be pursued with intent and discipline. In fact, data from the Center for Internet Security survey shows that 51% reported improvements only after a year, highlighting that frameworks are a long-term investment, not a short-term cure.

Indeed, frameworks aren’t a panacea. They won’t solve everything in one fell swoop, but they will offer a much-needed path towards greater resilience. They depend on a culture that actively pursues strong cybersecurity, and they will likely need buy-in from leadership to realise their potential.

Moreover, many businesses will have specific cybersecurity requirements that fall outside the scope of many frameworks. Companies in the healthcare sector will have specific requirements which a general-purpose framework may not cover. Similarly, industrial firms with large investments in ICS and OT environments will have more specific concerns than many frameworks can address.

You don’t need to take our word for it: various studies have confirmed the utility of cybersecurity frameworks. One survey from the Center for Internet Security shows that 95% of organisations experienced benefits, 43% reported fewer security incidents and another 43% reported greater maturity in security operations.

Frameworks won’t keep out the most advanced, well-resourced attackers, but that’s not what most businesses need to worry about. They need to think about how to do the basics well, because it's those small oversights that bring about breaches and regulatory problems. Frameworks provide a way for most businesses to do those basics well and keep out the large majority of threats.
