Securing What Matters Most: A Practitioner’s View

Most organisations are doing plenty of cybersecurity. The bigger question is whether they’re securing the right things. As regulatory expectations shift towards demonstrable, risk-based decision-making, understanding what matters most to the business has never been more important.

The Fundamentals Haven’t Changed – The Context Has

I’ve been having versions of this conversation for the 25 years I’ve worked in cyber (or IT security, as it was called when I started), and parts of it will sound familiar. The fundamentals haven’t changed much. What has changed is the context around them, and that context is worth paying attention to.

We still have to comply with regulations, standards and control frameworks, and that isn’t going away. But there is diminishing value in aligning with controls purely for the sake of compliance. We have been saying this for years, even as we struggle to break away from the well-trodden approach we have followed for decades. Regulators, boards and customers now expect more: evidence of a risk-based approach. They want to see that we know which parts of the business are most critical (i.e. the minimum viable organisation), what could disrupt them (threat and risk scenarios), and how we are prioritising security and resilience activity accordingly.

Why Is This Still So Difficult?

That’s the right direction, and most of us agree with it, but it is hard to do in practice. Why? Because most security functions are still consumed by day-to-day activity, stretched resources and competing priorities. And too often we lack a clear line of sight between what the team is doing and the business processes, services, assets and dependencies that matter most. Without that line of sight, risk assessments, penetration tests, control reviews and the like become generic and lack direction and purpose, or, worse, focus on areas of the business that aren’t critical and would be adequately served by baseline controls.

Cyber Risk Doesn’t Exist in Isolation…

It is made harder by the fact that cyber risk rarely exists in isolation. The risks we deal with now are hybrid: they cut across cyber, technology risk, operational resilience, physical security, third-party management, enterprise risk, compliance and audit. Yet many of these functions still report vertically, with little lateral sharing. That makes it genuinely difficult to build a joined-up picture of what is truly critical, how it is protected, where the dependencies run and where we are most exposed.

The uncomfortable truth is that no one can secure everything to the same standard, so prioritisation isn’t optional; it is the job. Yet our assurance effort often follows the wrong triggers. A new application attracts a risk assessment, a pen test or a code review simply because it is new, while a mission-critical system that has underpinned the business for a decade hasn’t been tested in years. The result is a mismatch between where we point assurance and where the real exposure lives.

Start with What Matters Most

The place to start is by identifying the business’s nucleus: the critical services, processes, data, systems, people, and third-party dependencies that must be protected and kept running at all costs. This requires discussion, challenge, and consensus across business, technology, risk, and resilience teams. It won’t be perfect the first time, but skipping it because it’s hard leaves us with no defensible basis for prioritisation at all.

Once we understand what is most critical, risk assessment starts to earn its keep. The point isn’t to generate another risk register; it is to work out what could realistically go wrong, how likely it is, what it would cost the business, and which controls we need in order to prevent it, detect it and respond to it. That is what connects business criticality to threat exposure, control effectiveness and remediation priorities.
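The two preceding points, assurance following "it’s new" rather than "it matters", and risk assessment that ties criticality to exposure and control coverage, can be made concrete with a simple prioritisation model. The following is an added illustration, not code from the original article or from any CRMG tooling. The tier cadences (365/540/730 days), the 1.5× exposure weighting for internet-facing systems, the staleness cap of 2.0, and the asset names and dates are all assumptions chosen to show the idea; a real programme would calibrate them against its own risk appetite.

```python
# Added illustration (not from the original article): rank assurance effort by
# business criticality and how far past its cadence a system is, so that a
# brand-new, non-critical system does not outrank a critical one nobody has
# tested in years. All weights and sample data below are assumed/constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

# Assumed cadence for a dedicated assurance activity (pen test / control review)
# per criticality tier. Tier 1 gets baseline controls only, so it has no cadence.
TIER_INTERVAL_DAYS = {4: 365, 3: 540, 2: 730}
MAX_STALENESS = 2.0            # cap so one ancient date cannot swamp the ranking
NEVER_ASSURED_STALENESS = 2.0  # a tiered system with no assurance on record is treated as fully overdue


@dataclass
class Asset:
    name: str
    criticality: int                # 1 = baseline controls only .. 4 = underpins a critical service
    internet_facing: bool
    last_assurance: Optional[date]  # date of last pen test / control review; None if never
    is_new: bool = False            # deliberately NOT used in the score


def staleness(asset: Asset, today: date) -> float:
    """0 = not yet due, 1 = due now, >1 = overdue (capped at MAX_STALENESS)."""
    interval = TIER_INTERVAL_DAYS.get(asset.criticality)
    if interval is None:
        return 0.0                       # baseline-only tier: no dedicated cadence
    if asset.last_assurance is None:
        return NEVER_ASSURED_STALENESS
    elapsed = (today - asset.last_assurance).days
    return min(elapsed / interval, MAX_STALENESS)


def priority(asset: Asset, today: date) -> float:
    """Criticality x exposure x staleness. Being new contributes nothing."""
    exposure = 1.5 if asset.internet_facing else 1.0
    return asset.criticality * exposure * staleness(asset, today)


def rank_assurance(assets: Sequence[Asset], today: date) -> List[Tuple[Asset, float]]:
    """Assets with their scores, highest priority first."""
    scored = [(a, priority(a, today)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def overdue(assets: Sequence[Asset], today: date) -> List[str]:
    """Names of assets at or past their assurance cadence, in priority order."""
    return [a.name for a, _ in rank_assurance(assets, today) if staleness(a, today) >= 1.0]


# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2025, 6, 1)
SAMPLE_ASSETS = [
    Asset("Payments ledger", 4, False, date(2019, 3, 1)),           # critical, untested for years
    Asset("Customer portal", 3, True, date(2024, 10, 1)),           # exposed but recently assured
    Asset("New marketing microsite", 1, True, None, is_new=True),   # new, but baseline tier
    Asset("HR intranet", 2, False, date(2023, 1, 15)),              # internal, past its cadence
]

if __name__ == "__main__":
    for asset, score in rank_assurance(SAMPLE_ASSETS, TODAY):
        print(f"{score:5.2f}  {asset.name}")
```

Run as-is, the ledger nobody has touched since 2019 comes out on top and the new microsite scores zero, which is the inversion of the "test it because it’s new" trigger the text describes. The `is_new` field is carried on the record precisely so a reviewer can see it has no influence on the ranking; change-driven testing still has its place, but as a separate trigger with its own budget, not as the thing that decides where scarce assurance effort goes.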

It also gives us a far stronger story to tell regulators, boards and auditors: a clear line from what matters most to the business, through the risks we have identified, to the controls we have put in place and the investment we have chosen to make. It is the difference between security as a broad compliance exercise and security as focused business protection.

The Goal

This must be our goal: a cybersecurity programme that is more practical, more connected and more targeted. One built around understanding what the business genuinely cannot afford to lose, how those critical services and assets are exposed, and where our time, effort and investment will have the greatest impact. That means moving beyond security activity driven primarily by compliance schedules or technology change, and instead focusing assurance where it matters most.

We’ll never have unlimited resources, nor will we ever eliminate every risk. But by establishing a clear line of sight between business criticality, credible threat scenarios and the controls that protect them, we can make better decisions, justify investment more effectively and build resilience where it counts.

This is what good cybersecurity should be about: not trying to secure everything equally, but making informed, defensible decisions that protect what matters most to the organisation.


Meet Our Leadership Team.

At CRMG, our senior leadership team brings a rich history and deep expertise in cyber security. Spearheaded by consultants who are influential figures in the industry, our leaders are highly networked and well-established, with backgrounds in the ‘Big Four’ firms.


Simon Rycroft

CO-FOUNDER AND CEO

Former Head of Consulting at the ISF. On a journey to bring accessible risk management to growing enterprises.

Nick Frost

CO-FOUNDER AND CHIEF PRODUCT OFFICER

Former Group Head of Information Risk, PwC. Motivated by the need to implement cyber risk principles for the real world!

Dan Rycroft

DELIVERY DIRECTOR

Former Head of Delivery, Cyber Security at DXC. Delivers risk-based cyber security programmes with maximum efficiency.

Matt Brett

DELIVERY LEAD – CYBER RISK SOLUTIONS

Former Portfolio Director, Tech Security & Risk, GSK. Specialises in implementing efficient, pragmatic cyber risk solutions.

Martin Tully

DELIVERY LEAD – GOVERNANCE AND COMPLIANCE

Twenty years’ experience in delivering fit-for-purpose cyber governance initiatives.

Ryan Hides

DELIVERY LEAD – THIRD PARTY RISK MANAGEMENT

Project Management and Six Sigma expertise. Specialises in turning effective third party risk management into a scalable reality.

Sarrah Ahmed

HEAD OF MARKETING

Bringing over 17 years of marketing expertise, passionate about crafting innovative marketing campaigns.

Tom Everard

DIRECTOR, RISK SERVICES

Director of Risk Services with a passion for people-focused cyber security, crisis management, and tackling insider risk.

Rebecca Stanley

FINANCE MANAGER

Focused on ensuring everything continues to run smoothly, Rebecca collaborates across teams and with clients to manage budgets, reporting and all things finance.